Security is central to how we work. Because we operate inside our clients' CRMs and connected systems, we hold ourselves to a high standard for protecting data and access. This page explains the measures we take. To report a vulnerability, email thorstein.nordby@superwork.co.
1. Hosting and infrastructure
Our website and tooling run on reputable cloud providers with strong physical and network security and recognised certifications (such as SOC 2 and ISO 27001). Where we have a choice, we prefer providers and regions within the EU/EEA.
2. Encryption
Data is encrypted in transit using TLS (HTTPS) across our website and the services we use, and encrypted at rest by the platforms that store it. We do not transmit sensitive credentials over unencrypted channels.
3. Access control and least privilege
Access to client systems and internal tools is granted on a least-privilege basis — people get only the access they need, for as long as they need it. Access is reviewed regularly and revoked promptly when no longer required or when someone leaves.
4. Authentication
We enforce strong authentication on critical systems, including multi-factor authentication (MFA) and the use of password managers. We never share individual login credentials and prefer single sign-on (SSO) and scoped, app-level access where available.
5. HubSpot and sub-processors
When we work in a client's HubSpot portal or connected systems, we operate with scoped permissions granted by the client and follow the platform's security model. We rely on established sub-processors — such as HubSpot, Google and our hosting providers — that maintain their own recognised security certifications and data-protection commitments.
6. Monitoring and logging
We rely on the logging and monitoring provided by our platforms to detect unusual activity, and we keep an eye on access to sensitive systems. Administrative actions in client portals are attributable to individual accounts.
7. Vulnerability and patch management
We keep our devices, browsers and tooling up to date, apply security updates promptly, and favour vendors who patch quickly. Custom integrations we build are maintained to remain compatible with platform security changes over time.
8. Backups and resilience
The platforms we build on provide redundancy and backups. For custom work, we keep configuration and code in version control so that integrations and customisations can be restored or rebuilt if needed.
9. Incident response and breach notification
If we become aware of a security incident affecting personal data, we will investigate, contain and remediate it, and notify affected clients without undue delay. Where the GDPR applies, we support timely notification to the relevant supervisory authority — within 72 hours where required.
10. People and training
Security is everyone's responsibility. Our team follows good security hygiene — strong, unique passwords, MFA, encrypted devices, and care with phishing and social engineering — and we keep awareness current.
11. Data minimisation and privacy by design
We collect and retain only the data we need, and we design integrations and workflows to limit unnecessary exposure of personal data. See our Privacy Policy for how we handle personal data.
12. Responsible disclosure
If you believe you have found a security vulnerability in our website or a system we manage, please report it to thorstein.nordby@superwork.co. We ask that you give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly, and that you avoid accessing or modifying data that is not yours. We appreciate responsible disclosure and will work with you in good faith.
13. Compliance
We process personal data in line with the EU/EEA General Data Protection Regulation (GDPR). For details on data handling, legal bases and your rights, see our Privacy Policy.
14. Contact us
For security questions or reports, email thorstein.nordby@superwork.co. For anything else, visit our contact page.