Security & the data boundary

We store metadata, not evidence

Substantively holds project plans, task states, control test conclusions, issues, time entries, and an activity trail. Your audit evidence and workpapers never leave your Microsoft 365 tenant: documents are linked by reference (a SharePoint URL and file identifiers), and clicking a link opens the file in your own tenant under your own permissions. This product has no file upload, no blob storage, and no document content persistence — architecturally, not as a policy.

Tenant isolation is enforced by the database

Every tenant-scoped table carries your organization ID and a Postgres Row-Level Security policy. The application connects with a database role that cannot bypass these policies, so a query outside your organization's context returns nothing — even if application code had a bug.

The activity log is append-only

The application's database role holds no UPDATE or DELETE privilege on the activity log. Once written, an entry cannot be altered through the application — by us or by you.
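The two database-level controls described above (tenant isolation by Row-Level Security and an activity log the application role cannot rewrite) can be sketched in PostgreSQL as follows. This is an added example, not Substantively's actual schema. The role `app_rw`, the tables `tasks` and `activity_log`, and the session setting `app.org_id` are hypothetical names, and the UUIDs are constructed sample values.

```sql
-- Added example: every object name here is hypothetical.
-- The application role is neither superuser nor allowed to bypass RLS.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE tasks (
    id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id uuid NOT NULL,
    title  text NOT NULL
);
CREATE TABLE activity_log (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id     uuid NOT NULL,
    action     text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- FORCE applies the policies to the table owner as well.
ALTER TABLE tasks        ENABLE ROW LEVEL SECURITY;
ALTER TABLE tasks        FORCE  ROW LEVEL SECURITY;
ALTER TABLE activity_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE activity_log FORCE  ROW LEVEL SECURITY;

-- Fail closed: an unset or empty app.org_id becomes NULL, the comparison
-- is never true, and no row can be read or written.
CREATE POLICY tenant_isolation ON tasks
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);
CREATE POLICY tenant_isolation ON activity_log
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Append-only log: SELECT and INSERT only, never UPDATE or DELETE.
GRANT SELECT, INSERT, UPDATE, DELETE ON tasks TO app_rw;
GRANT SELECT, INSERT ON activity_log TO app_rw;

-- Checks, run from an administrative session.
SET ROLE app_rw;
SELECT count(*) FROM tasks;   -- no organization context set for this query

BEGIN;
SET LOCAL app.org_id = '00000000-0000-0000-0000-000000000001';
INSERT INTO tasks (org_id, title)
    VALUES ('00000000-0000-0000-0000-000000000001', 'Plan walkthrough');
INSERT INTO activity_log (org_id, action)
    VALUES ('00000000-0000-0000-0000-000000000001', 'task.created');
COMMIT;                       -- SET LOCAL ends with the transaction

UPDATE activity_log SET action = 'edited';  -- rejected: no UPDATE privilege
RESET ROLE;
```

When auditing a deployment like this, `SELECT rolsuper, rolbypassrls FROM pg_roles` and `SELECT relrowsecurity, relforcerowsecurity FROM pg_class` show whether the role and tables are actually configured as claimed.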

Authentication without passwords

Sign-in is via your Microsoft work account (Entra ID) or an email magic link, handled by Clerk. We never store passwords. SharePoint access uses delegated permissions acting as the signed-in user — reading file names for linking, and creating folders, template copies, and uploads inside your tenant. Uploads travel directly from the user's browser to SharePoint; file content never passes through or rests on our servers, and our CI fails any change that tries. Refresh tokens are encrypted at rest (AES-256-GCM).

Sub-processors

The metadata we do hold is processed by a deliberately short list of providers:

| Provider | Purpose | Optional? |
|---|---|---|
| Clerk | Authentication & organization membership | Required |
| Managed PostgreSQL (Neon / Azure) | Application database | Required |
| Paddle | Billing (merchant of record) | SaaS plan only |
| Resend | Transactional email (weekly digest) | Optional |
| Sentry | Error monitoring | Optional |

Microsoft Graph is not a sub-processor: it is your own tenant, accessed with your own users' consent.

Run it in your own cloud

Substantively is a single deployable unit — one application and one PostgreSQL database. For organizations that want the metadata in their own environment too, it deploys as a dedicated single-tenant instance in your cloud subscription, with billing, email, and telemetry disabled. Ask us about enterprise licensing.