Trust & Security

SubstantiatePro is built for regulatory and quality teams who hold their vendors to the same standard they hold their products. Here is how we protect your data and your work.

1. Your data is never used to train AI

We do not use your content to train any AI models, our own or our providers’. This is contractual, not just policy, and it extends to our AI subprocessors.

2. Tenant isolation

Every account’s data is scoped and access-controlled at the organization level across all application routes, so one customer’s products, claims, and studies are never visible to another.

3. Encryption

Data is encrypted in transit and at rest.

4. Private file storage

Uploaded labels, studies, and documents are stored in private storage and served only through short-lived signed URLs. Uploads are validated by type and size before they are accepted.

5. Approval controls and audit trail

Sign-offs require password re-authentication, submitters cannot approve their own work, and every approval, override, and revision is logged with the user, time, and rationale.

6. Application security

Parameterized database queries, output escaping, request rate limiting, and protection against server-side request forgery are in place across the platform. Dependencies are monitored and updated for known vulnerabilities.

7. Data retention and deletion

Account information is deleted 90 days after termination. Your content is available for export for 30 days after termination, then permanently deleted.