Substrate

Security

Security is infrastructure

Substrate is built for teams handling sensitive data and regulated workloads. Compliance, encryption, and physical security are foundational — not bolt-on features.

Compliance certifications

SOC 2 Type II

Independently audited by a Big Four firm. Our SOC 2 Type II report covers security, availability, and confidentiality trust service criteria. Report available under NDA for customers on Pro and Enterprise plans.

HIPAA Compliant

Business Associate Agreements (BAAs) available for healthcare and regulated workloads. PHI is never stored, logged, or retained on our systems. HIPAA compliance is available on Pro and Enterprise plans.

Zero data logging policy

Substrate operates a strict separation between infrastructure telemetry and workload data. We collect the minimum data needed to operate the platform reliably and bill accurately. We never inspect, store, or retain your workload content.

What we do collect

Infrastructure telemetry only

  • Instance lifecycle events (created, started, stopped, deleted)
  • Resource allocation and billing metrics
  • API request metadata (endpoint, status code, latency)
  • Infrastructure health telemetry (CPU/GPU utilization, uptime)

What we never collect

Your data stays yours

  • Workload data, model weights, or training datasets
  • Network traffic content or payload inspection
  • File system contents or user-created artifacts
  • SSH session content or terminal commands
  • Environment variables or application secrets

Encryption

Data is encrypted at every layer — at rest, in transit, and during computation.

AES-256-GCM

At rest

All persistent storage volumes are encrypted with AES-256-GCM. Keys are managed via a dedicated HSM with automatic rotation every 90 days.

TLS 1.3

In transit

All API, CLI, and inter-service communication uses TLS 1.3 with forward secrecy. We do not support deprecated cipher suites or protocol versions.

Secure enclaves

At compute

GPU memory is isolated per tenant using hardware-level memory protection. Instance teardown includes cryptographic memory erasure within seconds.

Physical security

Substrate infrastructure is housed in Lefdal Mine Datacenter — a former NATO facility in Måløy, Norway, built inside a mountain of solid rock. Physical security measures include:

  • Underground rock facility with controlled access points
  • 24/7 CCTV monitoring with on-site security personnel
  • Multi-factor biometric access control
  • Tier III equivalent redundancy and uptime guarantees
  • Dedicated fire suppression and environmental monitoring
  • 100% renewable hydroelectric power with redundant grid connections

Responsible disclosure

Found a vulnerability? We appreciate responsible disclosure and respond to all reports within 24 hours.

security@onsubstrate.run