Security & Compliance

Enterprise security, built in from day one

Granular access control, encrypted secrets, comprehensive audit trails, and network security. Everything you need to meet compliance requirements and keep your infrastructure secure.

Access Control

Granular permissions for every team member

Substrate's role-based access control gives you fine-grained control over who can do what in your infrastructure. Assign roles at the organization, project, or individual resource level, and create custom roles tailored to your team's workflow.

  • Organization, project, and resource-level permissions
  • Custom roles with fine-grained actions
  • Team member management with role assignment
  • Permission inheritance and overrides

Permission Matrix

Role        Clusters    Deploy    Secrets    Billing    Members
Owner
Admin
Developer
Viewer

DATABASE_URL         Production      Active
STRIPE_SECRET_KEY    Production      Active
AWS_ACCESS_KEY       Organization    Rotating
OLD_API_KEY          Staging         Revoked

Secrets Management

Encrypted secrets, zero exposure

Store sensitive credentials, API keys, and connection strings with AES-256 encryption at rest. Substrate manages the full lifecycle of your secrets, from creation and rotation to revocation, with every access logged for compliance.

  • AES-256 encryption at rest
  • Scoped to organization, project, or account
  • Secret rotation with zero downtime
  • Status management (active, disabled, revoked)
  • Audit logging for every secret access

Audit Trails

Every action, logged and searchable

Substrate records every API call, configuration change, and access event with complete context. Built for compliance auditors who need proof and engineers who need answers fast.

Timestamp              Actor           Action               Resource          IP Address
2024-01-15 14:32:08    sarah@co.com    cluster.scale        prod-eks-01       198.51.100.42
2024-01-15 14:28:41    ci-pipeline     deployment.create    api-service       203.0.113.5
2024-01-15 14:15:22    james@co.com    secret.rotate        db-credentials    192.0.2.88
2024-01-15 13:59:03    admin@co.com    member.invite        dev@co.com        198.51.100.42

Multi-Factor Authentication

MFA for every account

Protect every account with time-based one-time passwords (TOTP) using any standard authenticator app. Organization administrators can enforce MFA policies to ensure every team member has a second factor enabled before accessing infrastructure.

  • TOTP authenticator app support
  • Backup codes for account recovery
  • Enforced MFA policies across organizations
  • Secure session management with configurable expiry

Firewall Rules

Allow Office VPN     10.0.0.0/8        TCP:443     Enabled
Allow CI Pipeline    203.0.113.0/24    TCP:6443    Enabled
Allow Monitoring     192.168.1.0/24    TCP:9090    Enabled
Legacy Access        172.16.0.0/16     TCP:8080    Disabled

Network Security

Firewall rules at the cluster level

Define IP-based firewall rules that control access to your Kubernetes API servers. Substrate syncs firewall rules with your cloud provider's native security groups, so you get defense in depth without managing multiple configuration surfaces.

  • IP and CIDR-based firewall rules
  • Protocol and port configuration
  • Cloud provider firewall sync
  • Rule enable and disable without deletion

Secure your infrastructure today

Enterprise-grade security is included in every Substrate plan. Start with RBAC, secrets management, and audit trails from day one.
