Security
Last updated: June 2026
This page describes how we protect your data today, in plain terms. We are a small, invitation-only operation working with a few organizations at a time, so we have written what is actually true of the system as it runs now, and nothing more. Where a practice is a deliberate design choice rather than a control we bolt on later, we say so.
Security by design, not by addition
The most useful thing we can tell you about our security is what the system never touches. submove is a decision-intelligence diagnostic, a flight simulator for organizational decisions. It plays a named change forward across a model of your organization and reports the likely stress, morale, trust and performance trajectories before the decision is made. To do that well it needs the shape of your organization, not the identities of the people in it. So the model is built to run without employee personal data at all. Most of the protections below exist to keep the small amount of data we do hold isolated, encrypted and reachable only by the people running your engagement.
Data isolation and row-level security
Your data lives in a Supabase Postgres database protected by row-level security (RLS). RLS is enforced in the database itself, not just in application code, so a query can only ever return rows the requesting session is explicitly entitled to. Each organization's data is isolated behind these policies, which means one client cannot read, write or even detect another client's records.
Files you provide for an engagement are kept in per-engagement isolated storage, governed by the same access rules. Storage paths are scoped per engagement so that one engagement's uploads are not addressable from another. When an engagement ends, its data can be retired on request rather than lingering in a shared pool.
Passwordless authentication
Sign-in to the client portal is passwordless. We send a one-time magic link to your work email, handled by Supabase auth, and that link is the whole of the sign-in. There are no passwords anywhere in the system, which means there are no passwords to guess, reuse, leak in a breach elsewhere, or phish for reset. The practical details:
- Magic links are single-use and expire roughly 60 minutes after they are issued.
- There is no self-signup. Accounts are created by admin invitation only, so only people we have deliberately added can reach the portal.
- A successful sign-in establishes a session token held in your browser's storage. Keeping that session beyond the current visit is opt-in, through a "keep me signed in" choice, and you can end a session at any time by signing out.
Access control and least privilege
Access to client data is limited to the people who need it to run your engagement, and no further. Administrative actions, such as inviting a portal user, are restricted to a small number of operator accounts. The row-level security policies above mean that even an authenticated session is confined to its own organization's data; privilege is granted narrowly and by intent rather than assumed by default.
Least data, and no personal data in the model
We hold as little sensitive data as the work allows, and the model itself holds none. submove resolves your organization into anonymous, governed individual profiles placed inside your real reporting network, with personality treated as a moderator only. Those profiles are role-coded and use masked identifiers; no personally identifying information about your employees is used in the model. It is calibrated on 1,102 pooled studies of organizational behavior, so the behavioral assumptions come from that research base rather than from profiling named people.
Because the model needs no employee personal data and no survey data to run, there is very little sensitive information in the system to begin with. That is the strongest protection of all: data that is never collected cannot be exposed, misused or subpoenaed.
The anonymous profiles exist to rehearse a decision, not to judge a person. They are never used for hiring, firing, promotion or any individual evaluation.
The information we do hold is mostly account and engagement data: the files you choose to provide, the intake self-assessments you complete, the simulation runs produced from them, and your account email and display name. How that information is collected, used and retained is described in our privacy policy.
Strict content security policy and self-hosted code
The site runs under a strict Content-Security-Policy. Scripts, styles and fonts are loaded from our own origin only; we do not pull code or fonts from third-party CDNs. Network access from the page is limited to our own backend. In practice this means there are no third-party scripts running in the background of the portal, which removes an entire class of supply-chain and tracking risk that comes with embedded external code.
Self-hosting the front-end code also means what runs in your browser is what we shipped and reviewed, not whatever a remote provider served that day.
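One way to check a response header against the claims in this section, as an added example that is not submove's own code or its actual policy: the function parses a Content-Security-Policy value and reports any script, style, font or connect source other than the site's own origin or its backend. The `BACKEND` origin and both sample headers are constructed placeholders.

```javascript
// Added example: audit a Content-Security-Policy header for first-party-only loading.
// BACKEND is a placeholder origin (an assumption), not a real backend address.
const BACKEND = "https://backend.example";

// Split a CSP header into Map<directive, sources[]>. Under CSP Level 3 a
// repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return a list of findings; an empty list means the policy matches the claims.
function auditCsp(header, backend = BACKEND) {
  const policy = parseCsp(header);
  const findings = [];
  const allowed = {
    "script-src": ["'self'", "'none'"],
    "style-src": ["'self'", "'none'"],
    "font-src": ["'self'", "'none'"],
    "connect-src": ["'self'", "'none'", backend],
  };
  for (const [directive, ok] of Object.entries(allowed)) {
    // Fetch directives fall back to default-src when they are absent.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (sources === undefined) {
      findings.push(`${directive}: unrestricted (no directive, no default-src)`);
      continue;
    }
    for (const src of sources) {
      if (!ok.includes(src)) findings.push(`${directive}: unexpected source ${src}`);
    }
  }
  return findings;
}

// Constructed sample headers: one first-party only, one with CDN and inline script.
const strict = `default-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self' ${BACKEND}; img-src 'self'`;
const loose = "default-src 'self'; script-src 'self' https://cdn.example 'unsafe-inline'; font-src https://fonts.example";

console.log(auditCsp(strict));
console.log(auditCsp(loose));
```

The same check can be run in CI against the header a staging deployment returns, so a CDN or inline-script allowance added later shows up as a finding.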
Encryption in transit and at rest
All traffic to the site and the portal is served over HTTPS, so data moving between your browser and our backend is encrypted in transit with TLS. Data at rest is encrypted using the managed-platform defaults of our hosting providers: Cloudflare for the front-end and Supabase for the database, storage and authentication. We rely on these established providers for disk-level encryption and key management rather than rolling our own.
Hosting and sub-processors
We keep our infrastructure deliberately small and run it on two established providers. These are our sub-processors:
| Provider | Role | What it handles |
|---|---|---|
| Cloudflare (Pages) | Front-end hosting and content delivery | Serving the static site and portal over TLS |
| Supabase | Database, storage and authentication | Postgres with row-level security, per-engagement file storage, passwordless sign-in |
We do not add sub-processors casually. If that list changes in a way that affects client data, we will update this page. A Data Processing Addendum naming these sub-processors is available on request for organizations that need one.
Backups and availability
The database and stored files sit on Supabase's managed Postgres and storage, which provide managed backups and point-in-time recovery as part of the platform; the front-end is delivered through Cloudflare's global network. We rely on these managed services for redundancy and recovery rather than running our own backup infrastructure. Because submove is a consulting-led diagnostic used in scheduled engagements rather than a real-time production dependency, a brief interruption affects a rehearsal, not a live operation.
Certifications and assurance
We will be straight with you: we are a small operation and we do not currently hold formal certifications such as SOC 2 or ISO 27001, and we will not claim badges we have not earned. What we offer instead is the concrete set of practices on this page, a system designed to hold very little sensitive data, and a willingness to answer specific security questions directly. Formal certification, third-party assessment, or a security questionnaire and DPA can be discussed as part of an engagement where your organization requires it.
What we do not do
Some of the clearest commitments are about what is absent by design:
- No tracking cookies and no cookie banner, because there is nothing non-essential to track.
- No advertising pixels and no third-party analytics ad-tech.
- No visitor profiling on the marketing site.
- No selling, renting or sharing of your data for marketing.
- No employee personal data in the model, and no individual scoring used for hiring, firing, promotion or any HR action.
Reporting a vulnerability
If you believe you have found a security issue, we want to hear from you. Please email us with enough detail to reproduce the problem and give us a reasonable opportunity to investigate and fix it before disclosing it publicly. We will acknowledge legitimate reports, keep you updated as we work through them, and we will not pursue good-faith research that respects this process and avoids harm to data or service availability.
Send reports to contact@submove.io.
Security contact
For security questions, assessments, or to request a DPA or a copy of our practices for your procurement process, contact contact@submove.io. For questions about how we handle personal information specifically, see the privacy policy.
submove is operated by SUBMOVE S.R.L, Bd. Decebal 27, Romania. This security overview describes practices, not contractual guarantees; the binding terms of any engagement are set out in your agreement with us.