Introduction
The extension tracks products in our Vendor Database; for example, if you use ChatGPT, Trello, or Slack via your browser, that information gets sent to Substly.
Substly captures as little data as possible to determine if a B2B SaaS tool is used. If you read your local online newspaper or access any other website on the internet that is not business software, the extension will not track that, and no data is sent to or stored by us.
Substly doesn't capture any content on the pages you visit; if there is a match against our database, the only information captured is the first part of the URL (up to the query; see the image below for more details).
The data sent from the extension to Substly gives your company's management team usage insights, helping them understand and optimize your company's digital work environment.
How Substly's Extension Works and What It Logs
Companies use Substly to evaluate and improve their employees' digital work environment in a structured way.
If your company uses Microsoft Intune or another MDM system, it's worth noting that those systems make a deeper intrusion into personal privacy than Substly's browser extension. Substly helps companies gain insights into which B2B services employees use in their browsers, strengthening both information security and compliance.
However, it's essential to understand what is logged and how:
Substly logs as little data as possible, just enough to assess whether a service is actively being used. For example, we do not log how much time an employee spends using a service, only if a specific service was used by a specific employee on a specific day.
All matching happens locally in the browser. This means we don't monitor general web browsing, only visits to B2B services in our database with active URL monitoring rules.
When a match occurs, only the first part of the URL (up to the query string) is sent to Substly. This minimizes the risk of logging sensitive data or revealing user behavior.
Substly only monitors B2B SaaS tools. If a SaaS service can be used for personal and business purposes, we only monitor the business-relevant parts of the tool, and only if we can reliably separate them.
Employees who want to use their work browser without Substly monitoring their use of B2B tools (for example, during breaks or when using the device for personal tasks) can do so by:
Using a different browser than the one(s) with the Substly extension installed
Using a separate browser profile (e.g., in Chrome or Edge)
Using incognito/private mode
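The local matching and URL truncation described in the list above, sketched as an added example (this is not Substly's own code). The rule set, the hostnames and the function name reportableUrl are assumptions made for illustration:

```javascript
// Illustrative sketch only; not Substly's implementation.
// MONITORED_HOSTS stands in for the locally stored URL monitoring rules.
// The hostnames are constructed sample values.
const MONITORED_HOSTS = new Set([
  "app.example-crm.test",
  "boards.example-pm.test",
]);

// Returns the string that would be reported for a visited URL,
// or null when nothing should leave the browser.
function reportableUrl(visited) {
  let url;
  try {
    url = new URL(visited);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Matching runs against the local rule set, so a site with no rule
  // produces no output at all.
  if (!MONITORED_HOSTS.has(url.hostname)) return null;

  // origin is scheme://host[:port] and never includes user:pass@.
  // Adding pathname keeps the URL "up to the query": the query string
  // and the #fragment are both dropped.
  return url.origin + url.pathname;
}

// Constructed sample visits.
const visits = [
  "https://APP.example-crm.test/deals/42?token=secret#notes",
  "https://news.example.test/local/article?id=7",
  "https://user:pw@boards.example-pm.test:8443/t/abc123?x=1",
];
for (const v of visits) {
  console.log(v, "->", reportableUrl(v));
}
```

Path segments are kept as-is, so an identifier embedded in the path (the /t/abc123 in the sample) would still be reported; only the query string, fragment and embedded credentials are removed.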
How the Logged Data Is Used
The insights from the extension can help your organization:
Identify opportunities to improve the digital work environment
Spot knowledge gaps and training needs
Reduce tool overlap, prevent data sprawl, and improve efficiency
Identify unused licenses and free up budget for more fun stuff
Settings That Affect What Gets Monitored
There are settings in Substly that allow you to control what's being monitored.
For example, you can turn off Shadow IT detection. Substly will then only monitor the services listed on your "Approved Services" page. To change this:
Go to Substly > Extension > Settings
Uncheck the box for Shadow IT
You can also request custom monitoring for specific tools or URLs only. This can't be configured in the app, but our team can set it up manually for you. If you're interested, just reach out to our support team.
Why Shadow IT Detection Supports Compliance and Certifications
Many companies today aim to comply with regulations and frameworks such as:
NIS2 (EU-wide cybersecurity directive)
DORA (Digital Operational Resilience Act)
ISO 27001 and other ISO standards
SOC 2
GDPR (especially vendor-related responsibilities under Article 28)
All of these place increased demands on organizations to:
Maintain an up-to-date register of all third-party services (especially cloud-based/SaaS tools)
Understand and document how data is processed, by whom, and where
Ensure vendors meet certain security and compliance standards
The challenge?
Most organizations can only list the tools they know about. But from a compliance perspective, that's not enough. You also need to be able to identify unknown or unsanctioned tools, sometimes referred to as Shadow IT.
Substly's browser extension helps fill that gap by detecting usage of unapproved B2B services, giving you the insights you need to:
Build a complete vendor inventory
Evaluate vendors against your compliance and security policies
Take action on unsanctioned or risky tools