You pay for the seats we manage — not every time we revoke one. Two self-serve tiers, one enterprise contract, one free pilot window for early teams. Cancel in one click, keep your audit log.
For teams starting to automate their first three portals.
Production offboardings across the full IAM surface area.
Hard compliance. Self-hosted Vault. Custom policy packs.
| Compare | Starter | Business | Enterprise |
|---|---|---|---|
| Portal connectors | 3 of your choice | All (10+) | All · custom |
| HRIS sources | One | Unlimited | Unlimited · custom |
| OPA policy authoring | Default pack | Custom Rego | Custom policy packs |
| Audit log retention | 90 days | 7 years | Configurable |
| HITL multi-approver | – | ✓ | ✓ |
| SSO for admins | soon | SAML · OIDC | SAML · OIDC · SCIM |
| SOC 2 | – | Type 1 report | Type 2 · ISO 27001 |
| SLA | Best-effort | 99.9% | Custom |
| Deployment | Shared cloud | Dedicated tenant | Self-host · VPC peering |
| Support | Email · 48h | Priority · 4h | Named architect |
| Minimum seats | 10 | 50 | Negotiated |
Any active seat we're watching — typically the headcount synced from your HRIS every 24 hours. Contractors and part-time staff in HRIS count; people you've already terminated don't. We take the daily maximum over each month and round to the nearest 10.
Per-offboarding sounds fair but incentivises you to delete less. We charge for the surface area we protect, the audit log we keep, and the policy engine we run continuously. Offboardings are the visible moment; provisioning, approvals, and audit happen every day.
We continue to bill the last known seat count — otherwise there's an obvious incentive to unplug before invoicing. Reconnect at any time and the count resumes from the live feed. A 7-day grace period applies for good-faith outages, documented in your Service Order.
No. We call Okta, Microsoft Graph, Salesforce, and the rest using your OAuth credentials. We pay nothing to them and neither do you for the calls. Your existing license agreements are unchanged.
Yes — on Enterprise. The stack ships as Docker images plus a Helm chart: Gatekeeper, Doer Agent, Licensing Orchestrator, Zero-Trust Audit, OPA, Vault, Postgres, Redis, Kafka (Redpanda works). All inside your VPC; we never see your data.
The AI only parses — it never decides. Every action goes through deterministic risk scoring and OPA policy. Anything above 0.75 is routed to HITL by default, and every executed action is reversible within its grace period (Salesforce: 30 days; Okta/M365: immediate reactivation via audit replay).
Starter is month-to-month with a Stripe subscription. Business is an annual contract with quarterly billing available. Enterprise is a one- to three-year MSA with a data processing addendum and optional BAA. All tiers include a mutual NDA, a SOC 2 report (when applicable), and our incident response commitment.
Not publicly, but the first three design partners every quarter get ninety days free. Apply for a pilot.
Bring a BambooHR or Workday sandbox and one non-critical Okta tenant. We'll wire them up live, parse a Slack message, and walk you through the audit log at the end. If it doesn't click in the first ten minutes, we both move on.