Security & access
Security features your engineers actually use.
Sciple ships the access controls, audit trail, and AWS Secrets Manager-backed credentials as first-class product features. They are how engineers get things done, not extra steps they have to remember.
What is inside
Six security surfaces. One model.
Every security capability is shipped today and is documented in the platform docs. Pick one to see how it works.
Single sign-on
OIDC SSO, configurable per workspace.
Wire Sciple into Okta, Entra ID, Google Workspace, or any OIDC-compliant provider. Each workspace configures its own provider, claims mapping, and session duration. Local username and password login stays available for emergency access and break-glass. API keys for service accounts are issued separately and scoped to specific permission groups, so machine-to-machine integrations do not need a human credential to operate.
- OIDC providers, configurable per workspace
- Okta, Entra ID, Google Workspace, Auth0, or any OIDC IdP
- Local username and password login for break-glass
- API keys for service accounts, scoped per group
- Per-workspace session duration and claims mapping
Groups & permissions
Permissions you can read on one screen.
Permissions are not strings scattered across the codebase. They are named, registered, and collected into named permission groups. Onboarding a new role is a checkbox list, not a SQL migration. Every module checks the same permission set.
- Viewing and managing services
- Viewing cloud resources, plus connecting accounts
- Browsing Kubernetes clusters and resources
- Viewing credentials without exposing values
- Revealing or managing secret values
- Designing pipelines and approving deployments
- Configuring workspace settings and branding
- Platform-wide administration
Credentials store
One view for every credential. Values stay in your AWS account.
Sciple covers every credential kind your team operates against, including passwords, SSH keys, TLS certificates, GPG keys, API tokens, OAuth2 clients, kubeconfig, service account tokens, container registry credentials, GitHub Apps and source-control PATs, AWS access keys and IAM roles, Azure service principals, GCP service accounts, database connection strings, Slack and Teams bot tokens, webhook signing secrets, LDAP bind credentials, and license keys. The secret values live in AWS Secrets Manager. Sciple holds the reference, the expiry, the rotation schedule, and the ownership. Other modules reference a credential by identifier, never by value.
- Expiry date for proactive rotation
- Last rotation timestamp for hygiene reports
- Owner for accountability
- How many integrations reference each credential
- Notifications when a credential nears renewal
- Clean audit trail of every value change
- Reference by identifier, never by value
Audit trail
Every mutation. Same transaction. No gaps.
Every create, update, and delete in the platform writes an audit event in the same database transaction as the change itself. If the audit write fails, the change rolls back. The audit log and the state of the world can never disagree. Sensitive values are never written to audit metadata. Auditors get a complete, ordered, greppable timeline of who did what, when, against which resource, with the before-and-after snapshot.
- The acting principal, whether a user or an API key
- The action name, namespaced by resource type
- The target resource and its identifier
- Before-and-after snapshots, with secrets redacted
- Timestamp and the workspace in which the action ran
- Audit identifier returned in the API response
- Same transaction as the change, so it never drifts
Data isolation
Workspace boundaries the database enforces.
Every read happens inside the caller's workspace. There is no admin shortcut that bypasses workspace scoping, even for Sciple support. Your data is yours, and your workspace is sealed. Secrets live in AWS Secrets Manager, so your secrets stay in your AWS account, and Sciple only holds the reference. The logging layer reads field classification tags and redacts secrets automatically.
- Strict workspace isolation enforced at the query layer
- No cross-workspace reach, even for Sciple support
- Secret values stored in your AWS Secrets Manager
- Logging layer auto-redacts secrets by classification tag
- Read paths return only data inside the caller's workspace
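The two properties above, an audit event committed in the same transaction as the change it records (audit trail section) and reads that are scoped to the caller's workspace at the query layer (data isolation section), as one added sketch in Python with SQLite. This is illustrative code, not Sciple's implementation: the schema, the column names, the `rotation_token` field tagged as secret-classified, and the single constructed credential row are all assumptions.

```python
import json
import sqlite3

SECRET_FIELDS = {"rotation_token"}  # assumed classification tag: never lands in audit metadata
UPDATABLE = {"owner", "expires_at", "rotation_token"}  # allow-list, so column names never come from input

def open_db() -> sqlite3.Connection:
    """In-memory DB with one constructed credential row (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE credentials(id TEXT PRIMARY KEY, workspace_id TEXT, owner TEXT,
                                 expires_at TEXT, rotation_token TEXT);
        CREATE TABLE audit_events(id INTEGER PRIMARY KEY, workspace_id TEXT, actor TEXT,
                                  action TEXT, target_id TEXT, before TEXT, after TEXT);
        INSERT INTO credentials VALUES ('cred-1', 'ws-a', 'alice', '2025-01-01', 'tok-OLD');""")
    return conn

def redact(row: sqlite3.Row) -> dict:
    """Snapshot a row with secret-classified fields replaced before it is logged."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else row[k]) for k in row.keys()}

def update_credential(conn, workspace_id, actor, cred_id, changes, fail_audit=False) -> int:
    """Apply `changes` and write the audit event in the same transaction; return the audit id."""
    if not set(changes) <= UPDATABLE:
        raise ValueError("unknown field")
    with conn:  # sqlite3 context manager: COMMIT on success, ROLLBACK on any exception
        before = conn.execute("SELECT * FROM credentials WHERE id=? AND workspace_id=?",
                              (cred_id, workspace_id)).fetchone()  # read is workspace-scoped
        if before is None:
            raise LookupError("no such credential in this workspace")
        conn.execute(f"UPDATE credentials SET {', '.join(k + '=?' for k in changes)} "
                     "WHERE id=? AND workspace_id=?", (*changes.values(), cred_id, workspace_id))
        after = conn.execute("SELECT * FROM credentials WHERE id=?", (cred_id,)).fetchone()
        if fail_audit:  # simulate the audit insert failing: the UPDATE above must roll back
            raise RuntimeError("audit write failed")
        cur = conn.execute("INSERT INTO audit_events(workspace_id, actor, action, target_id, before, after)"
                           " VALUES (?,?,?,?,?,?)", (workspace_id, actor, "credential.update", cred_id,
                           json.dumps(redact(before)), json.dumps(redact(after))))
        return cur.lastrowid

def audit_event(conn, audit_id) -> tuple:
    """Return the decoded (before, after) snapshots of one audit event."""
    ev = conn.execute("SELECT before, after FROM audit_events WHERE id=?", (audit_id,)).fetchone()
    return json.loads(ev["before"]), json.loads(ev["after"])

def owner_of(conn, cred_id) -> str:
    return conn.execute("SELECT owner FROM credentials WHERE id=?", (cred_id,)).fetchone()["owner"]
```

With `fail_audit=True` the credential update is rolled back together with the failed audit insert, so the table and the audit log cannot disagree; a caller in another workspace gets `LookupError` rather than a row.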
Compliance posture
The features above map to the controls your auditors ask about.
Sciple is designed and operated to align with SOC 2 and ISO 27001 controls. The controls matrix maps each security feature to its relevant SOC 2 and ISO 27001 control. A formal SOC 2 Type II audit is on the roadmap. Under NDA we can share the controls matrix, the sub-processor list, and the standard CAIQ and SIG-Lite questionnaires.
- Controls matrix mapped to SOC 2 and ISO 27001
- Sub-processor list, available under NDA
- Standard CAIQ and SIG-Lite security questionnaires
- Architecture overview and data flow diagram
- Pen test summary, current year
- SOC 2 Type II audit on the roadmap