CONTROL PLANE
Version 1.0 — In Development

An enterprise governance platform providing centralised access control, policy management, and compliance visibility across multi-tenant organisational structures — layered above your existing infrastructure.

Policy Management · Access Control · Audit & Compliance · Identity Integrations · Multi-Tenant · SOC2 · ISO 27001
01 — Overview

Govern Without Disrupting.

Control Plane sits above your existing infrastructure, imposing governance without requiring migration. Define policies once, enforce them everywhere.

01
Policy-Driven

Define granular access and resource policies in a single place. Apply them across every tenant, application, and user role without touching individual systems. Policy changes propagate instantly across the entire governance hierarchy.

02
Real-Time Visibility

Every access event, policy evaluation, and resource action is captured and queryable in real time. Compliance dashboards surface violations, anomalies, and approval workflows without manual log trawling.

03
Provider-Agnostic

Designed to layer above AWS, Azure, GCP, on-premise systems, and SaaS applications alike. No vendor lock-in at the governance layer — integrate once, govern everything.

04
Multi-Tenant by Design

Strict organisational isolation with cross-tenant visibility for platform administrators. Each tenant maintains full data separation while the platform owner retains governance oversight across all tenants simultaneously.

02 — Architecture

System Architecture.

Five distinct layers, each with clear responsibilities. The platform is designed for horizontal scalability and provider-agnostic deployment.

  • Presentation: Web UI · Mobile Interfaces · Admin Dashboards
  • API Gateway: RESTful API · Auth · Rate Limiting · Routing
  • Application: Policy Engine · Access Control · Audit Logging · Compliance
  • Integration: Identity Connectors · Storage Connectors · Adapters
  • Data: Relational Database · Distributed Cache · Audit Log Storage
Multi-Tenancy

Complete data isolation between tenants enforced at the database and API layers. Each tenant operates in a logically separate namespace with scoped credentials, policies, and audit trails.

  • Row-level security on all tenant data
  • Scoped API keys per tenant
  • Independent policy namespaces
  • Cross-tenant admin visibility with audit trail
Scalability

Stateless application tier scales horizontally. Cache layer absorbs read traffic. Async audit event queue decouples logging from request latency.

  • Horizontal scaling via container orchestration
  • Distributed cache for policy evaluation
  • Async event queue for audit logging
  • Multi-AZ deployment with automated failover
03 — Components

Core Components.

Four primary subsystems, each independently maintainable and extensible. Every component exposes a public API for integration.

01
Policy Engine

The central policy evaluation and enforcement layer. Evaluates access decisions in real time using a declarative rule system. Supports hierarchical policy inheritance across org, tenant, team, and user levels.

  • Declarative Rules
  • Hierarchical Inheritance
  • Real-Time Evaluation
  • Policy Templates
  • Version Control
  • Conflict Resolution
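The hierarchy described above (org, tenant, team, user levels, inheritance, conflict resolution) is easier to reason about with a small evaluator in hand. The following is an added illustration, not Control Plane's own engine: the rule shape, the glob matching, and the conflict-resolution strategy (an explicit deny at any level overrides allows, and nothing matching means deny) are assumptions for the example. It also shows why independent policy namespaces matter: a rule attached to tenant "acme" never influences a request made in tenant "globex". All names and rules are constructed.

```python
"""Hierarchical policy evaluation across org > tenant > team > user.
Added illustration, not Control Plane's own engine. Conflict resolution is
assumed to be deny-overrides with default deny."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

LEVELS = ("org", "tenant", "team", "user")  # broadest to most specific


@dataclass(frozen=True)
class Rule:
    level: str     # level of the hierarchy the rule is attached to
    scope: str     # identifier of that org / tenant / team / user
    effect: str    # "allow" or "deny"
    action: str    # glob pattern, e.g. "storage:*"
    resource: str  # glob pattern, e.g. "s3://acme-*"


@dataclass(frozen=True)
class Request:
    org: str
    tenant: str
    team: str
    user: str
    action: str
    resource: str


def matches(rule: Rule, req: Request) -> bool:
    """A rule applies only inside its own namespace and only if both
    the action and the resource patterns match."""
    if rule.level not in LEVELS:
        raise ValueError(f"unknown level {rule.level!r}")
    if getattr(req, rule.level) != rule.scope:
        return False  # e.g. a tenant "acme" rule seen by a "globex" request
    return fnmatchcase(req.action, rule.action) and fnmatchcase(req.resource, rule.resource)


def evaluate(rules, req: Request):
    """Return (decision, trace). The trace lists matched rules from broadest
    to most specific so an operator can see how the decision was reached."""
    matched = sorted((r for r in rules if matches(r, req)),
                     key=lambda r: LEVELS.index(r.level))
    if not matched:
        return "deny", []           # default deny: nothing granted access
    if any(r.effect == "deny" for r in matched):
        return "deny", matched      # deny-overrides: any explicit deny wins
    return "allow", matched


# Constructed sample policy set (hypothetical org "contoso" with two tenants)
RULES = [
    Rule("org", "contoso", "allow", "storage:read", "s3://*-public/*"),       # inherited everywhere
    Rule("tenant", "acme", "allow", "storage:read", "s3://acme-*"),            # tenant-wide read
    Rule("team", "acme-finance", "allow", "storage:write", "s3://acme-finance/*"),
    Rule("user", "mallory", "deny", "*", "*"),                                 # offboarded user
]


def decide(user, team, tenant, action, resource):
    """Evaluate one request against RULES; returns the decision and a
    compact (level, effect) trace of the rules that matched."""
    req = Request("contoso", tenant, team, user, action, resource)
    decision, trace = evaluate(RULES, req)
    return decision, [(r.level, r.effect) for r in trace]


if __name__ == "__main__":
    print(decide("alice", "acme-eng", "acme", "storage:read", "s3://acme-docs/readme"))
    print(decide("mallory", "acme-finance", "acme", "storage:write", "s3://acme-finance/ledger"))
    print(decide("carol", "globex-eng", "globex", "storage:read", "s3://acme-docs/readme"))
```

The trace is the piece a governance UI would surface: for the offboarded user it shows the team-level allow being overridden by the user-level deny, and for the cross-tenant request it is empty, showing that no acme rule ever entered the evaluation.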
02
Access Control

Role-based and attribute-based access control across all platform resources. Supports fine-grained permission sets, temporary escalations, and delegated access workflows.

  • RBAC / ABAC
  • Permission Sets
  • Temporary Escalation
  • Delegated Access
  • MFA Enforcement
  • Session Management
03
Audit & Compliance

Immutable audit log capturing every access event, policy evaluation, and administrative action. Structured for SOC2, ISO 27001, and POPIA compliance reporting with automated evidence generation.

  • Immutable Audit Log
  • Compliance Reports
  • Automated Evidence
  • Anomaly Detection
  • Retention Policies
  • Export & eDiscovery
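"Immutable" and "tamper-evident" (the Audit Log Viewer below uses the latter term) are claims an assessor will want to see backed by a mechanism. One common construction is a hash chain: every entry stores the SHA-256 of the previous entry's hash concatenated with the canonical serialisation of the event, so editing, deleting or reordering any earlier entry changes every later hash. The block below is an added illustration of that construction, not Control Plane's own audit storage; the event fields and the genesis constant are constructed for the example, and in a real deployment the chain head would additionally be anchored (signed or written to an external store) so the chain cannot simply be recomputed end to end.

```python
"""Tamper-evident audit trail as a SHA-256 hash chain.
Added illustration, not Control Plane's own implementation."""
import hashlib
import json

GENESIS = "0" * 64  # constructed stand-in for the hash of the empty chain


def canonical(event: dict) -> bytes:
    # Deterministic serialisation (sorted keys, no whitespace) so the same
    # event always hashes identically regardless of dict ordering.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # each entry: {"event": dict, "hash": hex str}

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, event)
        self.entries.append({"event": dict(event), "hash": h})
        return h

    def verify(self):
        """Return (True, None) if the chain is intact, otherwise
        (False, index of the first entry whose hash no longer matches)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if entry_hash(prev, e["event"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def sample_log() -> AuditLog:
    # Constructed sample events in the shape a governance layer might record.
    log = AuditLog()
    log.append({"seq": 1, "tenant": "acme", "actor": "alice", "action": "policy.update", "result": "allow"})
    log.append({"seq": 2, "tenant": "acme", "actor": "bob", "action": "storage:read", "result": "deny"})
    log.append({"seq": 3, "tenant": "acme", "actor": "alice", "action": "role.assign", "result": "allow"})
    return log


def demo():
    """Show verification on an intact log, after an in-place edit, and
    after a deleted entry."""
    intact = sample_log().verify()

    edited = sample_log()
    edited.entries[1]["event"]["result"] = "allow"   # after-the-fact edit of a deny
    edited_result = edited.verify()

    shortened = sample_log()
    del shortened.entries[1]                         # entry removed from the middle
    deleted_result = shortened.verify()

    return {"intact": intact, "edited": edited_result, "deleted": deleted_result}


if __name__ == "__main__":
    print(demo())
```

Verification is linear in the number of entries, which is why long-lived logs usually checkpoint the running hash periodically; a checkpoint the verifier already trusts lets it validate only the tail. Note that deletion is reported at the index where the chain first breaks (the entry that moved into the gap), not at the original position of the removed record.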
04
Resource Governance

Track, categorise, and enforce policies on all governed resources. Supports tagging, quota management, cost attribution, and resource lifecycle controls.

  • Resource Registry
  • Tagging & Taxonomy
  • Quota Management
  • Cost Attribution
  • Lifecycle Controls
  • Dependency Mapping
04 — Security

Security Posture Tiers.

Three configurable security tiers aligned to organisational risk profiles. Government tier meets SABS, POPIA, and ISO 27001 requirements.

Control            Standard                     Enhanced                              Government
Password Policy    8 char, complexity           12 char, complexity + history         16 char, full complexity, 90-day rotation
MFA                Optional                     Required for admin roles              Required for all users
Session Timeout    8 hours                      4 hours                               1 hour (idle) / 8 hours (absolute)
Device Trust       Not required                 Registered devices preferred          Managed devices required
Audit Retention    90 days                      1 year                                7 years (immutable)
Encryption         TLS 1.2+, AES-256 at rest    TLS 1.3, AES-256, key rotation        TLS 1.3, HSM-backed keys, FIPS 140-2
05 — Integrations

Integration Architecture.

Pre-built connectors for the most common identity and storage providers. Custom connectors available via the Adapter SDK.

Identity Providers
  • 01 Microsoft Entra ID (Azure AD) Phase 1
  • 02 Google Workspace Phase 1
  • 03 Okta Phase 2
  • 04 AWS IAM Identity Center Phase 2
  • 05 LDAP / Active Directory Phase 3
Storage Providers
  • 01 Amazon S3 Phase 1
  • 02 Azure Blob Storage Phase 1
  • 03 Google Cloud Storage Phase 2
  • 04 SharePoint / OneDrive Phase 2
  • 05 On-Premise NFS / SMB Phase 3
06 — Deployment

Deployment Models.

Three deployment options to match your infrastructure posture and regulatory requirements.

Recommended
SaaS

Fully managed. We handle infrastructure, updates, backups, and scaling. Fastest path to production — live in hours.

  • No infrastructure to manage
  • Automatic updates and patches
  • Multi-AZ by default
  • Shared responsibility model
  • 99.9% SLA included
Enterprise
Private Cloud

Deployed into your AWS, Azure, or GCP account. You own the data plane. We manage the control plane updates via automated pipeline.

  • Data residency compliance
  • Your VPC, your keys
  • Managed update pipeline
  • Custom network topology
  • Dedicated support tier
Government
On-Premise

Air-gapped deployment on your own hardware. No external network calls. Manual update process with cryptographic release verification.

  • No external network dependencies
  • HSM key management supported
  • Full FIPS 140-2 compliance
  • Manual release approval process
  • On-site deployment assistance
  • Default Topology: Multi-AZ
  • Recovery Point Objective: 15 min
  • Recovery Time Objective: 4 hr
  • Automated Failover: 60 sec
07 — Interface

Platform Interface.

Six primary views, each purpose-built for a governance workflow. No generic dashboards — every interface surfaces exactly the data operators need.

Governance Dashboard

Real-time overview of policy health, access events, active sessions, and compliance posture across all tenants. Surfaced as operator-grade data, not marketing charts.

Policy Management

Create, version, and deploy access policies. Visual conflict resolver highlights overlapping rules before deployment. Full history and rollback support.

Access Map

Graph-based visualisation of the full permission hierarchy. Click any user, role, or resource to inspect its access path and trace exactly how a permission was granted.

Compliance Dashboard

Framework-mapped compliance posture for SOC2, ISO 27001, and POPIA. Automated evidence collection with export-ready audit packages for assessors.

User & Role Management

Bulk user provisioning, role assignment, and access review workflows. Integrates with upstream identity providers — users are sourced from your directory, governed here.

Audit Log Viewer

Structured, filterable, tamper-evident audit trail. Full-text search across all event fields. Exportable to SIEM, CSV, and compliance tooling.

Scope & Boundaries

What It Is. What It's Not.

Control Plane is a governance layer, not a replacement for your existing infrastructure. Understanding the boundary matters.

This Is For You If

You operate complex, multi-tenant infrastructure and need a consistent governance layer above it.

  • You manage access for 50+ users across multiple systems
  • You need a single audit trail across disparate platforms
  • You require compliance evidence for SOC2, ISO 27001, or POPIA
  • You operate a multi-tenant SaaS product and need tenant isolation
  • You have regulatory or government security tier requirements
  • You want to enforce policy without migrating existing infrastructure

This Is Not

Control Plane does not replace your identity provider, cloud infrastructure, or existing security tools.

  • Not a replacement for your identity provider (Azure AD, Okta)
  • Not a cloud provider — we govern cloud, we don't replace it
  • Not a SIEM — we integrate with SIEMs, we don't replace them
  • Not a firewall or network security tool
  • Not designed for single-user or personal use cases
  • Not a generic project management platform

See It In Action.

Click through the live demo — switch roles, trigger access controls, and explore the full governance hierarchy. No login required.
