The controls your security team puts on every RFP. Already built.
SSO, automated provisioning, IP allow-listing, real-time SIEM streaming, one-click access reviews and a separate database for every site. One platform for multi-site operations, with the governance an enterprise expects on day one.
One platform to run multi-site operations securely.
Access managed by hand doesn't scale past the tenth site.
Your directory decides who gets in. ocapii connects to Google Workspace, Microsoft Entra ID, Okta or any OpenID Connect provider, so sign-in, MFA and site access are governed by the systems your IT team already runs.
What ocapii does here
- Single sign-on through your own identity provider, with your own MFA and no proprietary sign-in
- SCIM 2.0 provisioning: joiners, movers and leavers synced automatically, with access revoked in seconds
- Directory groups map to roles and site access, so permissions live in your IdP, not a spreadsheet
- Front-line staff without email keep working on secure, audit-logged PINs
Your security standards shouldn't stop at your own systems.
Set your security policy once at HQ and every site inherits it: password rules, session lifetimes, network restrictions and lockout behaviour, enforced across the estate without per-site setup.
What ocapii does here
- IP allow-listing restricts web and mobile access to your office or VPN ranges
- Account lockout after failed attempts, with deliberate admin-controlled recovery
- Modern password policy: history, complexity and forced rotation on risk events
- One click signs a user out everywhere: every session ended, every mobile token revoked
"How is our data separated from other customers?" deserves a structural answer.
Every site runs in its own database, with file storage segregated per tenant on Google Cloud. Isolation is architecture, not a policy promise.
What ocapii does here
- A separate database for every customer site, not row-level separation in a shared schema
- Each site on its own subdomain with tenant-aware routing, caching and queues
- Encrypted in transit and at rest, with credentials and secrets hashed or encrypted throughout
- A documented, structured path for your data to leave if you ever do
If your SOC can't see it, it didn't happen.
Every security-relevant action is recorded, attributed to an authenticated identity and streamed to your own tooling as it happens. Evidence is built continuously, not assembled on request.
What ocapii does here
- Real-time SIEM streaming: every audit event to your webhook, cryptographically signed, retried automatically
- One-click access reviews showing who has access to what, right now, with CSV and API export
- Self-service audit log exports with date and category filters
- Mobile sign-ins tracked too, so the deskless workforce is never a blind spot
Fifty sites shouldn't mean fifty versions of the truth.
One HQ console governs users, policies and content across every venue. Publish once, and every site runs the same checks, forms and workflows, with version history and rollback.
What ocapii does here
- Users, roles, SSO and security policy managed once at HQ, inherited everywhere
- Governed content distribution with versioning, rollback and sync-to-latest
- Cross-site dashboards compare, rank and trend every site in one view
- Eleven languages including right-to-left, with white-labelling for groups and partners
Most enterprises stay on systems they've outgrown because moving feels risky.
The Data Hub migrates your users, suppliers, submissions and temperature history from your current platform: mapped, validated, error-reported at row level, and reversible.
What ocapii does here
- Structured migration from CSV, XLSX or JSON with automatic column mapping and validation
- Sandbox training sites for train-the-trainer and UAT, resettable in one click
- Self-serve SSO setup with a live connection test and exact pass/fail reporting
- Managed enterprise onboarding, phased site by site
The detail behind the checkboxes
Security reviews are won in the small print. These are the answers reviewers usually have to chase.
Granular RBAC
Over 200 named permissions across every module, managed once at HQ and inherited by every site, and admins can only ever grant permissions they hold themselves.
No silent account creation
SSO never creates accounts: only users you provisioned can sign in, and domain allow-lists control which company accounts are ever accepted.
Break-glass admin access
If your identity provider goes down, designated admin access survives the outage, so enforcing SSO never means locking yourself out.
Mobile SSO, done properly
The mobile apps sign in through the system browser with PKCE token exchange, the pattern Apple and Google recommend, so no embedded webview ever handles a credential.
Controlled support impersonation
Support access to your sites is permission-gated, hard-blocked from cross-tenant shortcuts, and every use is recorded in the audit log.
Immutable audit grades
Audit submissions snapshot their grading scheme at completion, so changing a scheme later never rewrites history.
Bring your security team
The fastest way to evaluate ocapii is to put it in front of the people who will review it. We will walk through identity, isolation, audit and governance in detail, on your questions.
The questions your IT team will ask
Yes. Ocapii supports SSO over OpenID Connect with Google Workspace, Microsoft Entra ID, Okta, OneLogin, Ping, Auth0, Keycloak and any other OIDC provider, on web and mobile. You can enforce SSO and switch password sign-in off entirely.
Every customer site runs in its own database, with file storage segregated per tenant on Google Cloud. Isolation is structural, not a policy promise. Data is encrypted in transit and at rest.
If you use SCIM provisioning, deactivation in your directory removes their access within seconds: web sessions end and mobile tokens are revoked on every device, across every site. Admins can also sign any user out everywhere in one click.
Yes. Every audit event streams to your webhook in real time, cryptographically signed with a rotatable secret and retried automatically. It plugs into Splunk, Microsoft Sentinel or any tooling that accepts a webhook.
Ocapii's security controls are designed to support ISO 27001 and SOC 2 Type II programmes, and both are in progress. The access control, audit logging and monitoring capabilities on this page are built as evidence for those programmes.
No. Staff without email sign in to the mobile apps with secure, admin-controlled PINs that are audit-logged and unaffected by SSO enforcement. The whole workforce is covered, desk or no desk.
Yes. ocapii provides versioned, token-based API access with scoped and expiring tokens, including a JSON endpoint for access-review data so your compliance tooling can consume it directly.