Enterprise

The controls your security team puts on every RFP. Already built.

SSO, automated provisioning, IP allow-listing, real-time SIEM streaming, one-click access reviews and a separate database for every site. One platform for multi-site operations, with the governance an enterprise expects on day one.

OIDC + SCIM 2.0Standards-based identity, no proprietary sign-in
A database per siteIsolation by architecture, not by policy
Signed SIEM feedEvery security event, streamed in real time
11 languagesIncluding right-to-left, per-user preference
ocapii
Welcome back
Sign in to your ocapii account to pick up where your operations left off.
Work email
PasswordForgot password?
Your password**********
Keep me signed in
Sign in
OR
Continue with Google Workspace SSO
Email me a sign-in link instead
© 2026 ocapii · Master your operations.
Enterprise controls

One platform to run multi-site operations securely.

Identity & access

Access managed by hand doesn't scale past the tenth site.

Your directory decides who gets in. ocapii connects to Google Workspace, Microsoft Entra ID, Okta or any OpenID Connect provider, so sign-in, MFA and site access are governed by the systems your IT team already runs.

What ocapii does here

  • Single sign-on through your own identity provider, with your own MFA and no proprietary sign-in
  • SCIM 2.0 provisioning: joiners, movers and leavers synced automatically, with access revoked in seconds
  • Directory groups map to roles and site access, so permissions live in your IdP, not a spreadsheet
  • Front-line staff without email keep working on secure, audit-logged PINs
ocapii
Welcome back
Sign in to your ocapii account to pick up where your operations left off.
Work email
PasswordForgot password?
Your password**********
Keep me signed in
Sign in
OR
Continue with Google Workspace SSO
Email me a sign-in link instead
© 2026 ocapii · Master your operations.
13
Your Teams/Departments
10
Entries Per Page
Create
Reset Reload
Search…
TEAM/DEPARTMENT
HEAD COUNT
ACTION
User
1
Actions
Site Manager
0
Actions
Site Admin
9
Actions
Org Admin
2
Actions
Maintenance
0
Actions
Front Of House (FOH)
6
Actions
Back Of House (BOH)
0
Actions
Auditor
0
Actions
13
Organisation Security Policy
Minimum password length
8
Platform floor is 8. Complexity (upper/lower/number/symbol) always applies.
Disallow reuse of last … passwords
2
Password max age (days)
disabled
Force a password change when a password is older than this at sign-in. Leave blank to disable (recommended by NIST). SSO and PIN sign-ins are unaffected.
Password composition
Choose which character classes every password must contain. The minimum length floor of 8 always applies. Defaults match previous behaviour (all four required).
Require an uppercase letter (A–Z)
Require a lowercase letter (a–z)
Require a number (0–9)
Require a symbol (e.g. ! @ # $ %)
Block known-breached passwords (checked against HaveIBeenPwned)
Rejects passwords found in public data breaches at save time. Checked server-side only.
Web session lifetime (minutes)
platform default
Applies to HQ and all child sites. Leave blank for the platform default.
Max concurrent web sessions
unlimited
Per user. A new sign-in beyond the limit signs out the oldest session. Leave blank for unlimited.
IP allow-list
11*****
Dashboard
YOUR STAFF
User Manageme…
User
Roles
Single Sign-On
Security Policy
Access Review
YOUR SITES
Site Manageme…
YOUR CHECK LISTS
Forms
Analytics
MONITORING
13
Access Review
Certification Campaigns
Start Campaign
Export CSV
Who has access to what, across your whole organisation — generated 2026-07-07 13:49. Export the CSV for your compliance records.
USER
ROLE
STATUS
SITE ACCESS
LAST SIGN-IN
LAST MOBILE SIGN-IN
SIGN-IN METHODS
MOBILE TOKENS
FOH User
example1@123test.com
Front Of House (FOH)
Active
Oxford Circus, Victoria, Baker Street, Waterloo, King's Cross, Piccadilly Circus
never
never
Password
4
Org Admin
example1@123test.com
Org Admin
Active
All sites (admin)
5 minutes ago
never
SSO
0
Site Admin
example1@123test.com
Site Admin
Active
Victoria
2 hours ago
2 hours ago
SSO
1
Estate Admin
example1@123test.com
Admin
Active
All sites (admin)
3 weeks ago
never
Password
3
Child Site User
example1@123test.com
User
Active
Oxford Circus, Victoria, Baker Street, Waterloo, King's Cross, Piccadilly Circus
never
never
Password
0
ocapii
Signing in with SSO…
Platform capabilities

The detail behind the checkboxes

Security reviews are won in the small print. These are the answers reviewers usually have to chase.

Granular RBAC

Over 200 named permissions across every module, managed once at HQ and inherited by every site, and admins can only ever grant permissions they hold themselves.

No silent account creation

SSO never creates accounts: only users you provisioned can sign in, and domain allow-lists control which company accounts are ever accepted.

Break-glass admin access

If your identity provider goes down, designated admin access survives the outage, so enforcing SSO never means locking yourself out.

Mobile SSO, done properly

The mobile apps sign in through the system browser with PKCE token exchange, the pattern Apple and Google recommend, so no embedded webview ever handles a credential.

Controlled support impersonation

Support access to your sites is permission-gated, hard-blocked from cross-tenant shortcuts, and every use is recorded in the audit log.

Immutable audit grades

Audit submissions snapshot their grading scheme at completion, so changing a scheme later never rewrites history.

Bring your security team

The fastest way to evaluate ocapii is to put it in front of the people who will review it. We will walk through identity, isolation, audit and governance in detail, on your questions.

FAQ

The questions your IT team will ask

Yes. Ocapii supports SSO over OpenID Connect with Google Workspace, Microsoft Entra ID, Okta, OneLogin, Ping, Auth0, Keycloak and any other OIDC provider, on web and mobile. You can enforce SSO and switch password sign-in off entirely.

Every customer site runs in its own database, with file storage segregated per tenant on Google Cloud. Isolation is structural, not a policy promise. Data is encrypted in transit and at rest.

If you use SCIM provisioning, deactivation in your directory removes their access within seconds: web sessions end and mobile tokens are revoked on every device, across every site. Admins can also sign any user out everywhere in one click.

Yes. Every audit event streams to your webhook in real time, cryptographically signed with a rotatable secret and retried automatically. It plugs into Splunk, Microsoft Sentinel or any tooling that accepts a webhook. 

Ocapii's security controls are designed to support ISO 27001 and SOC 2 Type II programmes, and both are in progress. The access control, audit logging and monitoring capabilities on this page are built as evidence for those programmes.

No. Staff without email sign in to the mobile apps with secure, admin-controlled PINs that are audit-logged and unaffected by SSO enforcement. The whole workforce is covered, desk or no desk.

Yes. IP allow-listing restricts web and mobile access to the addresses or CIDR ranges you specify, per organisation, with a safeguard that stops admins locking themselves out.

Yes. ocapii provides versioned, token-based API access with scoped and expiring tokens, including a JSON endpoint for access-review data so your compliance tooling can consume it directly.