pricing

Runs in your cloud.
Priced per employee.

Every tier deploys into infrastructure you own — your credentials never leave your environment. Run it yourself, or have us deploy and operate it for you. No per-action fees; you pay for the headcount under management.

Self-Host

You deploy the stack into your own cloud with one command.

$ 5 / employee / mo
  • Unlimited lifecycle actions (joiner · mover · leaver)
  • All built-in connectors
  • Multi-HRIS · custom Rego policies
  • Slack approvals (HITL)
  • Tamper-evident audit log
  • One-command deploy + upgrades
  • You bring your own Gemini API key
  • Email + community support
Start self-hosting
min. 25 employees · annual
Done-for-You

We deploy and operate it inside your cloud account. You never touch a terminal.

Talk to us
  • Everything in Self-Host
  • We deploy into your cloud
  • We run upgrades + on-call ops
  • Gemini API key included
  • Multi-approver workflows
  • Onboarding + SLA
  • Priority support
Book a demo
min. 50 employees · setup fee + annual
Enterprise

Hard compliance, custom policy packs, dedicated support.

Custom
  • Everything in Done-for-You
  • Multi-region deploy
  • Customer-managed Vault keys
  • Custom OPA policy packs
  • SSO for admins (SAML · OIDC · SCIM)
  • Named solution architect
  • DPA · BAA · custom contracts
  • SOC 2 Type 2 · ISO 27001
Talk to sales
contact for commercials

What does Self-Host cost for your team?

live estimate
252,000
3%40%

Estimate is for Self-Host at $5/employee/mo. Done-for-You is scoped per engagement — book a demo for a quote.

Monthly cost
$750billed monthly
Annual cost
$9,000150 × $5 × 12
Licenses reclaimed / yr
$63,94222 offboards × $2,842
Return on spend
7.1×payback in ~2 months
Strong fit. You reclaim more than 4× your platform cost — every month after month two is pure savings.
Compare Self-Host Done-for-You Enterprise
Runs in Your cloud Your cloud Your cloud · multi-region
Who deploys + operates You We do We do
Credentials leave your env Never Never Never
Gemini API key You bring Included Included
Portal connectors All built-in All built-in All · custom
OPA policy authoring Custom Rego Custom Rego Custom policy packs
Audit log retention You control You control You control · export tooling
HITL multi-approver single approver
SSO for admins roadmap roadmap SAML · OIDC · SCIM
SOC 2 / ISO 27001 Controls implemented; certification on the roadmap — not yet held
Upgrades You run --upgrade We run them We run them
Support Email + community Priority + SLA Named architect
Minimum seats 25 50 Negotiated
questions

The ones we get every week.

Wait — everything is self-hosted now?

Yes. The whole stack runs in your cloud account, on every tier. The only choice is who operates it: Self-Host, where you run the one-command deploy yourself, or Done-for-You, where we deploy and operate it inside your account. There is no shared SaaS that holds your data — that's the point.

What's the difference between Self-Host and Done-for-You?

Same software, same bytes — different labor. Self-Host is a versioned set of Docker images plus a one-command deploy script you run against your own cloud; you bring your own Gemini API key. Done-for-You is us doing the deploy, the upgrades, and the on-call ops inside your account, with the Gemini key included and an SLA. Your IAM credentials stay in a Vault in your infrastructure either way.

If it's in our cloud, how do you bill per employee?

Headcount is self-reported from your HRIS and trued up annually in your order — the same honor-plus-contract model used by self-managed enterprise software everywhere. Contractors and part-time staff in HRIS count; people you've already terminated don't. No per-action fees: you pay for the surface area under management, not each provision, move, or revocation.

Do you ever see our data or credentials?

No. Every deployment runs in infrastructure you own, and long-lived tokens stay in a Vault we deploy into your account. On Done-for-You we have operational access to run and upgrade it — and you can revoke that access at any time. We never hold your credentials in our own infrastructure.

Do you resell or mark up the portal APIs we connect?

No. The deployment calls Okta, Microsoft Graph, Salesforce, and the rest using your credentials, from your own cloud. We pay nothing to them and neither do you for the calls. Your existing license agreements are unchanged.

How do you handle the "AI got it wrong" case?

The AI only parses — it never decides. Every action goes through deterministic risk scoring and OPA policy. Anything above 0.75 is routed to HITL by default, and every executed action is reversible within its grace period (Salesforce: 30 days; Okta/M365: immediate reactivation via audit replay).

What's the contract look like?

Self-Host is an annual license with image-registry access. Done-for-You adds a one-time setup fee and an operations agreement with an SLA. Enterprise is a one- to three-year MSA with a data processing addendum and optional BAA. All tiers include a mutual NDA and our incident-response commitment. SOC 2 / ISO 27001 controls are implemented; the certifications are on our roadmap and not yet held.

Is there a pilot?

Yes — the first design partners each quarter get a hands-on pilot. Request a pilot.

Twenty minutes to see it run on your stack.

Bring a BambooHR or Workday sandbox and one non-critical Okta tenant. We'll wire them up live, parse a Slack message, and walk you through the audit log at the end. If it doesn't click in the first ten minutes, we both move on.