Organisation
An Organisation is the root tenant.
It is the legal and billing unit the customer signs up as. It owns Teams, which own Projects, which own Agents. It sets the org-level Policy floor that cascades down, and it holds billing, SSO config, and default settings.
Everything else is scoped under one Organisation.
At a glance
| Owns | Teams, billing relationship, SSO config, BYOK credentials, default Policy |
| Identified by | org_id (UUID); short-slug for human reference |
| Created via | self-serve signup, sales-onboarded provisioning, or OEM tenant carve-out |
| Status | now |
Where it sits
Organisation (root tenant)
│
├── Teams (people groupings, SSO-backed)
│   │
│   └── Projects (workspace groupings, with their own Policy floor)
│       │
│       └── Agents (the running code being governed)
│
├── Billing relationship
├── SSO / Identity Provider config
├── BYOK / Vault credentials
└── Org-level Policy floor (cascades down through Project → Agent)

What an Organisation owns
| Concern | Where it lives on the Organisation |
|---|---|
| Identity | Identity — SSO IdP, default API key issuance policy |
| Cost | Billing plan, spend caps, cost-center allocation |
| Compliance | Default Compliance pack attachment, regulatory scope |
| Branding | OEM/white-label settings (if applicable) |
| Vault | BYOK credentials shared across the org |
| Policy floor | Org-level Policy that every Project + Agent inherits via Cascade |
Why this is its own concept
Most TapPass concepts are scoped within an organisation. The Organisation itself is the boundary that makes multi-tenancy meaningful: data segregation, billing aggregation, identity scoping, default-policy authority.
It's also the unit OEM partners can carve up — a single TapPass deployment can host many Organisations, each with its own branding, vault backend, detection backends, and policy presets.
Lifecycle
[create]    Self-serve signup OR sales/OEM provisioning → org_id minted
    ↓
[setup]     SSO connected · BYOK credentials added · default policy attached
    ↓
[populate]  Teams created · Projects created · Agents onboarded
    ↓
[operate]   Day-to-day governance happens within the org
    ↓
[archive]   Org soft-archived; data retained per retention policy; no new sessions

Surfaces
| Persona | Surface | What they do |
|---|---|---|
| Org owner | Settings → Organisation | Edit metadata, billing, SSO, default policy |
| Operator | (implicit) | Every action implicitly scoped to the org they belong to |
| OEM partner | Tenant admin UI | Provision/manage many Organisations within one TapPass deployment |
Related concepts
- owns → Team, Project, Identity, Compliance pack, Cascade (root level)
- boundary for ↑ all other concepts (multi-tenancy boundary)