Only authenticated users within a customer’s tenant can view customer data in Orgvue. By default, Orgvue employees do not maintain any access to customer data. The only mechanism for Orgvue employees to view Orgvue customer data is for the customer to create a user account for an Orgvue employee within their tenant.
Orgvue sub-processors are published on the Orgvue sub-processors page. Of these:
Amazon Web Services provides hosting services only and has no access to Orgvue customer data.
Pendo may have access to Orgvue user email addresses. This processing of Orgvue customer email addresses is disabled by default and enabled only in combination with Orgvue customer authorization, which is managed through the Data Processing Agreement.
Yes, Orgvue supports and strongly recommends the use of Single Sign-On (SSO). SAML 2.0 is supported.
Orgvue does not natively support MFA. This is by design, as Orgvue’s preference is for our customers to manage their own authentication controls. Where a customer supports SSO + MFA internally within their own organization, they can extend MFA to Orgvue through Single Sign-On.
While we strongly recommend Single Sign-On (SSO) for Orgvue authentication, local password authentication is supported with the following policy:
Minimum 8 character passwords
At least one alpha and at least one numeric or special character
Automatic password expiration is not supported
Customers are responsible for managing access control to their Orgvue environments. In managing access control, Orgvue customers are responsible for account creation, disablement and access reviews, in line with their own standard Joiner Mover Leaver processes. This is also outlined in the agreement through clauses 6.8 - 6.12 of the Orgvue security provisions.
Yes, Role-Based Access Control (RBAC) is supported within the Orgvue application.
Within the AWS infrastructure environment, IAM (Identity and Access Management) is used with strict policies for segregation of duties, and the principle of least privilege is applied to control Orgvue administrator access to the underlying AWS infrastructure. Multi-Factor Authentication has been implemented for all privileged access by Orgvue administrators.
From an Orgvue organizational perspective, access control is formally governed through the Orgvue Access Control Policy and complemented by the Orgvue Password Policy. Multi-Factor Authentication is in place for Orgvue company Active Directory authentication. Departing Orgvue employee accounts are disabled on the date of departure. The principle of least privilege is enforced throughout the organization and maintained through regular application access reviews.