Orgvue Access Control

Owned by Paul Coleman
Last updated: 11 Nov 2022

Who can see my data in Orgvue?

Only authenticated users within a customer’s tenant can view customer data in Orgvue. By default, Orgvue employees do not maintain any access to customer data. The only mechanism for Orgvue employees to view Orgvue customer data is for the customer to create a user account for an Orgvue employee within their tenant.

Can Orgvue’s suppliers see my data in Orgvue?

Orgvue sub-processors are published at Orgvue sub-processors | Orgvue Of these:

  • Amazon Web Services provides hosting services only and has no access to Orgvue customer data

  • Pendo may have access to Orgvue user email addresses. This processing of Orgvue customer email addresses is disabled by default and enabled only in combination with Orgvue customer authorization, which is managed through the Data Processing Agreement.

Does Orgvue support Single Sign-On (SSO)?

Yes, Orgvue supports and strongly recommends the use of Single Sign-On (SSO). SAML 2.0 is supported.

Does Orgvue support Multi-Factor Authentication (MFA)?

While Orgvue does not natively support MFA, this is by design as Orgvue’s preference is for our customers to manage their own authentication controls. Customers can extend MFA to Orgvue in combination with Single Sign-On, where a customer supports SSO + MFA internally within their own organization.

What is the password policy for Orgvue?

While we strongly recommend Single Sign-On (SSO) for Orgvue authentication, local password authentication is supported with the following policy:

  • Minimum 8 character passwords

  • At least one alpha and at least one numeric or special character

  • Automatic password expiration is not supported

Who is responsible for managing access control to customer Orgvue tenants?

Customers are responsible for managing access control to their Orgvue environments. In managing access control, Orgvue customers are responsible for account creation, disablement and access reviews, in line with their own standard Joiner Mover Leaver processes. This is also outlined in the agreement through clauses 6.8 - 6.12 of the Orgvue security provisions | Orgvue

Does Orgvue support Role-Based Access Control (RBAC)?

Yes, Role-Based Access Control (RBAC) is supported within the Orgvue application.

Orgvue is hosted on AWS, how is access to AWS infrastructure controlled for Orgvue employees and across the Orgvue organization?

Within the AWS infrastructure environment, IAM (Identity and Access Management) is used with strict policies for segregation of duty, with the principle of least privilege carefully addressed to control Orgvue administrator access to underlying AWS infrastructure. Multi-Factor Authentication has been implemented for all privileged access by Orgvue administrators.

From an Orgvue organizational perspective, access control is formally governed though the Orgvue Access Control Policy and complemented by the Orgvue Password Policy. Multi-Factor Authentication is in place for Orgvue company Active Directory authentication. Departing Orgvue employee accounts are disabled on date of departure. The principle of least privilege is enforced throughout the organization and maintained through regular application access reviews.