Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt

Use this file to discover all available pages before exploring further.

Who Growth Is For

Growth runs your Provisionr workspace on serverless GCP infrastructure using Cloud Run containers that scale to zero when idle. You get pay-as-you-grow pricing starting at $100/mo for up to 100 policies, with no cap — add more as you automate more groups.
Get started for free with the Free Plan with up to 10 active policies and on-demand sync on the same isolated GCP infrastructure as Growth.
Growth offers the same tenant isolation, security controls, and compliance certifications (SOC 2 Type II, ISO 27001, HIPAA) as Scale and Sovereign. The differences are the cloud provider, sync frequency, and serverless compute model. Growth is the right choice if your organization requires:
  • Cost-efficient, pay-as-you-grow pricing with no minimum commitment
  • GCP infrastructure in one of 8 global regions
  • Daily scheduled sync with on-demand sync available anytime via CLI
  • Self-service sign-up — create your workspace in Workspace HQ and start building policies immediately
  • Fully managed infrastructure with no cloud expertise required from your team

Plan Comparison

GrowthScaleSovereign
Pricing$100 per
100 policies		$2,000/mo Flat~$3,600/mo
($5/hr Marketplace)
Active PoliciesPay-as-you-growUnlimitedUnlimited
Sync FrequencyEvery 24 hoursEvery 3 hoursEvery 3 hours
JIT Access Expiration≤24 hours≤60 mins≤60 mins
Audit Log Retention3 years3 yearsCustom
InfrastructureIsolated GCP
(Provisionr project)		Isolated AWS
(Provisionr account)		Dedicated AWS
(Customer account)
Infrastructure CostsIncludedIncludedYour responsibility
Avg ≤$500/mo
Managed byProvisionrProvisionrYou (or a partner)
High availabilityYour responsibility
Region choiceGCP 8 regionsAWS US or EU
GCP 8 Regions		Any AWS region
Cloudflare edge protectionOpt-In
AWS EDP eligiblePrivate Offer

Regions

You can choose any of our Google Cloud Platform (GCP) data residency regions.
us

U.S.


eu

E.U.


ca

Canada


au

Australia


mx

Mexico


jp

Japan


br

Brazil


in

India


Looking for AWS regions? AWS does not offer comparable scale-to-zero infrastructure that we have with GCP for pay-as-you-grow pricing. Check out the Scale or Sovereign plans that offer unlimited policies with always-on infrastructure starting at $2,000/mo.

Pricing

Policy Control on the Growth plan costs $1 USD per active policy per month, bundled in increments of 100 policies at $100 USD/mo. There is a $100 USD minimum and no cap so you can simply pay-as-you-grow.
Active PoliciesMonthly PriceAnnual PriceAnnual Savings (17%)
1-10FreeFree
11-50$20/mo (Baseline)$200/yr
51-100$100/mo$1,000/yr($200)
101-200$200/mo$2,000/yr($400)
201-300$300/mo$3,000/yr($600)
301-400$400/mo$4,000/yr($800)
401-500$500/mo$5,000/yr($1,000)
501-600$600/mo$6,000/yr($1,200)
601-700$700/mo$7,000/yr($1,400)
701-800$800/mo$8,000/yr($1,600)
801-900$900/mo$9,000/yr($1,800)
901-1,000$1,000/mo$10,000/yr($2,000)
1,001-1,100$1,100/mo$11,000/yr($2,200)
1,101-1,200$1,200/mo$12,000/yr($2,400)
1,201-1,300$1,300/mo$13,000/yr($2,600)
1,301-1,400$1,400/mo$14,000/yr($2,800)
1,401-1,500$1,500/mo$15,000/yr($3,000)
1,501-1,600$1,600/mo$16,000/yr($3,200)
1,601-1,700$1,700/mo$17,000/yr($3,400)
1,701-1,800$1,800/mo$18,000/yr($3,600)
1,801-1,900$1,900/mo$19,000/yr($3,800)
1,901-2,000$2,000/mo$20,000/yr($4,000)
2,001++$100/mo per 100

Active Policy Count

An active policy is any ruleset that is actively managing a group or resource by syncing members based on rules and conditions you define. If you have 42 Google Groups with a policy ruleset, that’s 42 active policies. Each Google Group, Okta Group, Slack User Group, or GitLab Group you automate counts as one active policy. Although Directory Attributes use policies to define and manage user attributes, they do not count towards your active policy total for billing purposes. You can create staged policies to design rules and conditions. This does not count towards your policy limit until you activate the policy and start syncing users. See the Policies & Rules to learn more.

Estimating Policy Count

How many policies do I need? What does that even mean?
How many Okta applications do you have? How many Google Groups, GitLab Groups, or Slack User Groups do you need to manage? Each group that you automate with Provisionr requires one active policy. If your list in the hundreds or thousands, you’re not alone! Implementing policies takes time. You should start with your “top 10” list of the groups that are causing you the most pain today and scale as you automate more later. After you enable each vendor integration, you will be able to see the number of existing groups in your directory and how many of them are currently managed by Provisionr. This will help you estimate how many policies you need to automate the rest of your groups. The Free plan includes 10 active policies with on-demand sync. Baseline adds up to 50 policies with weekly sync for $20/mo. Growth adds daily sync and costs $100/mo per 100 policies with no cap. Scale and Sovereign include unlimited policies at a flat monthly rate.

Add-Ons

You can purchase as many policies as needed for your organization, and the price scales predictably as you grow. See the upgrade docs for details on how to upgrade your plan as your needs grow. You can downgrade at any time if you need to scale back down. There are no additional charges for users, integrations, or sync frequency on the Growth plan. You only pay for the number of active policies, so you can create as many policies as you need to model your access control use cases without worrying about user count or sync frequency. The following SKUs are available as add-ons:
  • Priority Support - $500 per month or $5,000 per year
    • 2-hour response SLA for yellow alerts incidents during business hours (M-F 9am-5pm US Central Time)
    • 4-hour response SLA for support tickets during business hours
    • 8-hour response SLA for incidents and support tickets outside of business hours
  • Advisor Services - $1,000 per engagement or $10,000 per year
    • Dedicated account manager who knows your workspace and provides personalized support
    • Collaborative quarterly business reviews with product roadmap insights and feedback sessions
    • Ad hoc consultations and proactive recommendations as your use of Provisionr evolves
    • Audit and compliance support with optional bespoke training sessions for your team
  • Professional Services
    • Dedicated support for large-scale rollouts and migrations
    • Migrating from checklists and spreadsheets to Provisionr policies
    • Custom policy design and implementation for complex use cases
    • Virtual training sessions for your team

Sync Frequency

Provisionr runs a scheduled sync once per day at a time you choose. During each sync, Provisionr connects to all integrated identity systems — Google Workspace, Okta, Slack, GitLab — and reconciles group membership against your policies. You can also trigger an on-demand sync for any individual policy at any time using the CLI, so you are never blocked waiting for the next scheduled window.
Need higher sync frequency? The Scale Plan syncs every 3 hours with continuous just-in-time access expiration for time-limited group memberships.

Resource Isolation

Growth workspaces run on GCP infrastructure within Provisionr’s managed GCP projects. While multiple Growth tenants coexist in the same GCP project, every workspace has its own isolated compute, database, and encryption — no data or application state is shared between tenants. 
Provisionr Growth GCP Project (Shared Project, Isolated Workspaces)

├── Shared Infrastructure (amortized across all tenants)
│   ├── Cloud SQL PostgreSQL instance (shared instance, isolated databases)
│   ├── Artifact Registry (container images)
│   ├── Cloud Scheduler (sync job orchestration)
│   └── Cloudflare (edge routing, DDoS, WAF)

└── Your Workspace (isolated resources — exclusive to your organization)
    ├── Cloud Run Service (compute — your container only, not shared)
    ├── PostgreSQL Database (your database — isolated within Cloud SQL)
    ├── APP_KEY in Secret Manager (your encryption key — unique per workspace)
    └── Subdomain (your workspace URL — {slug}.provisionr.app)
Shared infrastructure resources — the Cloud SQL instance, Artifact Registry, and Cloud Scheduler — carry no cross-tenant data visibility. The Cloud SQL instance hosts multiple databases, but each tenant’s database is isolated with its own credentials. One tenant cannot query another tenant’s database. Every resource that touches your data is exclusively yours. Your Cloud Run container, PostgreSQL database, encryption key, and secrets are scoped to your workspace alone. GCP IAM policies and Cloud SQL Auth Proxy enforce these boundaries — no other tenant can access your workspace resources.

Cloudflare Edge Protection

All Growth workspace traffic routes through Cloudflare’s global network before reaching GCP, providing:
  • DDoS mitigation
  • Web Application Firewall (WAF) with managed rulesets
  • Bot protection and rate limiting
  • TLS termination at the edge with HTTP/2 and HTTP/3 support
  • Global CDN caching for static assets
  • Tenant routing via Cloudflare Worker with cold start handling
Cloudflare is enabled by default on all Growth workspaces — no configuration required. You can opt-out of using Cloudflare on Scale and Sovereign if you prefer to route directly to AWS, but Growth workspaces must use Cloudflare for edge protection and routing.

High Availability

Cloud Run handles compute availability automatically — containers scale across zones within the region and restart on failure without manual intervention. Provisionr configures Cloud SQL with regional automatic failover across availability zones. Database backups replicate to a secondary region within the same geographic area (shown in the region cards above — for example, Iowa primary with Oregon backups). Availability Zone Outage: If an availability zone becomes unavailable, your workspace continues operating with minimal or no downtime. Short Term Region Outage: If a region becomes unavailable, Provisionr can failover your workspace to the backup region where your database backups are stored at. For short term outages, your workspace data will be available in a read-only capacity without sync enabled (identical to a blue alert incident) until the primary region is restored. Cloudflare Edge Protection: All Growth workspace traffic routes through Cloudflare’s global network before reaching GCP, providing DDoS mitigation, WAF, bot protection, and TLS termination at the edge to protect against network-level disruptions. If Cloudflare has an outage, your workspace will be unavailable until traffic can reach Cloud Run, but your data and infrastructure remain unaffected. For outages lasting more than 8 hours, we will provide a temporary alternate domain in Provisionr HQ that routes traffic directly through GCP load balancers to Cloud Run while Cloudflare is being restored. This is not an automatic failover and requires manual intervention from the Provisionr team, but we have runbooks in place to execute this process within a reasonable timeframe to minimize disruption.

Disaster Recovery

Long Term Region Transition: If the primary region outage is expected to be long term (more than 24 hours), we can enable read-write in the backup region where your database backups are stored. This process is not automatic and requires manual intervention from the Provisionr team, but we have runbooks in place to execute this failover within a reasonable timeframe to minimize disruption.

Shared Responsibility Model

Provisionr is fully responsible for your infrastructure on Growth. Your team interacts with Provisionr through Workspace HQ, the CLI, and the API. Provisionr fully abstracts the infrastructure layer. Provisionr handles:
  • Infrastructure provisioning and ongoing maintenance
  • Security patching and OS updates
  • Database backups and point-in-time recovery
  • Version upgrades deployed on the standard release schedule
  • Uptime monitoring and incident response
  • Capacity scaling as your usage grows