Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt

Use this file to discover all available pages before exploring further.

Who Scale Is For

Scale runs your Provisionr workspace on dedicated AWS infrastructure — an always-on Fargate container with its own database, encryption keys, and storage — fully managed by Provisionr. Your team gets the same user experience as Growth, just on AWS instead of GCP, without having to manage any AWS infrastructure yourself.
Want to use AWS eventually but get started today? Create a Baseline or Growth workspace in your preferred GCP region and we can migrate your database to AWS later after your Scale workspace is active. Your policies, configurations, and audit history move with you.
Growth and Scale offer comparable infrastructure isolation, security controls, and compliance certifications (SOC 2 Type II, ISO 27001, HIPAA). The differences are the cloud provider, sync frequency, and always-on compute. Scale is the right choice if your organization requires:
  • Workloads running on AWS in the US or EU
  • An always-on container with no cold start delays
  • Sync every 3 hours — the highest frequency before vendor rate limits
  • Continuous just-in-time access expiration for time-limited group memberships
  • Fully managed infrastructure with no AWS expertise required from your team
Looking for more control over your AWS infrastructure? See the Sovereign Plan that allows you to deploy into any AWS region with your own AWS account, with the option to self-manage or have a Provisionr Professional Services partner manage your infrastructure.

Plan Comparison

GrowthScaleSovereign
Pricing$100 per
100 policies		$2,000/mo Flat~$3,600/mo
($5/hr Marketplace)
Active PoliciesPay-as-you-growUnlimitedUnlimited
Sync FrequencyEvery 24 hoursEvery 3 hoursEvery 3 hours
JIT Access Expiration≤24 hours≤60 mins≤60 mins
Audit Log Retention3 years3 yearsCustom
InfrastructureIsolated GCP
(Provisionr project)		Isolated AWS
(Provisionr account)		Dedicated AWS
(Customer account)
Infrastructure CostsIncludedIncludedYour responsibility
Avg ≤$500/mo
Managed byProvisionrProvisionrYou (or a partner)
High availabilityYour responsibility
Region choiceGCP 8 regionsAWS US or EU
GCP 8 Regions		Any AWS region
Cloudflare edge protectionOpt-In
AWS EDP eligiblePrivate Offer

Pricing Model

The Scale Plan is a flat-rate $2,000/mo or $20,000/yr — no metering, no usage-based charges, no surprises. The flat rate covers your dedicated infrastructure and the Provisionr license for unlimited policies with Policy Control. Annual billing saves $4,000 (17%) compared to monthly billing — two months free. AWS Marketplace: You can purchase your Scale license and add-ons through a private offer on the AWS Marketplace or directly through Provisionr. The AWS Marketplace option allows you to use your AWS credits and have the cost show up on your AWS bill, while the direct option allows you to pay by credit card or invoice and have the cost show up on your Provisionr bill.

Add-Ons

There are no additional charges based on policy count, user count, or sync frequency. The following SKUs are available as add-ons:
  • Priority Support - $500 per month or $5,000 per year
    • 2-hour response SLA for yellow alerts incidents during business hours (M-F 9am-5pm US Central Time)
    • 4-hour response SLA for support tickets during business hours
    • 8-hour response SLA for incidents and support tickets outside of business hours
  • Advisor Services - $1,000 per engagement or $10,000 per year
    • Dedicated account manager who knows your workspace and provides personalized support
    • Collaborative quarterly business reviews with product roadmap insights and feedback sessions
    • Ad hoc consultations and proactive recommendations as your use of Provisionr evolves
    • Audit and compliance support with optional bespoke training sessions for your team
  • Professional Services
    • Dedicated support for large-scale rollouts and migrations
    • Migrating from checklists and spreadsheets to Provisionr policies
    • Custom policy design and implementation for complex use cases
    • Virtual training sessions for your team

How to Purchase

Scale is not available for self-service sign up in Workspace HQ. Please email sales@provisionr.io to inquire about purchasing Scale. We will discuss your requirements, confirm that Scale is the right fit for you, and send you a private offer through AWS Marketplace or a direct invoice depending on your preference.
Want to move to AWS eventually but get started today? Create a Growth workspace in your preferred GCP region and migrate your database to Scale later. Your policies, configurations, and audit history move with you.

Regions

You can create your workspace in the US or EU region. Workspaces are deployed in a Provisionr-managed Amazon Web Services (AWS) account. Looking for additional AWS regions or using your own account? See the Sovereign Plan that allows you to deploy into any AWS region within your own account.
us

U.S.


eu

E.U.


Looking for GCP regions? See the Growth Plan that has pay-as-you-grow pricing in 8 regions.

Sync Frequency

With Growth, the scheduled sync runs once a day at a time you specify. With Scale, it runs every 3 hours — the highest frequency supported before hitting vendor rate limits on connected identity systems like Google Workspace, Okta, and Slack.

Just-in-Time Access Expiration

The always-on container lets Provisionr run continuous background jobs that evaluate and revoke time-limited group memberships in near real-time, rather than waiting for the next scheduled sync window. For organizations managing temporary access grants, contractor offboarding, or time-boxed elevated permissions, this is a meaningful security improvement over daily sync.

Resource Isolation

Scale workspaces run on isolated AWS resources within Provisionr’s managed AWS account. While multiple Scale tenants coexist in the same AWS account, every workspace has its own isolated stack — no data, compute, or encryption resources are shared between tenants. 
Provisionr Scale AWS Account (Shared Account, Isolated Workspaces)

├── Shared Infrastructure (amortized across all tenants)
│   ├── VPC and private subnets (multi-AZ)
│   ├── NAT Gateways (multi-AZ, outbound traffic routing)
│   ├── CloudWatch (centralized monitoring and alerting)
│   └── AWS Config, CloudTrail, GuardDuty (account-level compliance logging)

└── Your Workspace (isolated resources — exclusive to your organization)
    ├── Fargate Container (compute — your workspace only, not shared)
    ├── RDS PostgreSQL (your database — isolated, Multi-AZ with automatic failover)
    ├── S3 Bucket (your audit log and export storage — not shared)
    ├── KMS Key (your encryption key — unique per workspace, not shared)
    └── Secrets Manager (your credentials — isolated per workspace)
Shared infrastructure resources — VPC, NAT gateways, CloudWatch, and account-level compliance logging — carry no tenant data and have no visibility into your workspace. They handle network routing, observability, and compliance logging on behalf of Provisionr’s operations team. Every resource that touches your data is exclusively yours. Your RDS instance, Fargate container, KMS key, S3 bucket, and Secrets Manager entries are scoped to your workspace alone. IAM policies enforce these boundaries at the AWS level — no other tenant can access your workspace resources.

High Availability and Disaster Recovery

Provisionr configures automatic failover at the database and compute layers. If an availability zone becomes unavailable, your workspace continues operating without intervention. Provisionr monitors your infrastructure around the clock and responds to incidents on your behalf.

Cloudflare Edge Protection

Scale workspaces can optionally route traffic through Cloudflare’s global network for edge-level protection, including:
  • DDoS mitigation
  • Web Application Firewall (WAF) with managed rulesets
  • Bot protection and rate limiting
  • TLS termination at the edge with HTTP/2 and HTTP/3 support
  • Global CDN caching for static assets
Cloudflare is opt-in for Scale. Some organizations prefer direct AWS routing for compliance or network policy reasons — particularly those with strict egress controls or traffic boundary requirements. Provisionr fully supports both configurations and can discuss your preference during onboarding.

Shared Responsibility Model

Provisionr is fully responsible for your infrastructure on Scale. Your team interacts with Provisionr the same way a Growth customer does — through Workspace HQ, the CLI, and the API. Provisionr fully abstracts the infrastructure layer. Provisionr handles:
  • Infrastructure provisioning and ongoing maintenance
  • Security patching and OS updates
  • Database backups and point-in-time recovery
  • Version upgrades deployed on the standard release schedule
  • Uptime monitoring and incident response
  • Capacity scaling as your usage grows