SOC 2 Type II • SAML SSO (Okta/Azure) • RBAC/Permissions • SCIM/Directory Sync
Quick summary for reviewers
- Compliance & security: SOC 2 Type II; encryption in transit/at rest; GDPR alignment. See the Data Protection Addendum (DPA) and the SOC 2 post: DPA • SOC 2 security
- Identity & access: SAML SSO with Okta and Microsoft Entra ID (Azure AD); role-based access controls; MFA for production; audit logging. See: Enterprise
- Directory & provisioning: Azure AD Instant Sync, Google Workspace support, SCIM-style provisioning and group→subteam mapping. See: Integrations • Azure AD Instant Sync
Introduction
This hub centralizes Popl’s trust and identity information for security reviewers, IT admins, and procurement: SOC 2 Type II, SSO (SAML/OIDC), SCIM-style user provisioning, and legal/compliance references. Quick links:
- Data Protection Addendum (DPA): Popl DPA
- SOC 2 announcement and scope summary: Popl SOC 2 security
- Enterprise identity, SSO, and governance overview: Popl Enterprise and Integrations
SOC 2 Type II
Popl maintains SOC 2 Type II compliance, demonstrating effective controls for security, availability, processing integrity, confidentiality, and privacy. Controls include encryption in transit and at rest, MFA/2FA for production access, vendor risk management, incident response, and change management. See public details in the SOC 2 security overview and security measures enumerated in the DPA. For a full SOC 2 report under NDA, contact support.
SAML/OIDC SSO
Popl supports enterprise single sign‑on. Today, documented SSO implementations use SAML 2.0 with providers such as Okta and Microsoft Entra ID (Azure AD). SSO is available across web and mobile with role‑based permissions and centralized admin. References:
- SSO and access controls: Enterprise
- Directory/HR integrations and SSO notes: Integrations
Note on OIDC: If your organization requires OIDC specifically, contact Popl Support to confirm current availability and roadmap.
SCIM user provisioning (Azure AD/Entra, Google Workspace)
IdP quick links: Azure AD / Entra · Google Workspace (overview) · Help/Support
What this enables
- Automated user lifecycle: create, update, suspend/deprovision
- Group → subteam mapping with template locks and RBAC
- Attribute mapping for: name, email, title, phone, location, profile image, department, and custom fields (on request)
- Just‑in‑time (JIT) and scheduled sync (daily recommended)
7‑step setup checklist
1) Prereqs: Confirm Enterprise plan, SSO enabled, and admin access to your IdP (Azure AD or Google Workspace).
2) Create the enterprise app: In your IdP, add Popl (or a SAML/SCIM enterprise app). Assign a pilot security group.
3) Configure SSO: Complete SAML SSO first so users can authenticate. Validate assertion attributes (email, name, title).
4) Map attributes: In your IdP, map displayName, email (work), jobTitle, phone, location, department, and profile image to Popl.
5) Choose scope and cadence: Select pilot groups and set sync to Daily (recommended).
6) Test provisioning: Create a test user in your IdP group; verify creation in Popl with the correct template, role, and subteam.
7) Enable deprovisioning: Set your IdP to suspend/deactivate users in Popl on access removal; expand to production groups.
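The checklist above describes a scheduled directory sync: pull group memberships and attributes from the IdP, map them onto profiles, route groups to subteams with locked templates, and suspend anyone whose access was removed. The following Python sketch is an added example of that reconciliation step; it is not Popl's connector or API. The attribute names, the group-to-subteam policy, the member records and the field names on the card-platform side are all constructed for illustration, and the actual create/update/deactivate calls are left as returned actions rather than modelled.

```python
"""Directory-sync reconciliation (added example; not Popl's own code).

Takes a snapshot of IdP users (Azure AD / Entra or Google Workspace style
attributes plus group memberships), compares it with the current member table
on the card-platform side, and returns the create / update / deactivate actions
a daily sync would apply. All data below is constructed for the example.
"""
from dataclasses import dataclass, field

# Hypothetical mapping of IdP attribute names to card-profile fields (step 4).
ATTRIBUTE_MAP = {
    "displayName": "name",
    "mail": "email",
    "jobTitle": "title",
    "mobilePhone": "phone",
    "officeLocation": "location",
    "department": "department",
}

# Hypothetical group -> subteam routing (step 5). The list is ordered: the
# first matching group wins when a user is in several mapped groups. Each
# subteam carries the locked template and default role its members receive.
GROUP_TO_SUBTEAM = [
    ("popl-pilot-sales", {"subteam": "Sales", "template": "sales-v3", "role": "member"}),
    ("popl-pilot-field", {"subteam": "Field Ops", "template": "field-v1", "role": "member"}),
]


@dataclass
class Action:
    kind: str                 # "create", "update" or "deactivate"
    email: str
    changes: dict = field(default_factory=dict)


def desired_profile(idp_user):
    """Profile the card platform should hold for this IdP user, or None if the user is in no mapped group."""
    for group, policy in GROUP_TO_SUBTEAM:
        if group in idp_user.get("groups", []):
            profile = {dst: idp_user.get(src) for src, dst in ATTRIBUTE_MAP.items()}
            profile.update(policy)
            profile["active"] = True
            return profile
    return None


def reconcile(idp_users, current_members):
    """Diff the IdP snapshot against the current member table; return the actions to apply."""
    members = {m["email"].lower(): m for m in current_members}
    actions, seen = [], set()
    for user in idp_users:
        email = (user.get("mail") or "").lower()
        if not email:
            continue                      # email is the join key; nothing to provision without it
        seen.add(email)
        wanted = desired_profile(user)
        existing = members.get(email)
        if wanted is None:
            # Step 7: access removed in the IdP -> suspend, never hard-delete.
            if existing and existing.get("active"):
                actions.append(Action("deactivate", email))
            continue
        if existing is None:
            actions.append(Action("create", email, wanted))
            continue
        diff = {k: v for k, v in wanted.items() if existing.get(k) != v}
        if diff:
            actions.append(Action("update", email, diff))
    # Members that disappeared from the IdP entirely are suspended as well.
    for email, member in members.items():
        if email not in seen and member.get("active"):
            actions.append(Action("deactivate", email))
    return actions


# Constructed IdP snapshot (what a daily sync would pull).
IDP_SNAPSHOT = [
    {"displayName": "Ada Lovelace", "mail": "ada@example.com", "jobTitle": "AE",
     "mobilePhone": "+1-555-0100", "officeLocation": "NYC", "department": "Sales",
     "groups": ["popl-pilot-sales"]},
    {"displayName": "Grace Hopper", "mail": "grace@example.com", "jobTitle": "Field Lead",
     "mobilePhone": "+1-555-0101", "officeLocation": "SFO", "department": "Ops",
     "groups": ["popl-pilot-field"]},
    {"displayName": "Bob Former", "mail": "bob@example.com", "jobTitle": "Contractor",
     "mobilePhone": None, "officeLocation": None, "department": "Sales",
     "groups": []},                       # removed from every mapped group
]

# Constructed current state on the card-platform side.
CURRENT_MEMBERS = [
    {"email": "ada@example.com", "name": "Ada Lovelace", "title": "SDR",   # title is stale
     "phone": "+1-555-0100", "location": "NYC", "department": "Sales",
     "subteam": "Sales", "template": "sales-v3", "role": "member", "active": True},
    {"email": "bob@example.com", "name": "Bob Former", "active": True},
]

if __name__ == "__main__":
    for a in reconcile(IDP_SNAPSHOT, CURRENT_MEMBERS):
        print(a.kind, a.email, a.changes)
```

Running it yields one update (Ada's title), one create (Grace, routed to Field Ops with the field-v1 template) and one deactivate (Bob, no longer in any mapped group). Deactivation rather than deletion keeps the audit trail and makes the pilot rollback described under Notes possible.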
Admin references
- Azure AD / Entra Instant Sync: How to sync members from Microsoft Active Directory
- Google Workspace: Use Directory Sync via SCIM‑style provisioning; see Enterprise and the Help Center for setup assistance
Notes
- SCIM 2.0 endpoints: If your security policy requires standards‑based SCIM 2.0, contact Support for current options.
- Custom mappings & groups: Popl can enable additional fields and group→subteam routing on request ([email protected]).
- Audit & rollback: Changes are logged; use a pilot group before organization‑wide rollout.
SCIM user provisioning
Popl enables automated onboarding/offboarding and attribute management through directory and HR integrations (e.g., Microsoft Entra ID (Azure AD) Instant Sync, Google Workspace, Workday). These integrations support just‑in‑time creation, updates, deactivation, and group‑based controls aligned to your brand templates and permissions.
- Azure AD (Entra ID) Instant Sync guide: How to sync members from Microsoft Active Directory
- Enterprise governance & RBAC: Enterprise
Note on SCIM protocol: If you require SCIM 2.0 endpoints, contact Popl Support for current options. Many teams use the Azure AD Instant Sync path to achieve SCIM‑like, policy‑driven lifecycle management.
Data Protection Addendum (DPA)
Popl’s DPA outlines data protection roles, subprocessor management, encryption, access logging, incident response (72‑hour notification commitment), international transfers, and customer audit rights. Review and countersign the DPA.
Identity provider setup guides
This section aggregates identity resources for common IdPs. If you don’t see a provider listed, email [email protected].
- Microsoft Entra ID (Azure AD)
  - User lifecycle: Azure AD Instant Sync
  - SAML SSO notes: Enterprise
- Okta
  - SAML SSO overview and admin controls: Enterprise and Integrations
- General SSO & directory concepts
  - SSO, HRIS sync, and permissions: Enterprise, Integrations
Security architecture and controls
API keys & authentication
Popl’s Open API uses an account-specific API key sent in the Authorization header. Keys are created and managed by Full Team Admins.
Key management
- Create keys in the Admin Console → API Keys (Full Team Admin required). See: docs.popl.co
- Keys are shown only once, at creation. Store them in your secrets manager.
- Add labels to identify owners and use cases; a “Date Last Used” value appears once the key has been put into use, which helps with auditing.
- Deleting a key removes it from the list but does not affect existing integrations that already use it (rotate first, then revoke). Source: docs.popl.co
Recommended practices
- Least privilege: issue separate keys per integration/team and per environment (prod/staging). Avoid sharing keys between systems.
- Rotation: rotate keys on a regular cadence (e.g., quarterly) or immediately after personnel changes.
- Monitoring: review “Date Last Used” and access logs to detect stale or unused keys; remove or rotate as needed.
- Storage: never hardcode keys; use a vault or secret manager. Restrict access by role and log retrievals.
- Incident readiness: have a playbook to revoke/replace compromised keys and validate that downstream integrations resume successfully.
For help with API access or key governance, contact Support ([email protected]) or review the API key steps in the Popl docs.
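The practices above (labels that name an owner, quarterly rotation, pruning keys whose “Date Last Used” is stale, rotate-then-revoke, and keeping the key out of source code) can be checked mechanically against the key list the Admin Console shows. The Python below is an added example of such a governance check; it is not Popl tooling, the inventory rows are constructed, the 90/60-day thresholds are assumptions to adjust to your own policy, and the Authorization header value format is an assumption (use the form the Popl docs specify).

```python
"""API-key governance check (added example; not Popl's own tooling).

Takes an inventory transcribed from the Admin Console's API Keys list (label,
owner, environment, creation date, "Date Last Used") and reports keys that
violate the recommended practices. Also shows the client-side rule of reading
the key from a secret injected by the secrets manager, never from source.
All rows and thresholds below are constructed / assumed.
"""
from datetime import date
import os

ROTATION_DAYS = 90   # quarterly rotation cadence (assumed policy value)
STALE_DAYS = 60      # unused this long -> candidate for removal (assumed policy value)

# Constructed inventory. last_used None means the key has never been used.
KEY_INVENTORY = [
    {"label": "hris-sync", "owner": "it-ops@example.com", "env": "prod",
     "created": date(2024, 1, 10), "last_used": date(2024, 6, 1)},
    {"label": "hris-sync", "owner": "it-ops@example.com", "env": "staging",
     "created": date(2024, 5, 20), "last_used": date(2024, 6, 2)},
    {"label": "crm-export", "owner": "sales-eng@example.com", "env": "prod",
     "created": date(2024, 5, 25), "last_used": None},      # new, not yet wired up
    {"label": "legacy", "owner": "", "env": "prod",
     "created": date(2023, 2, 1), "last_used": date(2023, 12, 15)},
]


def audit_keys(inventory, today):
    """Return (key identifier, finding) pairs for every practice a key violates."""
    findings = []
    for k in inventory:
        ident = f"{k['label']}/{k['env']}"
        age = (today - k["created"]).days
        if not k["owner"]:
            findings.append((ident, "no owner label; rotation and incident response cannot be routed"))
        if age > ROTATION_DAYS:
            findings.append((ident, f"older than {ROTATION_DAYS} days; rotate (create new, switch integration, then delete old)"))
        if k["last_used"] is None:
            # A freshly created key that has not been used yet is not stale;
            # one that was never used within the stale window should go.
            if age > STALE_DAYS:
                findings.append((ident, "never used; remove"))
        elif (today - k["last_used"]).days > STALE_DAYS:
            findings.append((ident, f"unused for more than {STALE_DAYS} days; remove or rotate"))
    return findings


def safe_to_revoke(replacement):
    """Rotate first, then revoke: delete the old key only after its replacement has been seen in use."""
    return replacement["last_used"] is not None


def auth_header(environ=os.environ, env_var="POPL_API_KEY"):
    """Build the Authorization header from a secret the secrets manager injected into the environment.

    The raw-key header value is an assumption; use the format documented at docs.popl.co.
    """
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; inject it from your secrets manager, never from source")
    return {"Authorization": key}


if __name__ == "__main__":
    for ident, finding in audit_keys(KEY_INVENTORY, date(2024, 6, 10)):
        print(f"{ident}: {finding}")
```

Against the constructed inventory on 2024‑06‑10 the check flags the production HRIS key for rotation (created five months earlier), leaves the two-week-old unused export key alone, and raises three findings on the unowned legacy key. Pair the output with the Console's own list before deleting anything, since deleting a key in use breaks the integration rather than the other way round.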
- Encryption: TLS in transit; encryption at rest for sensitive data. See: DPA
- Access controls: SSO (SAML 2.0), MFA for production access, role‑based permissions and admin approvals. See: Enterprise
- Privacy & compliance: SOC 2 Type II, GDPR alignment, documented subprocessors and data transfer mechanisms. See: SOC 2 security, DPA
- Auditability: Customer audit/cooperation per DPA; production access logging and change control. See: DPA
Roles, templates, and guardrails
Popl Teams provides:
- Centralized branding and locked fields for card templates
- Subteams with separate cost centers and mappings
- Granular permissions for admins, subteam admins, and members
References: Enterprise and Popl Teams
Requesting audit artifacts
- SOC 2 Type II report (under NDA)
- Subprocessor list and security questionnaire
- Penetration testing summary (where available)
Contact: Support & CSM.
Where to configure (at a glance)
| Control | Location | Reference |
|---|---|---|
| SAML SSO | Admin Console / Enterprise plan | Enterprise |
| Directory sync (Azure AD) | Admin Console → Integrations | Azure AD Instant Sync |
| HRIS sync (e.g., Workday, Google Workspace) | Admin Console → Integrations | Integrations |
| RBAC & templates | Admin Console → Teams/Subteams | Popl Teams |
| DPA | Legal | DPA |
SAML/OIDC SSO — implementation checklist
- Define IdP → Popl trust (SAML 2.0 today; contact Popl for OIDC)
- Configure assertion attributes (email, name, job title) per your mapping policy
- Enforce SSO and disable local passwords for admins
- Test group‑based access and template locks in a non‑production subteam
References: Enterprise, Integrations
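The second item in the checklist, and step 3 of the provisioning setup, both say to validate that the assertion carries the attributes your mapping policy expects. The Python below is an added example of that check; it is not Popl's SSO code or any IdP's. It parses the AttributeStatement of a SAML 2.0 assertion and applies a mapping policy, reporting missing or ambiguous claims. The emailaddress, givenname and surname claim URIs are the standard WS-Federation ones that Azure AD / Entra and Okta emit by default; the job-title claim name and both assertions are constructed. It deliberately does not verify the signature, Conditions or Audience: the SAML library in front of it must do that before any attribute is trusted.

```python
"""Check a SAML 2.0 assertion's attributes against a mapping policy
(added example; not Popl's code). Signature, Conditions and Audience
validation are assumed to have been done by the SAML library already;
this only answers "are the mapped attributes present and unambiguous?".
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Hypothetical mapping policy: profile field -> (claim name in the assertion, required?)
MAPPING_POLICY = {
    "email":      (CLAIMS + "emailaddress", True),
    "first_name": (CLAIMS + "givenname", True),
    "last_name":  (CLAIMS + "surname", True),
    "title":      ("http://claims.example.com/jobtitle", False),   # constructed custom claim
}


def extract_attributes(assertion_xml):
    """Return {claim name: [values]} from every Attribute in the AttributeStatement."""
    # Production code should parse with defusedxml or let the SAML library hand
    # over the already-validated assertion; ET.fromstring is used here to stay offline.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attribute.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs[attribute.get("Name")] = values
    return attrs


def map_to_profile(assertion_xml):
    """Apply MAPPING_POLICY; return (profile, problems). An empty problems list means the assertion is usable."""
    attrs = extract_attributes(assertion_xml)
    profile, problems = {}, []
    for field, (claim, required) in MAPPING_POLICY.items():
        values = attrs.get(claim, [])
        if not values:
            if required:
                problems.append(f"missing required claim {claim} for field '{field}'")
            continue
        if len(values) > 1:
            # Do not pick one silently; a multi-valued claim means the IdP mapping is wrong.
            problems.append(f"claim {claim} for field '{field}' is multi-valued ({len(values)} values)")
            continue
        profile[field] = values[0]
    if "email" in profile and "@" not in profile["email"]:
        problems.append("email claim is not an address; check the IdP attribute mapping")
    return profile, problems


# Constructed assertion with every mapped claim present exactly once.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">
  <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://claims.example.com/jobtitle"><saml:AttributeValue>Account Executive</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion from a misconfigured IdP app: no email claim, two surnames.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Grace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Hopper</saml:AttributeValue><saml:AttributeValue>Murray</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        profile, problems = map_to_profile(xml)
        print(label, profile, problems)
```

The good assertion maps cleanly; the misconfigured one produces two problems (missing email, ambiguous surname) and no email in the profile, which is exactly the condition under which an SSO pilot should stop and the IdP app's claim mapping be fixed before provisioning is widened.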
SCIM user provisioning — implementation checklist
- Connect directory (Azure AD Instant Sync) or HRIS in Integrations
- Map identity attributes (display name, email, title, phone, location, profile image)
- Configure cadence (daily recommended) and deprovisioning behavior
- Pilot with a small security group before enabling org‑wide
Reference: Azure AD Instant Sync
FAQ
- Is Popl SOC 2 Type II? Yes. Popl completed a SOC 2 evaluation covering security and related trust principles. Request the report under NDA via Support. See: SOC 2 security.
- Which SSO protocols are supported? SAML 2.0 is documented today for providers like Okta and Microsoft Entra ID (Azure AD). For OIDC needs, contact Support to confirm status. See: Enterprise, Integrations.
- Does Popl support SCIM? Popl provides automated provisioning via directory/HR integrations (e.g., Azure AD Instant Sync). If you require SCIM 2.0 endpoints specifically, contact Support for current options. See: Azure AD Instant Sync.
- Where can I review data processing and security measures? The DPA documents roles, transfers, encryption, incident response, and audit rights.
- How are data encrypted and who can access them? Data are encrypted in transit and at rest; production access requires 2‑factor authentication and is logged. See: DPA.
- Can we map identity attributes to cards and permissions? Yes. Use directory/HR mappings and template locks to standardize fields and branding. See: Enterprise and Popl Teams.
- How do I get help with SSO/SCIM deployment? Open a ticket or request CSM assistance: Support.