Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.summand.com/llms.txt

Use this file to discover all available pages before exploring further.

On Enterprise plans, organizations are the unit of multi-tenancy. An organization owns one or more workspaces, has its own SSO and Directory Sync configuration, and bills as a single account. Members are managed in WorkOS and surfaced in Summand.

Provisioning

Enterprise organizations are provisioned through sales — once the contract is signed and a designated admin is named, we set up the organization in WorkOS and invite the admin by email. This is deliberate:
  • No domain squatting. A random user signing up with a @yourcompany.com email can’t claim an organization.
  • Verified admins. The first admin is the person named in the contract.
  • Clean audit trail. Provisioning events come from a sales actor, not anonymous signup.
To get an organization, contact sales@summand.com.

Roles

RoleManage SSO / SCIMManage membersManage billingCreate datasetsRead all org datasets
Owner
Admin
Memberonly ones shared with them
Roles can be assigned manually in Settings → Organization → Members or mapped from IdP groups via Directory Sync. Per-resource access (Owner / Editor / Viewer on a specific dataset or connector) is separate — see Sharing.

Domains

An organization can own multiple verified domains — useful for companies with subsidiary brands (acme.com + acme-labs.com). Each domain is verified independently via DNS TXT record. Once verified, sign-ins from that domain are routed to your SSO connection automatically. To add a domain after the org is provisioned: Settings → Organization → Domain Verification → Configure in the WorkOS Admin Portal.

Seat management

Each organization has a seat count tied to your contract. Seats are consumed when a user is added — either by manual invitation, JIT provisioning at first SSO sign-in, or SCIM provisioning from your IdP. The current seat count vs. your limit is shown in Settings → Organization at the top of the page. If you’re approaching the limit, contact your account manager — or remove inactive members first.

Member lifecycle

EventWhat Summand does
User added in your IdP, then signs in via SSOJIT-provisioned as member (or mapped role)
User added to a SCIM-synced groupProvisioned automatically with mapped role
User removed from the IdPSessions invalidated within minutes; seat freed (if SCIM is on)
User removed without SCIMSessions invalidated on next refresh; account remains until manually suspended
User suspended manually in SummandSessions invalidated immediately; data preserved
User deleted in SummandAccount removed; their datasets transferred to the org owner
For air-tight deprovisioning, run SSO + Directory Sync together. Without SCIM, you’ll need to manually suspend users when they leave.

Workspaces

Within an organization, workspaces are an optional grouping for separating datasets across teams (e.g. marketing-analytics and risk). All workspaces share the org’s billing, SSO, and member pool — workspaces are about organization, not isolation. For hard isolation between business units, use separate organizations.