Enterprise

Enterprise Overview

OpenAnalyst Enterprise is designed for large organizations with advanced security, compliance, and operational requirements. It extends the Max plan with capabilities built specifically for enterprise IT governance, procurement processes, and large-scale deployment. Pricing is custom and based on seat count, data volume, and selected add-ons — contact the sales team at enterprise@openanalyst.com for a proposal.

The core difference between Enterprise and other plans is the combination of contractual commitments (SLAs, DPAs, custom MSAs), technical capabilities (on-premise deployment, SSO enforcement, dedicated infrastructure), and operational support (named account manager, enterprise support queue, professional services).

SSO and Identity Management

Enterprise plans include full SAML 2.0 SSO with the following additional capabilities beyond the standard SSO offering:

• SCIM Provisioning: Automate user provisioning and deprovisioning via SCIM 2.0. When a user is added to or removed from the OpenAnalyst group in your IdP, their account is created or deactivated automatically — no manual sync required.
• Role Mapping: Map IdP groups directly to OpenAnalyst roles and workspace memberships. A user joining the "Data Analysts" group in your IdP can be automatically granted Analyst access to specific workspaces.
• SSO Enforcement: Require all users in the organization to authenticate exclusively through your IdP. Password-based login is disabled. An emergency break-glass admin account is provided separately.
• Multi-IdP Support: Large enterprises with multiple business units and different identity providers can configure per-workspace IdP routing.

Audit Logs

Enterprise audit logs provide a complete, immutable record of all activity within your OpenAnalyst organization. Logs are retained for a minimum of 12 months and can be extended to 7 years for compliance-sensitive industries.

The following event categories are captured in the audit log:

• Authentication events (login, logout, SSO assertion, MFA challenge)
• Data connection creation, modification, and deletion
• Query execution (including the query text, data source, user, and timestamp)
• Dashboard and report creation, editing, sharing, and deletion
• Data exports and downloads
• Permission and role changes
• API key creation and revocation
• Billing and subscription changes
• AI agent creation, modification, and execution

Audit logs can be exported in JSON or CSV format from the admin console, or streamed in real time to a SIEM (Security Information and Event Management) system via webhook or the audit log streaming API.

# Example audit log entry (JSON)
{
  "id": "evt_01HZ3K8X4MBNW7P2QVDTJSRF6",
  "timestamp": "2026-02-27T14:32:11.421Z",
  "actor": {
    "id": "usr_01HZ1A2BC3DEFG4H",
    "email": "analyst@company.com",
    "ip_address": "203.0.113.42"
  },
  "action": "query.executed",
  "resource": {
    "type": "data_connection",
    "id": "conn_01HZ0X9Y8Z7W6V5U",
    "name": "analytics_prod (PostgreSQL)"
  },
  "metadata": {
    "query_id": "qry_01HZ3K8X4MBNW7P2",
    "row_count": 1842,
    "duration_ms": 234
  }
}

Advanced Permissions

Enterprise plans include a granular, attribute-based access control (ABAC) system that goes beyond the standard Viewer / Analyst / Admin role model:

• Row-level Security: Restrict which rows of a connected data source a user can query, based on their identity attributes. A sales analyst in the US region can only see US records even when querying the same global table as a manager with full access.
• Column-level Security: Mask or hide specific columns for users without the appropriate clearance. PII fields like email and phone number can be masked for analysts who do not need the raw values.
• Dashboard Sharing Controls: Set expiration dates on shared dashboard links, require authentication to view shared content, and restrict sharing to users within the organization domain.
• IP-based Access Restrictions: Limit workspace access to requests originating from your corporate IP ranges or VPN.

Dedicated Support and SLAs

Enterprise customers receive service level commitments and a dedicated support structure:

Enterprise customers are assigned a named Customer Success Manager (CSM) and Technical Account Manager (TAM). The CSM handles onboarding, training, and adoption programs. The TAM provides technical guidance on architecture, integration design, and platform optimization.

On-Premise and Hybrid Deployment

For organizations with strict data sovereignty requirements or air-gapped environments, OpenAnalyst Enterprise offers an on-premise deployment option.

• Container-based deployment: OpenAnalyst is packaged as a set of Docker containers orchestrated with Kubernetes. A Helm chart is provided for deployment to your existing Kubernetes cluster.
• Air-gap support: All container images can be mirrored to a private registry. The application operates without outbound internet access once deployed.
• Hybrid mode: Process and store data on-premise while maintaining a management plane connection to OpenAnalyst for license validation and feature updates.

Volume Licensing and Custom Integrations

Enterprise agreements include volume-based pricing that reduces per-seat cost at scale. Organizations with more than 100 users typically see 40-60% savings compared to per-seat Max plan pricing.

Custom integration development is available through the professional services team. If your organization uses an internal data platform, proprietary database, or business application not covered by the standard connector catalog, the OpenAnalyst professional services team can build and maintain a production-grade custom connector as part of your Enterprise agreement.