Enterprise security

The following information is applicable to GroupMap enterprise customers

Hosting Options

GroupMap maintains two isolated data hosting environments - US (our primary environment) and EU. If you are interested in having your account hosted in the EU environment please let us know.

• US - Northern Virginia, USA (using exclusively US-based subprocessors)
• EU - Frankfurt, Germany (using exclusively EU-based subprocessors)

User Provisioning

GroupMap supports three provisioning models for enterprise customers.
The appropriate model depends on your style of license: 

• Named users only - a specific set of user names and email addresses can be provided to GroupMap and we will provision them on your enterprise plan. Other users are free to create GroupMap accounts, however they will not be able to create maps / workspaces after their trials are completed. 
• Validated email domain - any user who signs up with a verified email address matching your enterprise domain(s) will be automatically associated with your enterprise plan. If your licence is site-wide, they will be immediately able to create new maps and workspaces. Note users cannot automatically see content added by others in your organization, they must be explicitly invited.
• Single Sign On via your Identity Provider - as per above, any user who signs in via your Identity Provider will be automatically associated with your enterprise plan. 

SAML Single Sign On

SAML single sign on is strongly recommended for all enterprise customers, as it avoids the requirement for new email / password combinations to be recorded, allows your company to enforce their own password and 2FA requirements. SAML SSO also provides a mechanism to disable user access after they've left your company (following session expiry).

At this time we do not support SCIM for managed provisioning. 

If you wish to enable SSO functionality on your plan please let your account contact know.

• Configuring OneLogin Single Sign On
• Configuring OKTA Single Sign On
• Configuring Azure AD Single Sign On

Additional Security Options

As a group brainstorming tool, by default GroupMap opts to provide the least friction to allow your participants to join your brainstorming activity. Where security is of greater concern than ease of use, you can opt for tighter security controls:

• Require single sign on - participants will be required to sign in using the SSO Identity Provider configured on your enterprise account, regardless of how they were invited or if they have an existing non-SSO GroupMap login.
• Participant email verification - participants will be required to verify their email address if the join a map or workspace via QR code, Invitation ID or Invitation URL - unless they sign in to an existing GroupMap account. If users are directed invited by email, there is no additional step to verify email.
• Embeddable - by default GroupMap maps and workspaces cannot be embedded in other websites via iframe or similar. If you exceptions to this rule can also be made on a per-map / workspace basis. 

If you wish to enable this functionality on your plan please let your account contact know.

Enterprise Reporting

You may nominate specific users to have Enterprise Admin permissions, and be able to access your enterprise dashboard to view:

• Enterprise usage statistics (participants over time, maps over time, ideas over time)
• List of enterprise users
• List of enterprise maps / workspaces

If you have any other questions please let your account contact know.