The platform
Close the OAuth loop. Audit, score, revoke, deprovision, prevent.
ScopeMantle is the end-to-end platform for governing third-party OAuth access. Five capabilities, one identity connection, zero spreadsheets.
01 · OAUTH AUDIT
Continuous OAuth Audit
Most security teams are flying blind on third-party OAuth. The grants weren't really shadow; it's just that no tool was responsible for keeping the list current. ScopeMantle fixes that by treating your IdP as the source of truth and continuously pulling every OAuth grant, every connected service, every domain-wide install, without agents, without proxies, without anything you have to maintain.
We start with Okta and Google Workspace because that's where 80% of the signal lives. Within minutes of connecting, you have a complete inventory: app name, source, user count, scopes granted, first-seen timestamp, privacy-policy URL, and a risk tag derived from what each scope actually lets the app do. Microsoft Entra is on the roadmap; we'll connect to it the same way, read-only, revocable, no agents.
- Continuous OAuth grant inventory across Okta, Google Workspace, and Entra (roadmap)
- Full scope extraction, every grant, every user, every timestamp
- Per-app user rosters with role and last-active context from your IdP
- Policy-aware duplicate detection across sources (one Slack, not three)
- Privacy-policy URL captured and version-tracked per vendor
- Stale-token sweeps: grants unused for 90+ days are flagged automatically
- CSV, JSON, and direct SIEM export of the live inventory
02 · RISK SCORING
Vendor Risk & Privacy Posture Scoring
Every vendor in your inventory, including the long tail of small AI SaaS tools that manual vendor databases never cover, gets an automatic risk score within minutes of discovery. ScopeMantle's LLM analysis engine reads each vendor's privacy policy, security page, sub-processor list, and known breach history, and produces a confidence-scored posture assessment broken into four axes: Security, Privacy, Scope Sanity, and Breach History.
This is not a static database. Every score re-evaluates monthly, and a change in policy or a new breach disclosure pushes an alert into your event stream, Slack, or SIEM the same day.
- SOC 2 / ISO 27001 / HIPAA presence detection per vendor
- Scope-sanity red-flagging (the Context.ai signal)
- AI-training-on-customer-data clause detection
- Sub-processor graph per vendor
- Correlation with HIBP, CISA, and public breach sources
- Monthly re-score with change alerts
- Source-cited: every score links to the policy passages that produced it
03 · GOVERNANCE
Access & Scope Governance
An inventory is the prerequisite. Governance is the work. ScopeMantle ships a policy engine that turns the rules you'd otherwise enforce by Slack reminder into rules the platform enforces continuously. Every policy is a small, declarative statement ("if scope includes admin.directory and users > 25, require review") that runs against the live inventory and against every new install the moment it appears.
Policies aren't a black box. The rule builder shows a live preview of which apps would match before you enable a rule, so you can ship governance without surprising 800 employees. When a rule fires, the action is yours: notify a channel, open a Jira ticket, require a one-click approval, or revoke the OAuth token outright. We expose the same primitives via a documented API so your SOAR playbooks can react too.
- One-click and bulk-revoke OAuth tokens by policy or by query
- Bulk-revoke by Vendor Risk Score (e.g., all vendors with Score < 40)
- Auto-tag risky scopes (send_mail, modify_drive, admin.directory.*)
- Approval workflows for new app installs via Slack, email, or Jira
- Alerts on scope escalation, admin grants, and apps unused for >90 days
- Rule builder with live match preview before enable
- Programmatic API for SOAR integration: every action is callable
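A minimal version of the policy evaluation and live match preview described above, added here as an illustration and not ScopeMantle's own code: the Grant and Rule field names, the AND semantics, and the sample inventory are constructed assumptions, with the three rules taken from the page ("admin.directory and users > 25", unused 90+ days, score < 40).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class Grant:  # one third-party OAuth grant as pulled from the IdP (field names assumed)
    app: str
    source: str          # IdP the grant was read from, e.g. "okta"
    scopes: frozenset
    users: int           # users currently holding the grant
    last_used: datetime  # most recent token use seen in the IdP
    risk_score: int      # vendor risk score, 0-100 (higher is better)

@dataclass(frozen=True)
class Rule:  # declarative policy; every set condition must hold (AND), 0/"" disables it
    name: str
    action: str             # "require_review", "notify" or "revoke"
    scope_prefix: str = ""  # any granted scope starting with this, e.g. "admin.directory"
    min_users: int = 0      # "users > 25" is expressed as min_users=26
    risk_below: int = 0     # match vendors whose risk_score is below this threshold
    unused_days: int = 0    # match grants idle for at least this many days

def matches(rule: Rule, grant: Grant, now: datetime) -> bool:
    if rule.scope_prefix and not any(s.startswith(rule.scope_prefix) for s in grant.scopes):
        return False
    if grant.users < rule.min_users:
        return False
    if rule.risk_below and grant.risk_score >= rule.risk_below:
        return False
    if rule.unused_days and now - grant.last_used < timedelta(days=rule.unused_days):
        return False
    return True

def preview(rules, grants, now):
    """Live match preview: the apps each rule would hit, computed before it is enabled."""
    return {r.name: sorted(g.app for g in grants if matches(r, g, now)) for r in rules}

# Constructed sample inventory and rules (not real vendors, usage data or scores).
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
INVENTORY = [
    Grant("Slack", "okta", frozenset({"openid", "profile"}), 812, NOW - timedelta(days=1), 82),
    Grant("DirSyncBot", "google_workspace", frozenset({"admin.directory.user.readonly"}), 40, NOW - timedelta(days=3), 61),
    Grant("TinyAdminTool", "google_workspace", frozenset({"admin.directory.group"}), 8, NOW - timedelta(days=2), 70),
    Grant("OldExporter", "okta", frozenset({"drive.readonly"}), 3, NOW - timedelta(days=120), 55),
    Grant("SketchyAI", "google_workspace", frozenset({"gmail.send"}), 12, NOW - timedelta(days=5), 31),
]
RULES = [
    Rule("admin-scope-review", "require_review", scope_prefix="admin.directory", min_users=26),
    Rule("stale-90d", "notify", unused_days=90),
    Rule("low-score-revoke", "revoke", risk_below=40),
]
```

Calling `preview(RULES, INVENTORY, NOW)` reports one app per rule here; TinyAdminTool carries an admin scope but stays out of the review rule because it has only 8 users.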
(Rule builder: conditions, action, and a live preview of matches in the current inventory, e.g. 3 of 847 apps, 0 historical violations. A rule will not retroactively block existing grants.)
04 · DSAR
DSAR & Privacy Automation
DSARs used to be a forensic exercise. A request would come in, someone in privacy would ping IT, IT would ping the data team, the data team would email vendors, and four weeks later, somewhere around day 28 of the GDPR clock, a partial answer would land in a shared drive. ScopeMantle replaces that with a workflow that closes itself.
The intake portal is hosted, branded, and accessible. When a request lands, we match the requester against your IdP and connector user rosters to identify every internal system that holds their data. We then dispatch pre-composed Article 15 / 17 / 20 outreach to every vendor with a record of the subject, track acknowledgements and fulfilments against the 30-day clock, and assemble an evidence package the day the request closes. Audit-ready, regulator-ready, board-ready.
- Public-facing DSAR intake portal, hosted, branded, and accessible
- Auto-match requesters to internal systems via IdP + connector rosters
- Pre-composed Article 15 / 17 / 20 outreach per vendor template
- 30-day GDPR clock tracking with deadline alerts to legal
- Evidence package auto-assembled at close (JSON + signed PDF)
- Vendor reply parsing, acknowledgements, follow-ups, completion logged
05 · DEPROVISIONING
Deprovisioning & Offboarding
When someone leaves, the question isn't whether IT remembered to disable their email. It's whether anyone remembered the 23 SaaS apps they touched directly via OAuth, none of which appeared in the standard offboarding checklist because nobody knew they existed. ScopeMantle closes that gap by triggering offboarding from the source of truth (your HRIS or IdP) and walking the cross-SaaS checklist automatically.
Each step in the checklist produces proof: a token revocation receipt, an ownership transfer record, a removed-from-team log line. That proof goes into an offboarding evidence bundle that satisfies SOC 2 CC6.1, ISO 27001 A.5.18, and the auditor question that always lands at the worst time: "show me the last ten offboardings."
- Trigger from HRIS (BambooHR live, Workday on roadmap) or directly from your IdP
- Cross-SaaS checklist auto-generated from the user's actual app footprint
- Per-app proof-of-removal: token receipts and ownership transfer logs
- Owner-reassignment for orphaned files, repos, calendars, and pages
- SLA tracking from termination event to last-app-cleared timestamp
- Evidence bundle exportable to your GRC platform (Vanta, Drata, Secureframe)
06 · EVENTS
Normalized Event Stream
Every connector emits events. Every IdP and every SaaS app speaks a slightly different dialect of those events. ScopeMantle normalizes them into a single schema (actor, action, target, scopes, source, risk) so your SIEM doesn't have to. The schema is documented at /docs/event-schema, versioned, and stable across connector updates.
Delivery is your choice: webhook for low-latency, batched HTTP for systems that prefer pulls, or direct S3 sink for cold storage and your data lake. Splunk, Datadog, Elastic, and Sumo Logic have first-class destinations; everything else gets a documented JSON contract. Twelve months of retention is the default, configurable up or down per workspace.
- Single normalized schema across Okta, Google Workspace, and (soon) Entra
- Webhook, batched HTTP, and S3 sink delivery: pick what your stack prefers
- First-class SIEM destinations for Splunk, Datadog, Elastic, and Sumo Logic
- Risk tagging on every event from the same engine that drives policy
- 12-month retention by default, configurable per workspace
- Slack and PagerDuty alerting filtered by policy tags or scope patterns
ARCHITECTURE
How ScopeMantle is built.
Read-only by default
Every connector requests the minimum scope set required to inventory and govern. We never request write scopes for read paths. Customers can revoke at the IdP at any time.
Credentials vaulted
OAuth refresh tokens are sealed with AES-GCM at rest using per-tenant keys. State is HMAC-signed end-to-end. Connector secrets never leave the encryption boundary in cleartext.
Single-tenant VPC option
Multi-tenant SaaS by default. Enterprise plans can deploy into a single-tenant VPC in AWS us-east-1, eu-west-1, or eu-central-1 with customer-managed KMS keys.
HONEST SCOPE
What ScopeMantle isn't (yet).
Confident vendors say what they don't do. Here is ours.
- Not an IdP
We integrate with yours. Bring Okta, Google Workspace, or Entra and ScopeMantle reads from it.
- Not a CASB
We don't do inline traffic inspection. We govern access grants, not packet payloads.
- Not a SIEM
We feed yours. Splunk, Datadog, Elastic, Sumo Logic, and a documented JSON schema for the rest.
- Not a DLP tool
We tell you who has access to what. We don't block payloads in transit or scan file contents.
- Not a CMP
We integrate with consent management platforms. OneTrust today, Transcend on the roadmap.
- Not a consent firewall today (roadmap: Q4 2026)
We surface and revoke. Native prevention at grant-time requires policy-engine integration with Okta and Google Workspace.
- Not a corporate account-deletion service today (roadmap: Q3 2026)
We'll auto-fire GDPR Article 17 and CCPA deletion requests to vendors on revocation.
Find the Context.ai in your org before the attacker does.
15-minute connection. First inventory in an hour. Vendor risk scores for every third party by tomorrow.
Trusted by security and privacy teams at 50+ organizations.