Pricing · Tenet Orchestration

Free to prove the problem. Paid to solve it at fleet scale.

The open-source CLI demonstrates ghost-account reality from your own roster CSV. Tenet Orchestration ties HRIS and IAM to 40+ SaaS apps continuously, writes the state-privacy and EU AI Act evidence line, and closes offboarding in hours instead of weeks. Tiers below map to employee count because that drives HRIS connector types, shadow-AI tool proliferation, and audit evidence volume.

Free · Open source · Live on npm

tenet-offboarding-audit

$0

Apache-2.0 · forever free

CLI tool that audits an employee roster CSV for ghost accounts and shadow-AI tool access. `npm install -g tenet-offboarding-audit` or sha256-verified curl. Zero network calls, hash-only audit log.

  • CSV input — exports from Rippling, BambooHR, Workday, Gusto
  • 7 built-in heuristics (H01–H07: chronic ghosts, admin revocation, AI tool access, contractor expiry)
  • Local ~/.tenet/audit.jsonl — SHA-256 digests only, never plaintext
  • Console output mapped to CCPA, SHIELD, EU AI Act Article 26 language
  • Community support via GitHub issues

Starter · 500–1,000 emp

Tenet Orchestration

$2,500/mo

per month, billed annually ($30k ACV)

Continuous HRIS + IAM orchestration for the mid-market tier above spreadsheets but below enterprise IGA.

  • Direct HRIS integration — Rippling, BambooHR, Workday, Gusto
  • Direct IAM integration — Okta, Microsoft Entra, Google Workspace, JumpCloud
  • Event-driven revocation across 40+ SaaS apps — SCIM where possible, audited admin-console workflow otherwise
  • Ticket generation with confirmed-closure loop (no orphaned revocations)
  • Per-subject audit record in CCPA + CPRA + CDPA + CTDPA format
  • Email support · 5-business-day response

Growth · 1,000–2,500 emp

Tenet Orchestration

$5,000/mo

per month, billed annually ($60k ACV)

Adds shadow-AI discovery and third-party audit export. Where VP People + CIO + CISO buy together.

  • Everything in Starter
  • Shadow-AI discovery — live OAuth scope enumeration across 200+ SaaS
  • Vanta, Drata, and Secureframe evidence export (one-click)
  • EU AI Act Article 26 operator-record export
  • NY SHIELD Act §899-bb reasonable-safeguards export
  • Custom heuristics — codenames, project IDs, client-name redaction
  • Priority support · 24-hour response · shared Slack channel

Scale · 2,500–5,000 emp

Tenet Orchestration

$8,000/mo

per month, billed annually ($96k ACV)

For multi-state and multi-entity organizations with dedicated compliance programs and custom HR/IT stacks.

  • Everything in Growth
  • Custom connectors — long-tail SaaS, internal tools, legacy HRIS
  • Multi-state privacy attestation — CCPA, CPRA, CDPA, CTDPA, TDPSA, OCPA
  • Colorado AI Act developer + deployer evidence
  • Quarterly security review with CISO
  • Named customer success manager · dedicated onboarding
  • 99.5% uptime SLA · 4-hour critical-incident response

Why we tier by employee count

Employee count is the only number that actually predicts cost to serve.

HRIS connector complexity

At 500 employees, one HRIS and one IAM cover 95% of access signal. At 2,500 employees, M&A and regional payroll arrangements split payroll across two or three systems and IAM across Okta, Entra, and Workspace. Our engineering cost to maintain correctness scales linearly with this branching.

Shadow-AI tool proliferation

Nudge Security 2025 telemetry: 40+ SaaS apps per employee average at 500 emp, 60+ at 2,500 emp, 80+ at 5,000 emp. The long tail is where shadow-AI hides. Enumeration across OAuth scope catalogs costs real money per tenant per month.

Audit evidence volume

A 500-emp company produces roughly 2,000 per-subject audit events per quarter. A 5,000-emp company produces 20,000+. Retention, signing, and export-to-Vanta/Drata pipelines carry per-record cost that the price tier covers.

Frameworks the orchestration product maps to

What regulators and auditors actually ask for.

SOC 2 CC6.2

Per-subject access-review evidence satisfies the 2024→2026 auditor sampling shift.

California CCPA / CPRA

45-day DSAR response on former employees with per-subject access history.

NY SHIELD Act

§899-bb reasonable-safeguards evidence and audit logging for residents of New York.

Colorado AI Act

Developer + deployer evidence trail for AI systems employees interact with.

EU AI Act Article 26

Operator records of AI system use by employees, effective August 2026.

NYDFS 23 NYCRR 500

72-hour revocation standard for regulated financial-services entities.

Tenet is an orchestration layer, not an attestation. We produce the evidence your SOC 2 auditor, state-privacy regulator, or EU AI Act operator can read without translation. Your compliance stack (Vanta, Drata, Secureframe) remains your source of attestation truth.

Pricing FAQ

What buyers ask before sending a quote request up the chain.

How does Tenet bill — monthly or annual?

Tenet Orchestration is billed annually. The monthly figure shown on each tier is the effective rate; invoices cover 12 months upfront by default, with quarterly payment available on the Growth and Scale tiers.

Is there a pilot or trial for the paid orchestration product?

Yes. All three paid tiers open with a 30-day paid pilot — full product, full support, priced at one month of the annual rate. If you don't see an order-of-magnitude drop in ghost-account rate or audit-evidence preparation time, we refund the pilot and part ways. Design-partner slots exist for the first 10 customers with extended terms.

What does your security review look like?

Tenet ships with SOC 2 Type I at launch and Type II audit in flight. Penetration-test report available under NDA. The CLI is Apache-2.0 and inspectable end-to-end. The paid product uses service-role keys scoped per customer tenant, deployed in an isolated schema inside our Supabase instance, with encryption at rest and in transit.

Can we cancel? What happens to our audit history?

Yes. Annual contracts can be cancelled with 60 days' notice; the remainder of the paid term stays active. On cancellation we produce a complete per-subject audit export in the format your compliance stack expects (Vanta, Drata, or raw JSONL) so you retain every record Tenet captured during the relationship.

Which HRIS and IAM systems does Tenet integrate with on day one?

Launch HRIS: Rippling, BambooHR, Workday, and Gusto. On the 2026 roadmap: ADP, UKG, and Justworks. Launch IAM: Okta, Microsoft Entra ID, Google Workspace, and JumpCloud. On the roadmap: Ping Identity and OneLogin. Long-tail SaaS apps (300+) connect via SCIM where supported and audited admin-console workflows elsewhere.

Where does customer data live — and can we choose a region?

Tenet's default deployment runs on Supabase in the US-East region. Starter customers inherit the default; Growth and Scale customers can elect EU-West or US-West on request. Data-processing agreements available at signing. No Tenet component writes plaintext employee data to any log — all audit records carry SHA-256 digests only.

What's the implementation time from contract to first audit?

Two to six weeks from kickoff to first orchestrated revocation event. Starter customers typically close their first evidence export in week three; Growth and Scale customers with more custom connectors average four to six weeks. First SOC 2 evidence sampling runs against Tenet data inside 90 days.

What if we already use BetterCloud, Torii, or Zluri?

Tenet is the orchestration layer; those products are SaaS management layers. Most customers adopt Tenet alongside an existing SaaS management tool and deprecate that tool inside the first renewal cycle once the audit trail consolidates. See /compare for honest head-to-head pages on each alternative.

Ready to see it against your roster?

Fifteen minutes. We walk the four Tenet orchestration workflows against your HRIS, IAM, and top-ten SaaS apps. If the tier doesn’t match the problem we say so on the call.