Elido
For enterprise IT

The shortener your security team won’t reject.

You measure compliance posture, incident response time, and the number of vendor questionnaires you can survive. Elido is the shortener your security team won't reject.

  • SAML SSO + SCIM via WorkOS or native — Okta, Entra ID, Google
  • eu-central-1 default with workspace-level region pin
  • SOC 2 Type II audit in progress (H2 2026 target)
  • ISO 27001 achieved; certificate available under NDA
Workspace residency (eu-central-1 · default)

  • Helsinki: EU replica
  • Frankfurt: primary · default
  • London: compute
  • Ashburn: opt-in · Business+
  • Singapore: opt-in · APAC

Legend: Default + EU residency; Opt-in (Business+, irreversible)

  • SSO protocol: SAML + OIDC
  • SSO/SCIM provider: WorkOS
  • Audit retention (Business): 7 years
  • Current certification: ISO 27001

How SSO works

Okta or Entra ID → SAML → Elido. Twelve minutes from cold start.

SSO routes through WorkOS, which normalises the protocol differences between SAML 2.0 and OIDC and the per-IdP quirks that no one wants to maintain themselves. Your team configures the SAML app once in their IdP; Elido picks up users by email domain → connection mapping.

  1. User signs in (okta.com / login.microsoftonline.com)
     IdP authenticates against the corporate directory.

  2. SAML assertion (WorkOS connection · domain-routed)
     Email-domain → IdP connection mapping, no per-user setup.

  3. Elido session (edge auth · 200 OK)
     Session token issued, scope derived from group claims.

  4. Workspace landing (app.elido.app/w/your-org)
     Role + IP allowlist evaluated; audit row written.

SCIM provisioning

Add a user in Okta. They’re in Elido in five minutes.

SCIM 2.0 directory sync provisions and deprovisions users automatically. Group-claim mapping converts IdP groups into Elido workspace roles, so a promotion in HR’s system rolls into Elido without a ticket. Departing employees are deprovisioned within the SCIM sync cycle, with active sessions revoked and the action logged.

  • Auto-provision on group add
    IdP group membership → workspace invitation, no manual step
  • Group-claim role mapping
    engineering-eu → editor, finance → viewer, configurable
  • Deprovision = session revoke
    DELETE event invalidates tokens; API keys revoked by policy
  • Every SCIM event is audited
    Append-only log with actor, before/after, source IP
SCIM directory sync (workspace · acme-eu; Live · WorkOS)

  1. User added in Okta (T+75s)
     Joins the elido-eu-engineering directory group as part of HR onboarding.
     okta.com: POST /scim/v2/Users

  2. WorkOS pushes to Elido (T+150s)
     SCIM sync cycle picks up the create event; no manual invite needed.
     workos.com → elido.app: scim.create user@org

  3. Elido provisions the user (T+225s)
     Account created, workspace invitation surfaced in pending state.
     api-core: user.id = usr_01HK…

  4. Group claim → role (T+300s)
     engineering → editor; billing-admins → admin. Mapping is configurable.
     policy: role: editor (workspace.eu)

Deprovision is the same flow in reverse — DELETE event revokes sessions and rotates affected API keys per policy.

Authorization model

Cedar-based RBAC, not a fixed three-tier hierarchy.

The matrix below is the out-of-the-box view. Custom roles let you express things like “create links on this domain only” or “read-only on analytics, no billing access” as Cedar policies. Roles are scoped per workspace, so different business units can run different role structures.

Built-in role permissions (Cedar policies · custom roles override)

Columns: Permission | Owner | Admin | Member | Read-only | API key

  • Create / edit links
  • Manage custom domains
  • View analytics
  • Manage billing
  • Invite & manage members
  • Rotate API keys

Legend: Allowed; Scoped — set via Cedar policy; Denied

Policy eval at request time, not at login · audit · every change

What enterprise IT actually gets

  • SAML SSO + SCIM via WorkOS or native — Okta, Entra ID, Google
  • eu-central-1 default with workspace-level region pin
  • SOC 2 Type II audit in progress (H2 2026 target)
  • ISO 27001 achieved; certificate available under NDA
  • BAA on Business+ for HIPAA-adjacent workloads
  • Dedicated edge POPs available for Enterprise contracts

What enterprise IT actually needs from a shortener

Shadow-IT shorteners fail procurement on three questions: who has access, where is the data, and can we audit it. The features below are what closes those gaps.

Identity and provisioning
01

SAML SSO via WorkOS with SCIM user provisioning

SSO is via WorkOS, which supports SAML 2.0 and OIDC against any major IdP: Okta, Azure AD / Entra ID, Google Workspace, OneLogin, Ping, and others. Email-domain → connection mapping means users are routed to the right IdP without any configuration on the user's side. SCIM directory sync provisions and deprovisions users automatically: new employees added to the relevant IdP group get an Elido workspace invitation within minutes; departing employees are deprovisioned within the SCIM sync cycle without a manual offboarding ticket. Groups from the IdP map to Elido workspace roles; you configure the mapping once. Role changes in the IdP propagate automatically. This is a WorkOS-managed integration — we don't maintain a per-IdP connector; WorkOS normalizes the protocols and Elido consumes a single SCIM endpoint.

Authorization model
02

Custom roles with Cedar-style RBAC — beyond owner/admin/member

Elido's role model is Cedar-based, which means permissions are policy expressions evaluated at request time rather than a fixed three-tier hierarchy. Out of the box you get Owner, Admin, Member, and Viewer. Custom roles let you define policies like 'can create links on this domain but cannot delete or change routing rules' or 'read-only access to analytics but no access to billing settings'. Roles are assigned per workspace, not globally — an enterprise with multiple workspaces can have different role structures per business unit. IP allowlist (CIDR ranges) is evaluated alongside role checks: a user with the right role but outside the allowed IP range is denied. This is relevant for hybrid teams where contractors access a different subset than full-time employees.

Audit and SIEM
03

Append-only audit log streamed to your SIEM in real time

Every workspace action — link create, update, delete; settings change; member invite and role change; API key issue and rotation; custom domain claim; export — lands in an append-only audit log with actor, timestamp, source IP, before/after diff, and a structured event type. Logs are retained for 90 days on Pro and 7 years on Business. The SIEM firehose streams events via webhook (HMAC-SHA256 signed) to Splunk, Datadog, ELK, or any HTTP receiver in real time. The log is queryable in the dashboard but not editable; the append-only constraint is enforced at the database layer. Compliance posture: the audit log is the primary evidence for access-control reviews, change management, and incident response. A 'retention purge' meta-event is logged when old entries age out, so the gap is itself auditable.
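A receiver-side check for the HMAC-SHA256 signed firehose described above, as an added example (not Elido's code). The page does not document the signing format, so the signed string `<timestamp>.<raw body>`, the hex encoding, the 300-second window and the names `sign` and `verify_event` are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: the sender signs "<unix timestamp>.<raw body>" and delivers the
# hex digest together with the timestamp. Adjust to the documented format.
MAX_SKEW_SECONDS = 300


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp and the raw, unparsed body."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_event(secret, timestamp, signature, body, now=None, seen=None):
    """Return (accepted, reason) for one delivered audit event."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False, "bad-timestamp"
    # Reject deliveries outside the freshness window before trusting them.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison: no early exit on the first differing byte.
    if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
        return False, "bad-signature"
    # Optional replay cache: a valid signature is accepted only once.
    if seen is not None:
        if signature in seen:
            return False, "replay"
        seen.add(signature)
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # constructed sample
    body = b'{"event_type":"link.delete","actor":"ana@example.org"}'
    ts = "1767225600"
    sig = sign(secret, ts, body)
    cache = set()
    print(verify_event(secret, ts, sig, body, now=1767225630, seen=cache))
    print(verify_event(secret, ts, sig, body, now=1767225630, seen=cache))
    print(verify_event(secret, ts, sig, body + b" ", now=1767225630))
```

Verify against the raw request bytes before any JSON parsing; re-serialising the body changes the bytes and breaks the MAC.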

Data governance
04

EU residency, IP allowlist, and BigQuery export for data governance requirements

Workspace data is pinned to EU (Frankfurt) by default and never leaves that region unless an admin explicitly sets Ashburn or Singapore at workspace creation — an irreversible choice. There is no cross-region replication for hot data. IP allowlist (CIDR) on Business restricts workspace access to known egress ranges — useful for teams on a VPN or fixed office IPs. BigQuery export sends the full click event and audit log stream to a BigQuery dataset you own, on a schedule or triggered. Snowflake and S3 are also supported. For regulated workloads that require data to stay in a specific infrastructure: the self-host Helm chart lets you run the redirect tier in your own VPC, storing click events in your own ClickHouse. HIPAA BAA is available on Business+ — the technical safeguards (encryption, audit trail, access controls, breach-notification) are wired; the BAA is a legal wrapper around them.

Vendor due diligence
05

Pre-packaged compliance evidence: SOC 2, ISO 27001, DPA, sub-processors

Procurement questions that Elido closes without a long-tail email thread: DPA is pre-signed and downloadable from /legal/dpa; sub-processor list is public at /legal/subprocessors (5 vendors, all EU-domiciled or opt-out available); ISO 27001 is achieved; SOC 2 Type II is in progress with H2 2026 target. We share Type 1 evidence under NDA for customers who need it before the Type 2 report is public. The Trust Center at /trust tracks current certification state and updates on incident history. Vulnerability disclosure is via HackerOne (private program); security.txt is at the well-known path. These are things that already exist, not a roadmap. We're not going to claim SOC 2 Type II until the audit period is closed — expect H2 2026.

Stack you’ll touch

  • SSO (SAML / OIDC)
  • SCIM provisioning
  • Custom roles (RBAC)
  • IP allowlist
  • Audit log + SIEM firehose
  • EU data residency
  • HIPAA BAA

What your security team measures

Sub-processor count
5, EU-only
Audit log retention
7 years on Business
DSAR response time
Under 30 days

Enterprise IT teams running on this

Names are placeholders for now — real customer names land here as case studies are published.

Okta SCIM sync and the IP allowlist closed our procurement checklist in the first review. The audit log streaming to Splunk was the detail that made the security team comfortable — they could see it was real, not a vendor checkbox.

IT security team, insurance group, Zurich
IT Security Manager

We needed EU-resident data and no US sub-processors after Schrems II. Elido was the first shortener that answered 'where is the data stored?' with a specific city and a sub-processor count under 10.

Corporate IT, mid-market manufacturing, Dusseldorf
Head of IT Governance

BAA on Business plus ISO 27001 closed the HIPAA angle for our US product team. SCIM provisioning means we didn't have to touch Elido onboarding during a 200-person acquisition integration.

Platform security team, fintech, Dublin
Director of Platform Security

Elido vs Bitly Enterprise vs Bl.ink for enterprise IT

Bitly Enterprise and Bl.ink are both enterprise-grade options with long install bases. The comparison below focuses on the features enterprise IT teams evaluate, not marketing claims.

Capability | Elido | Bitly Enterprise | Bl.ink
SSO protocol | SAML 2.0 + OIDC via WorkOS | SAML 2.0 on Enterprise tier | SAML 2.0 on Enterprise
SCIM provisioning | Business and above, via WorkOS | Enterprise tier only | Available on Enterprise
Custom roles (RBAC) | Cedar-based policy expressions | Fixed role tiers | Granular, documented
IP allowlist | CIDR, Business+ | Enterprise only | Available
Audit log → SIEM | Real-time webhook firehose | Daily export; real-time Enterprise add-on | API-based; SIEM wiring manual
Audit log retention | 7 years on Business | 1 year standard | Configurable on Enterprise
EU data residency | Default for all plans | Opt-in on Enterprise | Available; not default
BigQuery export | Scheduled, Business+ | Not documented | API-based; no native export

Enterprise IT questions

Which IdPs does SSO support?

Any IdP that supports SAML 2.0 or OIDC — Okta, Azure AD / Entra ID, Google Workspace, OneLogin, Ping, Rippling, and others. The integration is via WorkOS, which normalizes protocol differences. If your IdP speaks SAML or OIDC, it works. Setup is a WorkOS-guided flow: configure the SAML app in your IdP, paste the metadata URL into Elido, done.

How does SCIM deprovisioning work?

WorkOS handles the SCIM 2.0 endpoint. When a user is removed from the relevant group in your IdP, WorkOS pushes a DELETE event to Elido. Elido immediately revokes the user's session tokens and marks the account inactive. Active API keys associated with that user are not automatically revoked — that's a separate step you configure in SCIM settings, defaulting to revoke-on-deprovision. The deprovision action appears in the audit log within the SCIM sync cycle (typically under 5 minutes).
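Because API key revocation on deprovision is a configurable step, a SIEM-side check over the streamed audit log can confirm that nothing is still acting as a removed user. This is an added example, not Elido's code; the field names (`ts`, `type`, `actor`, `target`, `ip`) and the event-type strings are assumptions, and the events are constructed.

```python
from datetime import datetime

# Constructed sample audit events. Field names and event-type strings are
# assumptions; the page only says entries carry actor, timestamp, source IP
# and a structured event type.
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T09:00:00+00:00", "type": "scim.user.create",
     "actor": "scim", "target": "ana@example.org", "ip": "198.51.100.7"},
    {"ts": "2026-01-12T09:30:00+00:00", "type": "link.create",
     "actor": "ana@example.org", "target": "lnk_1", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T10:00:00+00:00", "type": "scim.user.delete",
     "actor": "scim", "target": "ana@example.org", "ip": "198.51.100.7"},
    {"ts": "2026-01-12T10:07:00+00:00", "type": "link.update",
     "actor": "ana@example.org", "target": "lnk_1", "ip": "192.0.2.44"},
    {"ts": "2026-01-12T10:08:00+00:00", "type": "link.create",
     "actor": "bob@example.org", "target": "lnk_2", "ip": "203.0.113.11"},
    {"ts": "2026-01-12T11:00:00+00:00", "type": "scim.user.create",
     "actor": "scim", "target": "ana@example.org", "ip": "198.51.100.7"},
    {"ts": "2026-01-12T11:05:00+00:00", "type": "link.create",
     "actor": "ana@example.org", "target": "lnk_3", "ip": "203.0.113.10"},
]


def actions_after_deprovision(events):
    """Return actions attributed to a user after their SCIM delete."""
    removed_at = {}  # user -> time of a delete not yet followed by a create
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    for ev in ordered:
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "scim.user.delete":
            removed_at[ev["target"]] = when
        elif ev["type"] == "scim.user.create":
            removed_at.pop(ev["target"], None)  # re-provisioned: clear state
        elif ev["actor"] in removed_at:
            delay = int((when - removed_at[ev["actor"]]).total_seconds())
            findings.append({"actor": ev["actor"], "type": ev["type"],
                             "ip": ev["ip"], "seconds_after_delete": delay})
    return findings


if __name__ == "__main__":
    for finding in actions_after_deprovision(SAMPLE_EVENTS):
        print(finding)
```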

What does the IP allowlist cover?

Dashboard login, API requests, and webhook delivery confirmation. CIDR notation is supported; multiple ranges are comma-separated. Requests from outside the allowlist return a 403 with a logged audit event — no silent drops. IP allowlist is evaluated after authentication, not before, so failed auth from outside the allowlist still logs the attempt.

Can we get a BAA for HIPAA compliance?

Yes, on Business+. The BAA covers Elido's role as a business associate for workspaces where PHI might pass through link metadata or analytics. The technical safeguards (encryption at rest and in transit, audit trail, access controls, breach notification) are already in place. Contact compliance@elido.app for the BAA template.

What's the SOC 2 status?

SOC 2 Type II audit is underway with a H2 2026 target. ISO 27001 is achieved. We share Type 1 evidence under NDA for customers who need it before the Type 2 report is published. Trust Center at /trust tracks current state. We won't claim Type II until the audit period is closed.

How do custom roles work — can I restrict a team to read-only on a specific domain?

Yes. Custom roles define Cedar-based policies that can scope permissions to specific domains, specific folders, or specific operations (create/read/update/delete). A role that allows link creation only on a specific custom domain and read-only analytics access is a valid policy. Roles are per-workspace; a user can have different roles in different workspaces. Policy evaluation happens at request time, not at login.

Is there a dedicated edge option for Business customers?

The Business tier uses Elido's shared edge POPs (Frankfurt, Ashburn, Singapore). A dedicated edge — your own fleet of redirect nodes, traffic-isolated from other tenants — is an Enterprise conversation. Contact sales@elido.app. Alternatively, the self-host Helm chart lets you run the redirect tier in your own VPC, which is a common pattern for Enterprise customers with strict traffic isolation requirements.

What's the breach notification SLA?

24 hours customer notification on confirmed personal-data breaches; 72 hours regulator notification (GDPR Art. 33). Notification covers what we know at that point — we don't hold for full forensics. Process is at /trust/incident-response.

Not sure which angle fits?

Most teams start as one and grow into all four. Our sales team can walk through your specific stack in 20 minutes.
