Entity Types in Riskflow
This document outlines the different types of entities in the Riskflow application and their roles within the ecosystem.
Managed Service Providers (MSPs)
Managed Service Providers (MSPs) operate directly under Riskflow and are responsible for managing multiple organizations. An MSP is essentially a team of users whose user_type is MSP.
Each MSP team consists of the following roles:
Note: A user’s access to organizations is independent of their specific role. However, the role determines what actions the user can perform within their authorized organizations.
Organizations (a.k.a. Tenants)
Organizations, also referred to as tenants, can either be:
- directly affiliated with Riskflow, or
- managed under an MSP.
They are teams of users with the user_type set to Organization.
Organizations cannot manage other entities (unlike MSPs), but they can manage their own team members, depending on the role.
Each organization team consists of the following roles:
Organizations are responsible for creating and managing projects based on compliance frameworks, such as:
- HIPAA
- GDPR
- SOC 2
Each framework includes specific modules or project types. For example, under HIPAA, the organization can manage:
Vendors
Vendors are external individuals invited by organizations to sign Business Associate Agreements (BAAs).
Key characteristics:
- Vendors cannot self-register and do not receive login credentials.
- They access a simplified vendor dashboard via magic link authentication, only if they have received an invitation from at least one organization.
- Within the dashboard, vendors can:
  - View BAAs from each organization.
  - Sign documents (once).
  - Download signed documents.
- They cannot edit the documents.
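The vendor rules above can be enforced server-side as in the following sketch. It is an added example, not Riskflow's own code: the `VendorPortal` class, the HMAC-signed token format, the signing key and the 15-minute link lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
TTL = 900                         # assumption: link lifetime in seconds

def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

class VendorPortal:  # hypothetical model of the vendor dashboard backend
    def __init__(self):
        # (org, vendor_email) -> BAA record; one record per invitation
        self.baas = {}

    def invite(self, org, email, text):
        self.baas[(org, email)] = {"text": text, "signed_at": None}

    def issue_magic_link(self, email, now=None):
        # Vendors cannot self-register: no invitation, no link.
        if not any(v == email for _, v in self.baas):
            raise PermissionError("no invitation for this address")
        exp = int((time.time() if now is None else now) + TTL)
        msg = f"{email}|{exp}"
        return f"{msg}|{_mac(msg)}"

    def authenticate(self, token, now=None):
        # Verify the MAC before trusting any field, then check expiry.
        msg, _, sig = token.rpartition("|")
        if not hmac.compare_digest(sig.encode(), _mac(msg).encode()):
            raise PermissionError("invalid link")
        email, _, exp = msg.rpartition("|")
        if int(exp) < (time.time() if now is None else now):
            raise PermissionError("expired link")
        return email

    def list_baas(self, token, now=None):
        # Read-only view: organization -> whether the BAA is signed.
        email = self.authenticate(token, now)
        return {o: r["signed_at"] is not None
                for (o, v), r in self.baas.items() if v == email}

    def sign(self, token, org, now=None):
        email = self.authenticate(token, now)
        rec = self.baas.get((org, email))  # scoped to the vendor's own BAAs
        if rec is None:
            raise PermissionError("no BAA from this organization")
        if rec["signed_at"] is not None:
            raise PermissionError("already signed")  # sign once
        rec["signed_at"] = time.time() if now is None else now
        return rec["signed_at"]
```

The portal exposes no method that changes a BAA's text, which is how the "cannot edit" rule is kept: the only state a vendor can change is the one-time `signed_at` field.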
Users
Users represent all individuals on the platform except vendors.
User flow and roles:
- A user can register as part of an Organization or an MSP.
- If they are the first user of their team, they must wait for owner approval (self or internal approval depending on flow).
- A user cannot register as part of an MSP-managed organization unless explicitly invited.
- By default, organizations are created under Riskflow management unless assigned to an MSP.