Access Reviews
Access reviews that run on a schedule — not on your team's last nerve
ComplyJet automates the data collection, the workflow, and the reminders so your access reviews actually happen — and auditors actually accept them. Especially useful for teams running compliance for the first time without a dedicated security hire.
Automated access pulls
No more exporting CSVs from every system the week before your review
Access reviews require pulling current user lists from every system, comparing against your HR records, and documenting who has what access and why. ComplyJet automates the data collection — so your review starts with a complete, current picture, not a manual export.
AWS, GitHub, Okta, Google Workspace - access data pulled automatically from every connected system
Cross-referenced against HR records - stale or unexpected access flagged before the review even starts
Always current - no screenshots, no spreadsheets, no manual export coordination
Structured review workflow
Review access the right way - with a clear process and a paper trail
Auditors don't just want to know that you reviewed access — they want to see how you did it. ComplyJet runs access reviews through a structured workflow: reviewers assigned, approvals logged, revocations tracked, and a complete audit trail produced automatically.
Reviewers assigned per system or team - each access decision logged with approver and timestamp
Revocation tasks tracked to completion - not just flagged, but followed through with evidence
Full audit trail auto-generated - the report your auditor needs is ready before they ask
Never miss a review
Quarterly reviews shouldn't require a calendar reminder and three Slack messages
Most startups miss access review deadlines because there's no system that enforces them. ComplyJet schedules your reviews, notifies the right people when they're due, and tracks completion — so the review happens on time, every time, without manual coordination.
Configurable review schedule - quarterly for privileged access, annual for standard users, per framework
Automated reminders - reviewers notified when due, escalated if overdue
Completion tracked at program level - see which systems are reviewed and which are overdue at a glance
Key capabilities
Everything you need to run access reviews that hold up under audit
From data collection to audit-ready evidence — all in one workflow, included in your plan.
Automated access data collection
Pull current user access lists automatically from every connected system — no manual CSV exports or API calls required.
HR record reconciliation
Cross-reference access against your current employee and contractor list from your HR tool to flag terminated or role-changed users.
Structured review workflows
Assign reviewers per system, capture approve or revoke decisions, and log every action with a timestamp and auditor-ready record.
Revocation tracking
Revocation tasks created automatically for any access flagged as inappropriate — tracked to closure, not just noted.
Scheduled review reminders
Configure review frequency per framework and system — automated reminders ensure reviews happen on time without manual chasing.
Multi-system coverage
Cloud platforms, identity providers, code repos, SaaS tools — all covered in one workflow across 350+ connected integrations.
Historical review records
Every completed review preserved in full — reviewers, decisions, timestamps, and revocations. Ready for your auditor on demand.
Audit-ready evidence export
Export completed access reviews in the exact format your auditor expects — no reformatting or manual compilation needed.
Framework requirements
Access reviews are required — not optional
Every major compliance framework mandates periodic access reviews. Here's exactly which controls require them — and what auditors check for.
SOC 2 - Trust Services Criteria
CC6.2: Access provisioned based on authorised roles — and removed promptly when roles change or employees leave
CC6.3: Periodic reviews to confirm users still need their current access level — documented with approver sign-off
CC6.6: Logical access restricted by least-privilege — privileged access reviewed more frequently (typically quarterly)
ISO 27001 - Annex A Controls
A.5.18: Access rights assigned, reviewed, and removed in line with access control policy — evidence required for each review cycle
A.5.15: Access control enforced based on business and security requirements — formal review process must be documented and repeatable
A.8.2: Privileged access rights managed separately and subject to more frequent review and tighter controls than standard users
HIPAA - Security Rule
§164.308(a)(4): Information access management — policies and procedures for authorising access to ePHI, reviewed and updated regularly
§164.312(a)(1): Technical access controls on all systems handling ePHI — unique user identification, access logs, and periodic reviews required
§164.308(a)(3): Workforce access management — termination procedures and access revocation must be documented and verifiable
Priced for startups, not enterprises
Access reviews included in your plan — not a bolt-on
One flat fee per company. No per-seat pricing. No add-ons for access reviews. Your price stays the same whether you're a 5-person team or a 45-person startup.
For startups up to 50 employees — no per-seat pricing, no surprises as you grow.
Single framework
$5,000/year
Full platform — automated access reviews, evidence collection, continuous monitoring, policy templates, audit workspace, and Trust Center.
Two frameworks
$8,000/year
e.g. SOC 2 + ISO 27001 — one access review workflow satisfies both frameworks simultaneously, same flat price.
See the access review workflow in action
Book a 30-minute demo. We'll walk you through the full workflow — from first integration to audit-ready export — for your specific framework.
Full platform
Access reviews connect to your full compliance program.
Every feature below is included in your ComplyJet plan — no bolt-ons, no extra modules to configure.
Compliance Automation
Connect your stack, automate evidence, and monitor controls 24/7 — your entire compliance program on autopilot.
Risk Management
Track threats, map them to controls, and keep your risk register audit-ready at all times.
Policy Management
AI-drafted policies distributed and acknowledged by your team, all tied to active controls.
Employee Compliance
Track background checks, training completion, and policy acknowledgements in one place.
Audit Management
Give auditors a pre-populated workspace. Fewer requests, faster close, no last-minute scramble.
Vulnerability Management
Sync vulnerabilities from Snyk, AWS Inspector, and Wiz directly into your compliance program.
Customer stories
Startups that went from zero to compliant with ComplyJet
Access documented before the auditor asks.
FAQ
Common questions about access reviews
What systems can ComplyJet pull access data from?
ComplyJet connects to AWS IAM, Google Workspace, Okta, GitHub, GitLab, Azure AD, Slack, Jira, and 350+ other tools. Any system you've connected to your compliance program is available for access reviews — including SaaS tools, cloud platforms, and identity providers.
How often do access reviews need to happen?
It depends on your framework. SOC 2 typically expects quarterly reviews for privileged access and annual reviews for standard users. ISO 27001 and HIPAA have similar requirements. ComplyJet configures the schedule to match your framework requirements and reminds the right people automatically. For startups going through this for the first time, most ComplyJet customers reach audit readiness in 8-12 weeks.
What happens when the review flags someone's access as inappropriate?
ComplyJet creates a revocation task, assigns it to the right owner, and tracks it to completion. The review isn't marked complete until all flagged items are resolved — giving your auditor a clean record of every decision made and every access removed.
Can multiple people review different systems at the same time?
Yes. You can assign reviewers at a system level, team level, or per individual user. For systems owned by different teams, multiple reviewers can run their portion of the review concurrently — the platform tracks overall completion across all of them. Most ComplyJet customers are startups where a founder, CTO, or engineering lead owns compliance alongside their main job — so distributing review tasks across the team matters.
Does this cover contractor access, not just employees?
Yes. ComplyJet tracks contractor access alongside employee access — including time-limited access that should be revoked when contracts end. Terminations in your HR tool can trigger immediate access review tasks automatically.
How is ComplyJet different from Vanta or Drata for access reviews?
Vanta includes access reviews at enterprise-tier pricing. Drata charges extra for the feature. ComplyJet includes access reviews in the base plan — the same flat fee covering everything else. For a 20-person startup, paying thousands extra per year just to document who has access to what doesn't make sense when you're running lean. The access review workflow in ComplyJet is integrated with your identity provider, so the evidence is already there when your auditor asks.
Run your first automated access review
30 minutes. We'll show you the full workflow — from first integration to audit-ready report — for your specific framework. Built for teams doing this for the first time. No commitment required.