customers
/
blackpanda
customers
/
blackpanda
How Blackpanda built a compliance-ready access control foundation across 40+ applications
How Blackpanda built a compliance-ready access control foundation across 40+ applications
How Blackpanda built a compliance-ready access control foundation across 40+ applications
From fragmented SaaS access to a structured, audit-ready access control layer that enabled SOC 2 and ISO 27001 certification.
From fragmented SaaS access to a structured, audit-ready access control layer that enabled SOC 2 and ISO 27001 certification.
From fragmented SaaS access to a structured, audit-ready access control layer that enabled SOC 2 and ISO 27001 certification.
Blackpanda
Company
Company
Blackpanda
Industry
Industry
Cyber incident response & insurance
Size
Size
55 employees across Singapore, Malaysia, Hong Kong, the Philippines and Japan
It ownership
It ownership
No dedicated IT function (operational ownership across teams)
Stack
Google workspace
BambooHR
Jira
HubSpot
JumpCloud
Databricks
+ 42 total applications
Interviewee
Interviewee
Brendan Laws, Chief Operating Officer
“
ShiftControl gives growing teams clear, automated control over who can access what — without enterprise complexity.
Brendan Laws
Chief Operating Officer at Blackpanda
When Brendan joined Blackpanda, he viewed the environment through a cybersecurity lens.
The business had grown quickly. With 42 applications in use — spanning Google Workspace, BambooHR, Jira/Confluence, HubSpot, JumpCloud, Slack, Databricks and more — identity and access management had become increasingly manual and fragmented.
Provisioning and deprovisioning relied on:
Tribal knowledge
Checklists and follow-ups
Cross-team coordination
Manual system updates
There was no single system providing clear visibility into who had access to what. Least-privilege enforcement was inconsistent. Role changes required effort. Offboarding carried risk.
As scale increased, so did operational drag and security exposure.
In a cybersecurity company operating across jurisdictions, that gap carried real operational and regulatory implications. As an incident response firm that deals with breaches across the region, the team sees first-hand how often compromised identities and weak access controls are the entry point for attacks. That reality made it clear that strengthening identity and access governance internally needed to be a priority. Regulatory scrutiny was also inevitable. The leadership team knew SOC 2, ISO 27001, and GDPR alignment would become necessary — and access control could not remain informal. It needed to be systematic, role-aligned, and auditable before entering formal certification processes.
Before and after ShiftControl
❌ Before | ✅ After |
Manual provisioning across 42 applications | Automated joiner and leaver flows orchestrated through ShiftControl |
No unified visibility into access | Centralized view of access across the SaaS stack |
Blurred IT ownership | Structured access governance without needing a dedicated IT team |
Risk of lingering access | Consistent, automated deprovisioning |
Reactive access management | Controlled, predictable, audit-ready processes |
Why ShiftControl
ShiftControl aligned with how Blackpanda operates.
There is no dedicated IT department. While the team is operationally strong, they needed a system that did not depend on specialist IAM ownership to function effectively.
ShiftControl fit naturally into their Google Workspace–first environment and introduced structure without enterprise IAM complexity or the need for a full-time identity engineer.
At the core was orchestration: BambooHR driving lifecycle events, with ShiftControl coordinating provisioning and deprovisioning across Google Workspace, JumpCloud, and connected SaaS applications. This architecture was recommended by the ShiftControl team based on Blackpanda’s environment and growth plans, and implemented together as part of the rollout.
It provided:
Automated joiner and leaver workflows triggered from HRIS
Orchestrated provisioning across Google Workspace and JumpCloud
Role-based access standardization aligned to real operational workflows
Clear visibility into who has access to what across 42 applications
Governance that scales without adding headcount
Beyond access control, Blackpanda also consolidated parts of its stack through ShiftControl as an official reseller — offering Google Workspace and selected tools directly at competitive rates while keeping governance centralized.
“
We don’t have a dedicated IT team, so whatever we implemented had to work without an identity specialist managing it day to day.
Brendan Laws
Chief Operating Officer at Blackpanda
Structured Implementation
The rollout focused on mapping roles to systems, defining access baselines, and embedding least-privilege principles directly into provisioning logic.
Joiner and leaver workflows were standardized so that lifecycle events originating in BambooHR triggered coordinated access changes across Google Workspace, JumpCloud, and other connected systems. This reduced dependency on checklists and individual memory.
“The onboarding process felt straightforward and methodical, which was reassuring given how nuanced access management can be when done properly.”
Because Blackpanda operates in a security-sensitive, multi-country environment, implementation prioritized auditability and traceability from the outset — ensuring access decisions could be explained and evidenced if required.
Over the past 12 months, Blackpanda also engaged as a design partner, providing feedback that helped refine workflows and edge cases specific to contractor access and regional operations.
“Whenever something hasn’t been clear or hasn’t worked as expected, the team has jumped in immediately to engage, explain, and resolve it. That level of responsiveness made the relationship feel collaborative rather than transactional.”
Enabling the Compliance Journey
After implementing ShiftControl and stabilising access governance, Blackpanda successfully achieved SOC 2 Type II and ISO 27001, and is actively progressing through GDPR requirements across multiple jurisdictions.
Logical access control, offboarding, least privilege, and audit traceability are foundational domains across these frameworks. Prior to ShiftControl, demonstrating consistent enforcement across 42 applications would have been manual and difficult to evidence.
“To pass serious audits, access control can’t be informal. You need to show it’s systematic, role-based, and consistently enforced.”
ShiftControl provided:
Consistent, auditable provisioning and deprovisioning
Centralized visibility into application ownership and access assignments
Structured, documented offboarding workflows
Enforced least-privilege baselines aligned to defined roles
Reduced reliance on informal or undocumented access processes
By embedding access governance into daily operations before entering certification, compliance became significantly easier to evidence and defend. Rather than retrofitting controls for audit, Blackpanda could demonstrate that structured access control was already operational.
“Having access properly controlled before entering certification made the compliance journey far more straightforward.”
The Results So Far
1. Fast, controlled provisioning
Provisioning and deprovisioning application access is now extremely fast and consistent, including for contractors and interns.
2. Reduced offboarding risk
Automated deprovisioning significantly reduces the likelihood of lingering access or missed offboarding steps.
“Knowing that application access is consistently provisioned and removed removes a significant source of worry.”
3. Clearer ownership and visibility
Access ownership and boundaries are visible and structured, reducing ambiguity across teams.
4. Operational calm
Access control is no longer a background concern. It is predictable, structured, and defensible.
“That confidence alone makes the platform valuable, because it turns access from a constant concern into a controlled, predictable process.”
“
To pass serious audits, access control can’t be informal. You need to show it’s systematic, role-based, and consistently enforced.
Brendan Laws
Chief Operating Officer at Blackpanda
In Their Words
If someone asked “should I use ShiftControl?” – what would you say?
“Yes — especially if you don’t have a dedicated IT team and you’re starting to feel the risk and friction of SaaS sprawl. It gives you control over access, onboarding, and offboarding without needing an identity specialist.”
One word to describe the experience?
“Reassuring.”
Take control of your SaaS stack
Book a demo to see how it could work for your team
Take control of your SaaS stack
Book a demo to see how it could work for your team
Take control of your SaaS stack
Book a demo to see how it could work for your team
How Blackpanda built a compliance-ready access control foundation across 40+ applications
From fragmented SaaS access to a structured, audit-ready access control layer that enabled SOC 2 and ISO 27001 certification.
Blackpanda
Company
Blackpanda
Industry
Cyber incident response & insurance
Size
55 employees across Singapore, Malaysia, Hong Kong, the Philippines and Japan
It ownership
No dedicated IT function (operational ownership across teams)
Stack
Google workspace
BambooHR
Jira
HubSpot
JumpCloud
Databricks
+ 42 total applications
Interviewee
Brendan Laws, Chief Operating Officer
“
ShiftControl gives growing teams clear, automated control over who can access what — without enterprise complexity.
Brendan Laws
Chief Operating Officer at Blackpanda
When Brendan joined Blackpanda, he viewed the environment through a cybersecurity lens.
The business had grown quickly. With 42 applications in use — spanning Google Workspace, BambooHR, Jira/Confluence, HubSpot, JumpCloud, Slack, Databricks and more — identity and access management had become increasingly manual and fragmented.
Provisioning and deprovisioning relied on:
Tribal knowledge
Checklists and follow-ups
Cross-team coordination
Manual system updates
There was no single system providing clear visibility into who had access to what. Least-privilege enforcement was inconsistent. Role changes required effort. Offboarding carried risk.
As scale increased, so did operational drag and security exposure.
In a cybersecurity company operating across jurisdictions, that gap carried real operational and regulatory implications. As an incident response firm that deals with breaches across the region, the team sees first-hand how often compromised identities and weak access controls are the entry point for attacks. That reality made it clear that strengthening identity and access governance internally needed to be a priority. Regulatory scrutiny was also inevitable. The leadership team knew SOC 2, ISO 27001, and GDPR alignment would become necessary — and access control could not remain informal. It needed to be systematic, role-aligned, and auditable before entering formal certification processes.
Before and after ShiftControl
❌ Before | ✅ After |
Manual provisioning across 42 applications | Automated joiner and leaver flows orchestrated through ShiftControl |
No unified visibility into access | Centralized view of access across the SaaS stack |
Blurred IT ownership | Structured access governance without needing a dedicated IT team |
Risk of lingering access | Consistent, automated deprovisioning |
Reactive access management | Controlled, predictable, audit-ready processes |
Why ShiftControl
ShiftControl aligned with how Blackpanda operates.
There is no dedicated IT department. While the team is operationally strong, they needed a system that did not depend on specialist IAM ownership to function effectively.
ShiftControl fit naturally into their Google Workspace–first environment and introduced structure without enterprise IAM complexity or the need for a full-time identity engineer.
At the core was orchestration: BambooHR driving lifecycle events, with ShiftControl coordinating provisioning and deprovisioning across Google Workspace, JumpCloud, and connected SaaS applications. This architecture was recommended by the ShiftControl team based on Blackpanda’s environment and growth plans, and implemented together as part of the rollout.
It provided:
Automated joiner and leaver workflows triggered from HRIS
Orchestrated provisioning across Google Workspace and JumpCloud
Role-based access standardization aligned to real operational workflows
Clear visibility into who has access to what across 42 applications
Governance that scales without adding headcount
Beyond access control, Blackpanda also consolidated parts of its stack through ShiftControl as an official reseller — offering Google Workspace and selected tools directly at competitive rates while keeping governance centralized.
“
We don’t have a dedicated IT team, so whatever we implemented had to work without an identity specialist managing it day to day.
Brendan Laws
Chief Operating Officer at Blackpanda
Structured Implementation
The rollout focused on mapping roles to systems, defining access baselines, and embedding least-privilege principles directly into provisioning logic.
Joiner and leaver workflows were standardized so that lifecycle events originating in BambooHR triggered coordinated access changes across Google Workspace, JumpCloud, and other connected systems. This reduced dependency on checklists and individual memory.
“The onboarding process felt straightforward and methodical, which was reassuring given how nuanced access management can be when done properly.”
Because Blackpanda operates in a security-sensitive, multi-country environment, implementation prioritized auditability and traceability from the outset — ensuring access decisions could be explained and evidenced if required.
Over the past 12 months, Blackpanda also engaged as a design partner, providing feedback that helped refine workflows and edge cases specific to contractor access and regional operations.
“Whenever something hasn’t been clear or hasn’t worked as expected, the team has jumped in immediately to engage, explain, and resolve it. That level of responsiveness made the relationship feel collaborative rather than transactional.”
Enabling the Compliance Journey
After implementing ShiftControl and stabilising access governance, Blackpanda successfully achieved SOC 2 Type II and ISO 27001, and is actively progressing through GDPR requirements across multiple jurisdictions.
Logical access control, offboarding, least privilege, and audit traceability are foundational domains across these frameworks. Prior to ShiftControl, demonstrating consistent enforcement across 42 applications would have been manual and difficult to evidence.
“To pass serious audits, access control can’t be informal. You need to show it’s systematic, role-based, and consistently enforced.”
ShiftControl provided:
Consistent, auditable provisioning and deprovisioning
Centralized visibility into application ownership and access assignments
Structured, documented offboarding workflows
Enforced least-privilege baselines aligned to defined roles
Reduced reliance on informal or undocumented access processes
By embedding access governance into daily operations before entering certification, compliance became significantly easier to evidence and defend. Rather than retrofitting controls for audit, Blackpanda could demonstrate that structured access control was already operational.
“Having access properly controlled before entering certification made the compliance journey far more straightforward.”
The Results So Far
1. Fast, controlled provisioning
Provisioning and deprovisioning application access is now extremely fast and consistent, including for contractors and interns.
2. Reduced offboarding risk
Automated deprovisioning significantly reduces the likelihood of lingering access or missed offboarding steps.
“Knowing that application access is consistently provisioned and removed removes a significant source of worry.”
3. Clearer ownership and visibility
Access ownership and boundaries are visible and structured, reducing ambiguity across teams.
4. Operational calm
Access control is no longer a background concern. It is predictable, structured, and defensible.
“That confidence alone makes the platform valuable, because it turns access from a constant concern into a controlled, predictable process.”
“
To pass serious audits, access control can’t be informal. You need to show it’s systematic, role-based, and consistently enforced.
Brendan Laws
Chief Operating Officer at Blackpanda
In Their Words
If someone asked “should I use ShiftControl?” – what would you say?
“Yes — especially if you don’t have a dedicated IT team and you’re starting to feel the risk and friction of SaaS sprawl. It gives you control over access, onboarding, and offboarding without needing an identity specialist.”
One word to describe the experience?
“Reassuring.”
Take control of your SaaS stack
Book a demo to see how it could work for your team
Ask AI about ShiftControl
Ask AI about ShiftControl
Ask AI about ShiftControl
Ask AI about ShiftControl
ShiftControl – Built on IT and security best practices
ShiftControl
ShiftControl
© 2025 Shift Control Pte. Ltd. All rights reserved.