Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.matproof.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The People module is where you manage the humans in your compliance program — employees, contractors, and team members. It is separate from user accounts: someone can be tracked as an employee in People without having a Matproof login. Key use cases:
  • Access review evidence for ISO 27001 A.8.2 and SOC 2 CC6.2
  • Security awareness training tracking and attestation
  • Offboarding checklists to ensure access is revoked on departure
  • Device inventory for ISO 27001 asset management and DORA endpoint security

The People dashboard

Go to People → Dashboard for a real-time compliance overview of your workforce:
  • Training completion rate across the team
  • Offboarding tasks past due
  • Devices with unresolved compliance issues
  • Access reviews due or overdue
Bookmark the People dashboard for your quarterly management review — the completion rates and open tasks make strong evidence of an active compliance program.

Adding employees

Manual entry

  1. Go to People → All
  2. Click Add person
  3. Fill in name, email, role, and department
  4. Optionally set their start date and manager

Import from Google Workspace or Microsoft 365

If you have the Google Workspace or Microsoft 365 integration connected, you can sync your directory automatically:
  1. Go to Settings → Integrations and connect Google Workspace or Azure AD
  2. Go to People → All → Import
  3. Select your connected directory and click Sync
Matproof maps directory users to People records and keeps them in sync. New hires and departures are reflected automatically.
Importing from your HR system is the recommended approach for teams larger than 10. It eliminates manual data entry and ensures your People list stays current.

Employee profile

Each employee record tracks:
FieldPurpose
Name and emailIdentity and communication
Role / departmentUsed to scope access reviews and training assignments
Start dateTriggers onboarding task checklists
ManagerUsed for offboarding approval flows
Access rightsList of systems and permissions (for access review evidence)
Training statusCompletion status of assigned security training
DevicesLinked company devices
StatusActive / Offboarding / Offboarded

Tracking security training

Assign training to employees and track completion:
  1. Open an employee record → Training tab
  2. Click Assign training
  3. Select the training module (security awareness, GDPR, acceptable use policy, etc.)
  4. Set a due date
  5. The employee receives an email with a link to complete it
Matproof records completion timestamps and generates a training log you can export as evidence for auditors.
Assign security awareness training to all employees at least once a year. ISO 27001 A.6.3 and SOC 2 CC1.4 both require documented training.

Running access reviews

Access reviews demonstrate that only the right people have access to the right systems — a core requirement for ISO 27001, SOC 2, and NIS 2.
  1. Go to People → All → click Start access review
  2. Select scope: all employees or a specific department
  3. Reviewers (typically managers) confirm or revoke access for each system
  4. Matproof generates a timestamped access review report when complete
Access reviews must be completed, not just started. Auditors look for the completed report with reviewer sign-off. Incomplete reviews can be a finding.

Offboarding

When an employee leaves:
  1. Open their record → click Start offboarding
  2. Matproof generates a checklist: revoke system access, collect devices, archive accounts, notify HR, etc.
  3. Each task is assigned to a responsible person with a due date
  4. Mark tasks complete as they are done
  5. Close the offboarding when all tasks are done
The completed offboarding record serves as evidence that access was revoked in a timely manner.

Devices

Go to People → Devices to see every device registered against an employee, what compliance signals it’s reporting, and any open vulnerabilities.

How devices get into Matproof

Three ways:
  1. Matproof Device Agent (recommended) — install the Matproof Device Agent on each user’s machine. The agent reports endpoint compliance signals every hour (FileVault, screen lock, OS patch level, antivirus, firewall, MDM enrollment) plus a 6-hourly software inventory matched against the NVD CVE database. This is the path that produces actual evidence on endpoint controls.
  2. MDM sync — if you operate an MDM (Jamf, Kandji, Microsoft Intune), connect it as an integration. Matproof imports the device list and combines it with what the device agent reports.
  3. Manual entry — for devices that can’t run the agent (Linux until GA, vendor-managed machines), add them by hand for asset-inventory purposes.
The Matproof Device Agent and an external MDM are not mutually exclusive — use the agent for compliance signals and the MDM for fleet management; Matproof reconciles them.

What’s tracked per device

FieldCompliance relevance
Device name and typeAsset inventory (ISO 27001 A.8.1)
Assigned toLinks device to employee
OS and version, patch freshnessDORA Article 9, ISO 27001 A.8.8
Encryption (FileVault / BitLocker)ISO 27001 A.8.24, DORA Article 9, HIPAA 164.312(a)(2)(iv)
Screen lock and idle timeoutISO 27001 A.7.7, SOC 2 CC6.6
Firewall statusISO 27001 A.8.20, NIS 2 Article 21
Antivirus + signature freshnessISO 27001 A.8.7
MDM enrollmentValidated by the agent, optionally sourced from external MDM
vulnerableAppsCountCVE-matched installed software (Tier 3A); ISO 27001 A.8.8, PCI DSS 6.3.1
Last seenActivity tracking
Failed checks and high-severity CVEs raise Findings automatically and surface against the relevant control.

Matproof Device Agent

The agent that produces endpoint compliance evidence

ISO 27001 A.8

Asset inventory + endpoint security control family