Plans & billing

This page covers the plan tiers, exactly how plan enforcement works, and how billing is handled. For current prices and the full feature matrix, the pricing page is the source of truth — this page is the admin’s mechanical view.

1. The tiers

• Free — 100 devices and 3 users, forever. WireGuard mesh, MagicDNS, ABAC policies, device posture (at connect), DNS filtering, the AI assistant, and remote SSH are included.
• Business — per-user pricing with unlimited devices and a 60-day free trial (no card). Adds SCIM, continuous posture, workforce analytics, DLP, CASB, remote desktop, and longer audit retention.
• Workforce — custom, for larger / regulated deployments; the deepest workforce-security and retention options.

Exact prices and limits change — the pricing page is canonical.

2. How plan enforcement works

Every gated handler calls requireFeature(db, org_id, '<feature>', request), which resolves the org’s effective plan and checks the plan_features table:

  requireFeature(org, feature)
        │
        ▼
   billing_subscriptions → resolveEffectivePlan()
     trialing & not expired → trial plan
     trialing & expired     → free
     paid & period expired / inactive status → free
     (no subscription)      → inherit parent org's plan, else free
        │
        ▼
   plan_features WHERE plan = <effective> AND enabled = true
        │
   feature in list? ── yes → allowed (null)
                     └ no  → 403 FEATURE_GATED  "requires an upgraded plan"
        │
   result cached in Valkey (key features:<org_id>, 600s TTL)

The cache is shared with the dashboard’s feature-check and invalidated when a subscription or plan_features row changes — so the dashboard, CLI, and API always agree.

3. Feature-flag reference

Each admin capability is gated by a named feature flag. Which plan includes which flag is defined in plan_features (and shown on pricing); the flags themselves are:

Feature flag	Gates	Page
dns_filtering	DNS threat/category filtering	DNS filtering
casb	Shadow-IT discovery & app policy	CASB
dlp	File-scan data-loss detection	DLP
scim	SCIM 2.0 provisioning	Identity
workforce_analytics	Sessions, schedule, productivity, inventory	Workforce analytics
user_risk_scoring	Seven-factor user risk	Workforce analytics
remote_shell	Remote SSH/shell (enabled on all plans)	Remote access
remote_desktop	WebRTC remote desktop	Remote access
secrets_vault	Encrypted secrets vault	Observability
compliance_reports	Drift evaluation + signed reports	Observability
nl_acl_builder, event_summarizer, incident_response, ai_chat, ai_actions	AI Operator capabilities	AI Operator

Posture, ACLs, and the mesh are part of the baseline and are not paid-gated (posture enforcement modes and continuous re-evaluation differ by plan).

4. How the trial works

The Business trial runs 60 days with all Business features and no credit card. At the end the org auto-downgrades to Free (via the expire-trials job); no data is deleted — paid features simply gate down. Extend a trial through sales if a pilot needs more runway.

5. Billing

Billing is handled via Razorpay, with custom invoicing for larger contracts. Manage your subscription from the dashboard’s billing area (/api/manage-subscription); checkout is created via /api/create-checkout, and subscription state is reconciled by the Razorpay webhook. Changes apply immediately.

6. Verification & troubleshooting

• A paid call returns 403 FEATURE_GATED → that feature isn’t in the org’s effective plan; upgrade, or check the trial hasn’t expired.
• Upgraded but still gated → wait up to 600 s for the entitlement cache, or confirm the subscription status is active.
• Child org missing features → ensure the parent org’s subscription carries them (children inherit).
• Trial ended unexpectedly → check trial_ends_at; the org falls back to Free automatically.

7. Next

• Pricing page — current prices and the full feature matrix.
• Admin guide home — the rest of the administration topics.