Skip to content
BlogCase Studies

Case Study: How Canopy Analytics Passed SOC 2 by Replacing Shared API Keys with Named Access

A SaaS company scaling from 5 to 50 employees achieved full tool call attribution, passed their SOC 2 audit, and eliminated shared API key sprawl with role-based access controls.

Pipeworks Team·

Company Profile

Canopy Analytics is a B2B SaaS company in Chicago that provides predictive analytics dashboards for mid-market sales teams. Founded in 2023, they grew from 5 employees to 52 in under two years. Their product integrates with customers' CRMs and communication tools, and internally they rely heavily on Salesforce for their own pipeline, SendGrid for customer communications, Stripe for billing, and a Memory-based knowledge store for their internal AI workflows.

Like many fast-growing startups, their internal tooling evolved organically. What started as a few shared API keys in a team password manager became an ungovernable sprawl of credentials with no audit trail.

The Problem

Canopy's integration access grew with the company, but their access controls did not.

The Shared Key Problem

When Canopy had 5 employees, a single Stripe API key pinned in the team Slack channel was fine. Everyone knew who was doing what. By the time they hit 30 employees across engineering, sales, customer success, and finance, they had:

  • 4 Stripe API keys shared across 14 people, with no record of who created them or why
  • 3 Salesforce connected apps used by an unknown number of team members
  • 2 SendGrid API keys — one for production emails, one "for testing" that was also being used in production
  • Zero attribution on any tool call made through their AI agents

When the finance team asked "Who issued that $2,400 credit to Oakmont Industries last Tuesday?", the answer was always the same: "We do not know."

The SOC 2 Wake-Up Call

In Q3 2025, Canopy began preparing for their SOC 2 Type II audit — a requirement from three enterprise prospects representing $840,000 in combined annual contract value. Their auditor reviewed Canopy's internal tool access and flagged four critical findings:

Warning

SOC 2 Audit Findings:

  1. Shared credentials with no individual accountability
  2. No access review or deprovisioning process for departing employees
  3. No activity logs for sensitive operations (billing, customer data access)
  4. Excessive permissions — every team member had full read/write access to all systems

The auditor gave Canopy 90 days to remediate. Without passing, the three enterprise deals were dead.

The Departing Employee Risk

Two weeks after the audit findings, a senior sales engineer left the company. It took Canopy's IT lead three days to identify every system the employee had accessed, and they were never fully confident they had revoked all access. The employee had used shared API keys — revoking those keys would have broken access for everyone else on the team.

They ended up rotating all four Stripe keys, both SendGrid keys, and two of the three Salesforce connected apps. The process took 11 hours and caused a 45-minute outage in their customer email pipeline.

The Solution

Canopy migrated their internal AI agent infrastructure to Pipeworks over two weeks, with the SOC 2 remediation deadline driving the timeline.

1

Named API keys for every team member

Every employee received a named API key tied to their identity. No more shared credentials. When an AI agent makes a tool call — whether it is looking up a Salesforce opportunity, sending an email through SendGrid, or checking a Stripe subscription — the activity log records exactly who initiated the action.

The naming convention is straightforward: each key carries the employee's name and role, visible in the activity log. When someone leaves, their key is revoked in a single action. No shared keys to rotate, no downstream breakdowns.

2

Role-based access tiers

Canopy defined four access tiers mapped to their organizational structure:

Engineering (12 people)

  • Stripe: Read-only (view subscriptions, invoices, payment methods)
  • Salesforce: No access
  • SendGrid: Read-only (view email stats, delivery logs)
  • Memory: Full access (internal knowledge base for AI workflows)

Sales (15 people)

  • Stripe: Read-only (view customer billing status for sales calls)
  • Salesforce: Full access (create, update, manage pipeline)
  • SendGrid: No access
  • Memory: Read-only

Customer Success (10 people)

  • Stripe: Read access + limited write (create credits under $100, no refunds)
  • Salesforce: Read access + limited write (update account notes, log activities)
  • SendGrid: Full access (send customer communications)
  • Memory: Full access

Finance (4 people)

  • Stripe: Full access (refunds, credits, subscription changes)
  • Salesforce: Read-only (revenue reporting)
  • SendGrid: No access
  • Memory: No access

New hires in any role start with read-only access across the board. Write permissions are granted after their first week by their team lead.

3

Activity logging for compliance

Every tool call across all four integrations is logged with:

  • Who — The named API key (and therefore the employee) that initiated the call
  • What — The specific tool called (e.g., create_credit_note, update_opportunity, send_email)
  • When — Timestamp with timezone
  • Result — Whether the call succeeded or failed

Canopy exports these logs monthly for their compliance archive. During the SOC 2 audit, they demonstrated the ability to answer any "who did what when" question in under 30 seconds.

4

Automated deprovisioning

When an employee leaves, revoking their named API key is a single action that takes effect within 30 seconds. No shared credentials are affected. No other team members lose access. The departing employee's historical activity remains in the log for audit purposes, but their key can never be used again.

Canopy added API key revocation to their standard offboarding checklist. The IT lead estimated it saves 8-10 hours per departure compared to the old shared-key rotation process.

Integrations Used

S
Salesforce
20 tools · AI-powered CRM operations at scale
S
SendGrid
10 tools · Automated email delivery at scale
S
Stripe
50 tools · Automate payments, invoices, and revenue ops

Results After 90 Days

SOC 2 Type II Audit: Passed

Canopy passed their SOC 2 Type II audit on the first attempt. The auditor specifically noted the improvement in access controls and activity logging as "exceeding expectations for a company of this size."

The three enterprise deals — worth a combined $840,000 in annual contract value — moved forward. Two closed within 30 days of the audit completion.

100% Tool Call Attribution

Every tool call made through Canopy's AI agents is now attributable to a specific employee. In the first 90 days, Canopy logged 47,000+ tool calls across their four integrations. When the finance team asks "Who issued that credit?", the answer takes 15 seconds to find.

Zero Shared Credentials

Canopy went from 9 shared API keys across 4 services to zero. Every credential is either a named personal key (for individual contributors) or a named workspace key (for automated workflows). The IT lead maintains a dashboard showing all active keys, their scopes, and their last-used timestamps.

MetricBeforeAfterChange
Shared API keys in use90Eliminated
Tool call attribution rate0%100%Full coverage
Time to deprovision departing employee11 hoursUnder 2 minutes99.7% faster
SOC 2 access control findings4 critical0Full remediation
Time to answer audit questionsDaysUnder 30 secondsNear-instant
Enterprise deals unblocked03 ($840K ACV)Direct revenue impact

Employee Onboarding: From Ad Hoc to Systematic

New hires now receive their named API key with role-appropriate permissions on their first day. Before Pipeworks, new employees would spend 2-3 days collecting credentials from various team leads, often ending up with inconsistent access levels depending on who they asked.

The average time from "new hire starts" to "fully provisioned with correct access" dropped from 2.8 days to 4 hours.

Tip

Named API keys are not just a security feature — they are an operational tool. When every action is attributed, you can identify workflow bottlenecks, measure tool adoption across teams, and build a culture of accountability without surveillance.

The Memory Integration

One integration that proved unexpectedly valuable was Memory — Pipeworks' built-in knowledge store for AI agents.

Canopy's engineering and customer success teams use Memory to maintain a shared knowledge base that their AI agents reference during workflows. Product documentation, internal runbooks, customer-specific notes, and troubleshooting guides all live in Memory, accessible to AI agents during conversations.

The key benefit: Memory access is governed by the same permission system as every other integration. Engineering has full read/write access to maintain technical documentation. Customer success can read everything but only write to their own notes. Sales has read-only access to product information. Finance has no access.

This granularity means the AI agents serving different teams see different slices of the knowledge base, matching the information boundaries that already exist in the organization.

Key Takeaways

For SaaS companies scaling their teams:

  1. Shared API keys do not scale. They work for 5 people. They become a liability at 15. They are an audit finding at 50. Migrating to named keys early is significantly cheaper than remediating under audit pressure.

  2. Attribution is a business requirement, not a nice-to-have. SOC 2, ISO 27001, and enterprise procurement questionnaires all ask the same question: "Can you tell us who accessed what and when?" If the answer is "no," the deal is at risk.

  3. Deprovisioning is the hidden cost of shared credentials. Every shared key that a departing employee had access to needs to be rotated, affecting everyone who uses it. Named keys make offboarding a 2-minute task instead of an 11-hour fire drill.

  4. Start with the audit in mind. Even if SOC 2 is not on your roadmap today, building access controls and activity logging from the start means you are always audit-ready. Retrofitting is 10x harder than building it in.

  5. Permissions mirror your org chart. The easiest way to design access tiers is to look at what each team actually needs. Most people need read access to most tools. Write access should map to job function, not seniority.

What Canopy Says

"We were 90 days from losing $840,000 in pipeline because we could not answer basic questions about who had access to what. Pipeworks gave us named keys, activity logs, and role-based permissions in two weeks. We passed SOC 2 on the first try, and now every new enterprise prospect sees our access controls as a strength, not a concern."

David Okafor, VP of Engineering, Canopy Analytics

Related

Industry
SaaS Companies
Connect your AI agents to billing, CRM, and customer success tools to automate subscriber management, churn prevention, and support operations.
Learn
Understanding API Keys and Credentials
A plain-language explanation of API keys, access tokens, and other credentials -- what they are, why they matter, and how they stay safe.
Solution
How to Connect Your AI Agent to Your CRM
Give your AI agent the ability to read, create, and update CRM records. Automate contact management, lead follow-up, and opportunity tracking.

Ready to automate?

Connect your AI to the tools you already use. Get started in minutes.

Get Started