Managing Team Members & Account Settings
This article covers the day-to-day administration of your PolicySuite workspace: adding and removing users, adjusting roles, configuring your organisation settings, and maintaining security. These tasks require the org_owner or org_admin role.
1. Inviting team members
To add a new user to your organisation, go to Settings > Team > Invite User. Enter the person's work email address, select their role from the dropdown, and click Send Invitation. They will receive an email with a link to create their account and join your workspace.
Invitation links expire after 72 hours. If your invitee doesn't receive the email, ask them to check their spam folder — the sender address is noreply@policy-suite.com. You can resend any pending invitation from the Team settings page.
Available roles when inviting:
- org_admin — full operational access across the platform, second only to org_owner
- compliance_admin — manages policies, distributions, and compliance reporting
- policy_author — creates and edits policy drafts; cannot publish without review
- reviewer — approves policy drafts before publication
- auditor — read-only access to all policies, acknowledgement records, and audit logs
- employee — receives and acknowledges assigned policies only
2. Changing roles
To change a team member's role, go to Settings > Team, click the user's name, and select Change Role from their profile. Choose the new role and confirm. Role changes take effect immediately — the user's permissions update on their next page load without requiring them to log out and back in.
You can both promote and demote users at any time. Common scenarios include promoting a policy_author to compliance_admin when they take on management responsibilities, or demoting a departing team lead to employee while they complete their notice period.
3. Removing users (off-boarding)
When a team member leaves your organisation, remove them promptly. Go to Settings > Team, click the user, and select Remove from Organisation. This immediately revokes all access — their active session is terminated and they cannot log back in.
Removing a user does not delete their historical record. All actions they took while active — policies they authored, distributions they sent, acknowledgements they recorded — remain in the audit log under their name. If the removed user had active policy assignments, those assignments are preserved for record-keeping purposes, but no new distributions can be sent on their behalf.
4. Organisation settings
Go to Settings > Organisation to configure workspace-level preferences:
- Organisation name — appears on distributed policies and employee-facing communications
- Logo — upload your logo to brand the employee portal and policy PDFs
- Primary contact email — used for billing and support communications
- Session timeout — how long before inactive users are automatically signed out. Default is 8 hours, configurable from 1 hour to 30 days. For higher-security environments, 1–4 hours is recommended.
5. Two-factor authentication
Two-factor authentication (2FA) significantly reduces the risk of account compromise, particularly for admin-level accounts with access to sensitive policy content and employee data. PolicySuite strongly recommends enforcing 2FA for all users with roles above employee.
To enforce 2FA, go to Settings > Security > Require 2FA for admins and enable the toggle. The setting applies to admin-role users: any admin-role user who has not yet enrolled in 2FA will be prompted to do so on their next login before they can access the platform. Users can set up 2FA themselves from their Profile > Security tab using any TOTP-compatible authenticator app (Google Authenticator, Authy, 1Password, and Microsoft Authenticator all work).
If a user loses access to their authenticator, they can use one of their saved backup codes to log in. If backup codes are also lost, contact support@policy-suite.com to initiate a verified 2FA reset.
6. Data export and account deletion
To download a complete export of your organisation's data — policies, acknowledgement records, audit logs, and user information — go to Settings > Data Export and click Request Export. You will receive a download link by email when the export is ready, typically within a few minutes.
If you wish to permanently delete your PolicySuite account and all associated data, contact support@policy-suite.com. Account deletion is irreversible. All data is permanently purged within 30 days of the confirmed deletion request, in accordance with GDPR Article 17 requirements. Export any records you need to retain before requesting deletion.
Still need help?
Email our support team at support@policy-suite.com — we typically respond within 24 hours.