CommonLit uses P0 Security to balance developer autonomy and SOC 2 compliance

Overview

Education is under attack. School districts across the U. S. are increasingly targeted by ransomware and data breaches—including a high-profile case involving leaked sensitive psychological notes about students in major districts.

As a result, many states have begun enforcing SOC 2-levelexpectations for vendors, even without formal mandates. CommonLit needed to up their compliance posture—not only to demonstrate strong access controls and satisfy audit requirements, but to protect something even more fragile:trust in the classroom.

Challenge

With rising security demands and just nine engineers, the CommonLit team needed to secure access to their cloud environments without introducing complexity or slowing development.

Their solution had to preserve classroom trust and engineering velocity, with evolving compliance standards like SOC 2. Even a two-hour access delay is considered a deal-breaker for CommonLit’s lean, high-performing team.

Solution

When Indent—an access request platform built for IAM workflows—announced its end-of-life, the CommonLit team began searching for a replacement that could do just-in-time access management and integrate with Tailscale, their zero-config VPN used to securely connect services and users across their environment. Most options were oversized and overpriced—built for legacy on-prem environments, bundling features they didn’t need.

What they wanted was a fast, clean, Slack-native tool for managing just-in-time access to AWS and GitHub—with auditability and ease of use. That’s when they found P0 Security. P0 now governs access to CommonLit’s most sensitive systems, enabling engineers to request time-bound access via Slack.

During incidents, on-call engineers can temporarily add themselves to a GitHub “hotfix” team, push a critical change, and automatically have access revoked with every step logged for compliance. By eliminating lingering permissions and manual user group cleanup, P0 also saves hours of audit prep time each quarter, reducing risk and effort for a small team with limited bandwidth.

Results

Incident response and operational resilience

• Faster incident response: On-call engineers can self-serve access during emergencies without waking teammates.
• Minimized bottlenecks: By distributing access approvals across the team, P0 reduces the risk of blocking work during critical incidents or PTO.
• Small team, enterprise posture: P0 gives a nine-person team the security rigor and operational agility to compete with the largest education providers.

Compliance and audit readiness

• SOC 2 compliance, made tangible: CommonLit can confidently demonstrate that no individual can change production without peer review.
• Streamlined audits: Groups remain empty by default, eliminating lingering access and significantly reducing quarterly audit prep time.
• Automated, auditable workflows: P0 integrates directly with CommonLit’s compliance posture, helping the team meet strict customer and regulatory expectations with less manual overhead.

Developer velocity and productivity

• Fast approvals: Access requests during business hours are typically approved in under 10 minutes, keeping developers in flow.
• Uninterrupted shipping: Blocking engineers—even for two hours—is a nonstarter. P0 ensures developers stay productive and focused on delivering features.
• Real-world educational impact: With reduced friction, the team shipped a digital annotation tool that enhances student retention and gives teachers visibility into student thinking.