Your brand on the front. AFEND on the back.
Partner-tier consultancies and agencies can present each client workspace under their own name, logo, and accent. The customer signs in to your brand; the workflow, controls, and policy pack underneath are still AFEND. No separate build, no fork, no maintenance.
Four overrides, applied workspace-wide on the next render.
Switch on whitelabel for a Partner workspace and these become editable in /app/settings. The accent variable recolours buttons, links and highlights through the design system; the wordmark and logo flip in the header and emails; the AFEND chrome can be hidden where the partner needs full opacity.
Brand name
Replaces the AFEND wordmark in the workspace header and document footers. Up to 60 characters. Leave empty to fall back to AFEND.
Logo URL
Public https:// URL of an SVG or PNG (transparent background recommended). Rendered in the header instead of the wordmark when set. Hosted on your CDN; we never proxy or cache the image.
Accent colour
Hex (#1d4ed8) or OKLCH triplet ("0.55 0.235 28"). Recolours buttons, links, focus rings and highlights inside the workspace shell - the design system reads this off a CSS variable, so utilities like bg-accent and text-accent flip together.
Hide AFEND chrome
Suppresses AFEND-specific footer copy and the public help-center link from the workspace shell. Use it when the partner wants zero AFEND mentions inside the client environment.
Custom domain
Run the workspace on app.partner.com (or any partner-owned subdomain). Add the CNAME at your DNS provider, click Verify in /app/settings; Vercel auto-issues the TLS certificate, the middleware routes the host to your workspace, and the URL bar reads as your brand from there on.
Three moves, one workspace.
Whitelabel is a per-workspace switch, not a global flag. A consultancy can run one client whitelabelled and the next one on the AFEND defaults - no migration between the two states.
- 01
Admin enables whitelabel on the plan
An AFEND admin flips whitelabel_enabled on the Partner plan in /admin/entitlements. The change is auditable - written to admin_action_log with before/after values - and propagates to every workspace on that plan on the next request.
- 02
Account owner configures the brand
On a Partner workspace, the account owner or program owner opens /app/settings and fills in brand name, logo URL, accent colour, and the hide-AFEND toggle. Empty fields fall back to the AFEND defaults; saving revalidates the workspace shell so the brand applies immediately.
- 03
Members see the partner brand
Anyone signing in to that workspace - the consultant, the client team, an external auditor invited as collaborator - lands on the partner brand. The control catalogue, risk library, policy pack and AI copilot underneath are unchanged; only the chrome moves.
Consultancies, agencies, MSPs, and the rare enterprise self-rebrand.
ISO 27001 consultancies
Sell the engagement under your boutique brand. The workspace your client logs into reads as yours - their seat list, their evidence, their audit dossier. Subscription billing stays on the client's Stripe; you don't carry the tool spend.
Compliance-as-a-service agencies
Run a portfolio of clients all wearing your brand without forking a product. Every workspace inherits the same hardened workflow; your differentiator is delivery and methodology, not platform engineering.
MSPs bundling security with managed IT
Wrap ISO readiness into your existing MSP service. The client sees one supplier, one brand. You configure once per workspace; the rest is the same operating system you already trust.
Enterprises with internal compliance teams
Replace the visible AFEND surface with your own internal Information Security brand. Same product, your wordmark - useful when the program needs to read as company-internal rather than "vendor tool".
Brand-aligned email, partner help center.
Phase 1 covers the workspace shell + custom domain (live now). The phase-2 work extends the same brand row to transactional email and the in-app help link, so the partner brand stays consistent end-to-end.
Brand-aligned transactional email
Magic-link, invitation, audit-ready, and review-due emails sent from a partner-configured sender (with the partner's signing domain) and partner-coloured email body.
Per-workspace help-center URL
Optional override of the in-app help link - point it at the partner's own knowledge base when the client should not bounce to public AFEND content.
Audit trail intact
Every brand change is written to admin_action_log with before/after values. The AFEND audit trail is yours to inspect at any time, including across whitelabel changes.
Same workflow, same gates
Whitelabel touches chrome only. Scope approval, SoA gate, evidence thresholds, internal audit, management review - the program logic is identical to a non-whitelabelled workspace, so an external auditor sees the same evidence shape.
Revocable in one click
Empty the brand fields and the workspace falls back to AFEND on the next render. There is no destructive migration - chrome state is independent from program data.
Common questions before you switch your brand on.
Anything else? Email office@afend.com and we will respond same business day.
Is this a separate fork or a config switch?
Config switch. There is no forked codebase or branch; whitelabel is a row of columns on the workspace plus a plan-level entitlement. Empty fields fall back to AFEND on the next render. We never deploy a custom binary per partner.
Where is the partner logo hosted?
On your own CDN. We store the public https:// URL on the workspace row and reference it from the header. AFEND does not proxy, copy, or cache the image - if you rotate the file at the URL, the workspace picks up the new version on the next render.
Can the customer turn whitelabel off?
The customer's account owner cannot - whitelabel is gated by the plan-level whitelabel_enabled entitlement, which only an AFEND admin can flip. The partner can clear the brand fields, falling back to AFEND defaults, but cannot remove the entitlement on their own. This is intentional: the entitlement is the commercial gate.
Does whitelabel change pricing logic, audit trail, or readiness scoring?
No. Whitelabel changes chrome only - the wordmark, logo, accent variable, and a footer-suppression flag. Plan logic, entitlements, RLS, audit log, readiness scoring, AI safety layer, and the evidence model are identical to a non-whitelabelled workspace. An auditor sampling a Partner workspace sees the same artefact shapes as anywhere else.
What about emails sent to the customer?
In phase 1 (today), magic-link, invitation, and reminder emails still come from the AFEND sender. Phase 2 extends per-workspace branding to transactional emails so the partner sends from their own domain. The phase-2 milestone is on the public roadmap; talk to us if your engagement timeline pushes against it.
Can the partner self-host or run AFEND in their own cloud?
No. Whitelabel does not move the deployment - AFEND continues to run on its EU / Frankfurt infrastructure (Supabase + Vercel). For a regulated partner that genuinely cannot consume third-party SaaS, talk to us about the local-only AI mode and the regulated-tier residency options - those are different conversations from whitelabel.
Run client workspaces under your brand. We carry the platform.
The Partner tier is sales-gated - tell us about your portfolio and we will set you up. Email office@afend.com or start a Core trial today and we will move you to Partner when ready.