About

Twins belong in your identity system.

Subtwin is an independent company building the identity layer for agentic IT work. We started with the highest-volume, best-defined surface — Identity Directory helpdesk — and a single conviction: the agent should be a real principal in your IDM, not a bot wedged into a chat surface. Everything else flows from that.

Why we exist

The "twin in your IDM" pattern shouldn't be a vendor's secret.

For two years the AI conversation has been about what models can do. The harder problem turned out to be: who is the AI worker, where does it live, who can it act for, and where does its activity land in the audit log? Those are identity questions, not model questions.

We call our answer a twin. Twins are first-class citizens in your enterprise — peers of your team, not employees, not bots. They have identity, presence, and an audit trail like any colleague. They show up where work happens.

The company is named Subtwin — a wink at the JWT sub claim, the subject identity inside every authenticated token. Your twin is your sub-twin: a real subject in your IDM, acting under your authority, twinned to you in Teams. If you got the pun, you're our audience.

Subtwin exists to ship twins — and to keep the underlying pattern open. We ship the product, and we're working on the identity primitives twins depend on so the broader ecosystem can adopt the same model.

What we're optimising for

  • Twins are first-class citizens in your enterprise — peers in the directory, not employees, not bots.
  • The twin is a real principal in the IDM, by construction.
  • Every action is in the customer's own audit log, under the twin's name.
  • Tenant boundary is a container boundary — no exceptions.
  • The brain is interchangeable. The twin is not.
  • The primitives twins depend on get published openly. Anyone can implement them.

Identity primitives

What we're working on, honestly named.

We're authoring the agent-identity primitives we depend on as open work. We're not pretending these are finished standards. The current status of each draft is below — none of them are RFCs yet, and we won't call them that until they are. Track progress in our repo: github.com/Subtwin/twin-primitives.

Twin provisioning

A standard shape for "create a twin identity in an IDM" — display name, presence, scoped capabilities, audit metadata — portable across Entra, Okta, Workspace, JumpCloud.

Draft 0.2

Capability descriptors

How a twin declares what it can do in a way IDMs and audit systems can reason about. Pairs with MCP for the wire protocol; this is the identity-side complement.

Draft 0.1

Audit shape

A canonical event shape for "twin acted on behalf of human" that includes the confirmation timestamp. Maps cleanly to existing M365 / Okta / Workspace audit logs.

Draft 0.3

Presence & routing

How a twin advertises availability and how DMs route to the right per-customer container without leaking topology to the end user.

Sketch

Offboarding / lifecycle

How a twin identity is torn down across the IDM, the container host, and the audit log — without orphaning state in any of them.

Sketch

IDM ⇄ HRIS bridge

The v3 horizon: twin identities sourced from (and recorded in) the systems that already define who works at a company. Notes only at this stage.

Notes

Want to follow the work or contribute? Open the repo or drop us a line.

Why now

Three things had to be true. They are.

1. MCP has serious adoption

Anthropic's protocol got picked up across Claude, several IDE and agent tools, and a growing set of open-source harnesses. Not universal yet, but enough that Subtwin's MCP tool surface is portable across the orchestrators that matter.

2. Real agent harnesses shipped

OpenClaw, Hermes and others are now production-ready with gateways, memory, skills, and scheduled tasks. We don't have to build "the brain" — we plug into whichever brain a customer wants.

3. Graph subscriptions matured

Webhook delivery for Teams DMs is now reliable enough to be a production interaction surface. As recently as 2023, it wasn't. The plumbing the product depends on finally works.

Team

Who's behind this.

Small, deliberately. People who've built identity, agent and IT infrastructure before. We'd rather have a few customers we know well than a logo grid we can't support.

Founder & CEO

Background in IT services, M365 administration at scale, and helpdesk economics for SMB and mid-market. The "why is this still a portal?" problem is what started Subtwin.

Engineering lead

Identity, OAuth and MSAL plumbing across multiple prior platforms. Owns the per-tenant container architecture, the threat model and the SBOM you can read end-to-end.

Security & trust

SOC 2 / HIPAA / GDPR program for the past three years across two compliance-heavy startups. Runs our trust posture and the customer security packet.

Want to meet the team? Schedule a working session via contact — we'll bring whoever's most useful to the conversation, not a designated "executive sponsor".

Where we run

Hosted on peasyCloud.

Subtwin's per-customer containers run on peasyCloud — a regional, audit-friendly container host designed for tenant-isolated workloads. peasyCloud is operated independently; Subtwin is a customer of peasyCloud, not a subsidiary. We chose them because their isolation model (per-customer instance, per-customer encryption keys, no shared application substrate) fits the twin architecture.

peasyCloud holds SOC 2 Type II and runs EU and US regions today. Additional residency options are on the v2 roadmap to support customers with strict data-residency obligations. We pass through your choice of region without surcharge.

If peasyCloud were ever unavailable, the source-available escrow described on the Security page means you can keep running your twin on your own infrastructure.

A note on the "peasy" name: peasyCloud (hosting infrastructure) and PeasyServices (one of our launch Subtwin Partners — see Partners) are separate companies. They share a name root from a common founder history; they do not share equity, board, or operations. peasyCloud is a vendor to Subtwin; PeasyServices is a delivery partner to Subtwin customers. We mention this explicitly so it doesn't read as a closed loop.

The hosting picture

  • One Linux container per customer tenant.
  • Per-customer encryption-at-rest keys.
  • EU / US regions; more on the roadmap.
  • SBOM & signed images on request.
  • Independent of any single LLM provider.
  • Source escrow if peasyCloud or Subtwin goes away.

Roadmap

v1 → v2 → v3, in one line each.

v1 — Now

Per-customer container, Teams DM only, 13 admin tools, three orchestrator options. Manual onboarding by our operator. Free for all customers.

Shipping

v2 — Next 6 months

Customer self-service onboarding portal. Proactive scheduled work (Monday-morning license reviews, expiring access). Expanded tool catalog. SOC 2 Type II. Okta + Google Workspace adapters in beta. PSA/RMM native integrations.

In progress

v3 — 2027

Multi-channel (email + SMS for after-hours). Skills marketplace (customer-specific runbooks). Analytics dashboard. HRIS / employee-system bridge. Full identity-primitive publication.

Horizon

The names you'll see

Who is who in our world.

Twin

The thing we ship. A first-class citizen in your IDM — peer, not employee, not bot. Has identity, presence and an audit trail.

Subtwin

The company. The brand. The name plays on the JWT sub claim — the subject identity inside every authenticated token. Your twin is a sub-twin: your subject, doubled.

Sam HelpDesk

The example twin we use throughout the docs. In your tenant, your twin is named whatever you want.

peasyCloud

The container infrastructure that hosts each per-customer twin. Operated independently; we're a customer of it.

Subtwin Partner

A Subtwin-verified MSP that delivers and supports twins for end customers. Current Subtwin Partners: Port NOC and PeasyServices. See the MSPs page for the partner program details.

DIY MSP

An MSP that operates twins for its own clients without the partner-directory listing. Same product, free per client, white-labelled to your brand.
