Customer Stories

Inside Productboard’s Leap to Enterprise and AI—Powered by Oso’s Authorization Platform

Accelerate enterprise readiness by 2-3 years
Enable faster delivery of agentic AI apps
Unlock new revenue opportunities and differentiation

Productboard’s Rise—Building the Right Products Faster

Productboard is a customer-centric product management platform that helps organizations get the right products to market, faster. 

Founded in 2014, today over 6,000 companies including Cartier, JP Morgan Chase, and UIPath use Productboard to understand what users need, prioritize what to build next, and rally everyone around their roadmap. Productboard is backed by some of the most renowned VC firms in Silicon Valley and is recognized as one of the hottest tech startups, appearing on the Forbes’ Next Billion-Dollar Startups list.

As the company expanded its reach into enterprises and released its first AI-powered apps, authorization powered by Oso enabled Productboard to dramatically accelerate its time to market while ensuring both human and agentic workflows operate securely and reliably.

From SMBs to Enterprises: Why Authorization Had to Grow Up

Productboard’s growth trajectory has seen it move from serving small- and medium-sized customers to working with some of the largest enterprises in the world. Spearheading its authorization architecture are two key members of the engineering organization: Matúš Koperniech, Staff Engineer and Technical Lead on the Permissions team, and Martin Masarik, Senior Engineering Manager responsible for both the Permissions and AI teams.

Early on, Productboard’s smaller customer base was well-served by a pre-defined, hardcoded approach to authorization. However, as the company expanded into the enterprise segment, it needed far more granular controls, including custom roles, relationship-based access, and fine-grained edit permissions for individual fields. “Small companies often have no issue with their whole team seeing everything relating to a project, but large enterprises need to govern access with more control and governance,” says Masarik.

Productboard enables teams to stay on top of evolving customer needs, prioritize product investments, drive alignment with business stakeholders, and coordinate product releases.

From Authorization That Slows to Authorization That Flows

Prior to adopting Oso, Productboard relied on a homegrown authorization system. Developers maintained numerous “if” statements and libraries scattered throughout a monolithic Ruby application. Any changes had to be coded by developers, limiting the company’s ability to scale upmarket.

 Our old authorization model was bottom-up, with each entity hardcoded for visibility and edit rights, but once you get to enterprise-scale data, that approach becomes nearly impossible to maintain.

- Martin Masarik, Senior Engineering Manager, Productboard

Instead of everyone having pre-defined, coarse-grained access, organizations began requiring custom roles with distinct sets of permissions and field-level access controls for more nuanced governance. For instance, certain roles might be allowed to edit a specific field (e.g., the status of a new feature) while only viewing others (e.g., a user story). This granular approach ensures that enterprise customers can protect sensitive information yet still collaborate across teams and users productively.

A second key shift involved introducing team spaces as the top-level structure for authorization. Rather than manually configuring permissions for individual boards or data objects, Productboard needed a centralized way to propagate access rules from team spaces all the way down using a Relationship-Based Access Control model. This top-down approach helps maintain consistent visibility: when two users open the same board, each sees precisely the same content. By centralizing permissions in a single location—then cascading them to every relevant entity—Productboard achieves strong governance while sparing administrators the headache of constant fine-tuning across hundreds or thousands of boards.

Compounding this complexity was a broader shift in Productboard’s platform architecture—from a monolith to microservices. Rather than stick with workarounds where authorization data and logic were passed between services, developers needed a way to centralize permission data across multiple services. As Masarik notes, “Without a unified service, it would be prohibitively difficult to handle authorization consistently across distributed systems.”

The engineering team realized it needed a centralized, service-based solution that could keep up with the evolving architecture and increasingly sophisticated customer demands. The search for a solution started in 2023. 

Millions of Data Points, Zero Failures

Productboard initially considered creating its own service in-house. However, the scale, performance, and engineering overhead required were daunting—particularly since authorization was not the company’s core business. “We did consider rolling our own authorization service, but it quickly became clear it would be too costly in engineering cycles,” says Masarik.

Instead, the team evaluated several authorization vendors, subjecting each to rigorous performance tests against Productboard’s deeply nested, recursive data model. To make a decision that was right for the business over the longer term, Productboard engineers created a huge data set, reflecting the hundreds of thousands of product teams they expect to be serving in a few years’ time.

We tried to stress-test them with millions of data points in a single tenant. Oso was the only one that handled our load and never dropped a single request or returned a single error. This, plus Oso’s clear maturity and ability to partner closely with us led to our decision to select them as our authorization platform.

- Matúš Koperniech, Staff Engineer, Productboard

Blazing Fast, Rock Solid: Authorization at Enterprise Scale, Powered by Oso

In production, Productboard aimed for an internal goal of keeping authorization overhead below 250ms at p95—a threshold that would have already been acceptable for most use cases. Yet Oso consistently outperforms those expectations. 

We’re below 10ms at p95 and 50ms at p99.9, which is huge—basically negligible in overall request time.

- Martin Masarik, Senior Engineering Manager, Productboard

By deploying to Oso Cloud, Productboard can co-locate its Oso instances next to customer data in the same region, keeping latency low. Additionally, Oso has maintained near-continuous uptime, never dipping below 99.991% over the past year.

Implementing Oso gave Productboard a central source of truth for permissions, allowing microservices to offload authorization queries to Oso Cloud. “Without centralization, consistent authorization across microservices would have been nearly impossible—or so costly it wouldn’t make sense,” says Masarik. The team needed a service that could act as a single point of truth for authorization while remaining performant and reliable under load.

Oso delivered exactly that. Each microservice queries Oso Cloud for authorization policies without duplicating business logic or embedding brittle rules locally. Productboard mirrors relationship data from its distributed services into Oso, which maintains a unified policy service capable of resolving fine-grained access decisions across the system.

“Oso centralizes all those scattered relationships, allowing us to resolve the correct permissions for any user and any scope,” explains Koperniech. This decoupling of authorization logic from application code not only reduces complexity but allows the team to focus on evolving their product authorization model—without getting bogged down in low-level access control infrastructure or building and maintaining a high-performance authorization solution.

Oso enables fine-grained permissions for users across teamspaces and boards.

Tackling the Migration Minefield

Moving between different authorization systems is never trivial, and this was true for Productboard as they planned the migration from their homegrown, hardcoded authorization model to a centralized system.

They had to reconcile the old “bottom-up” approach—where each entity had scattered permission checks—with a new, top-down model where rules could be applied consistently from team spaces down to boards and each user’s data.

The biggest hurdle was maintaining a stable user experience while running two systems in parallel. According to Koperniech, “We completely rethought our product-level authorization rather than mirroring our legacy model. That meant the old and new policies didn’t map one-to-one, creating potential confusion for customers during the switchover.” Planning the transition meticulously saved the team from having to constantly patch issues between the two systems. Oso’s expertise proved invaluable through the entire migration process. 

Beyond providing a performant service, the Oso team partnered closely with Productboard’s engineers, offering domain expertise on structuring authorization rules in ways that maximized speed, minimized duplication, and simplified the migration process. This tight collaboration allowed Productboard to execute a complex migration with fewer detours, getting to a stable, centralized authorization architecture far faster than it could have on its own.

Oso are the experts in this and working with them massively de-risked and accelerated this complex and critical project.

- Martin Masarik, Senior Engineering Manager, Productboard

The Fast Track to Secure, Agentic AI

Establishing a solid authorization foundation has paid dividends as Productboard begins enriching its services with AI. The reality today across the industry is that most AI apps never make it to production—data security and privacy concerns stop many cold. That makes a robust, flexible authorization architecture not just important, but essential.

We’re working on agentic workflows and we have to ensure that our AI engine provides access only to the data each user is allowed to see. Being able to use Oso to enforce authorization has been huge for how quickly we can bring new AI services reliably and securely to the market.

- Matúš Koperniech, Staff Engineer, Productboard

Productboard Pulse is an AI-powered voice of customer (VoC) platform that centralizes customer feedback from multiple sources—such as support tickets, CRM, surveys, and product analytics—and surfaces cross-product trends. It enables teams to explore insights through interactive dashboards and generate shareable reports by prompting AI with natural language questions.

Productboard Pulse relies on a retrieval-augmented generation (RAG) architecture, in which data from the customer feedback sources is added to users’ prompts to provide additional context to the LLM. The data is converted to vectors that are stored in an embeddings database. When a user submits a prompt, Productboard Pulse uses these embeddings to search for data that is most relevant to a user’s prompt. Oso then determines which data objects that user is allowed to view. This authorization information is used by Productboard Pulse to confine the results of its context search to only the data that the user is allowed to see. It is this authorized set of data that is ultimately provided as context to the LLM that powers the agent. 

“We have implemented a permission client that provides an abstraction over Oso. The client filters data for the AI engine, ensuring only valid information is retrieved for each user,” says Masarik. 
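
The cascading ReBAC model and the RAG filtering step described above, as an added example that is not Productboard's or Oso's code: a local stand-in for a permission client (it does not call Oso Cloud) resolves a permission by walking from a resource up to its team space, then confines ranked search hits to what the user may view. All names, roles, and data are constructed assumptions.

```python
# Constructed sample data; names and roles are hypothetical, not Productboard's.
PARENT = {  # child resource -> parent (notes sit on boards, boards in team spaces)
    "board:roadmap": "space:payments",
    "board:research": "space:growth",
    "note:101": "board:roadmap",
    "note:102": "board:research",
    "note:103": "board:roadmap",
}
ROLE_PERMS = {  # custom roles -> permissions, including field-level edit rights
    "viewer": {"view"},
    "status_editor": {"view", "edit:status"},
}
ROLE_ON = {("alice", "space:payments"): "status_editor",
           ("bob", "space:growth"): "viewer"}


def allowed(user, permission, resource):
    """Walk up the parent chain; a role on any ancestor grants its permissions."""
    seen = set()
    while resource is not None and resource not in seen:
        seen.add(resource)  # guard against cyclic relationship data
        role = ROLE_ON.get((user, resource))
        if role and permission in ROLE_PERMS.get(role, ()):
            return True
        resource = PARENT.get(resource)
    return False  # fail closed: unknown users, resources, or roles get nothing


def authorized_context(user, hits, k=2):
    """Filter ranked (resource_id, score) hits to viewable ones, then take top k."""
    ranked = sorted(hits, key=lambda h: h[1], reverse=True)
    visible = [h for h in ranked if allowed(user, "view", h[0])]
    return [rid for rid, _ in visible[:k]]  # truncate only after filtering


# Constructed similarity-search results for one prompt.
HITS = [("note:102", 0.93), ("note:101", 0.88), ("note:999", 0.85), ("note:103", 0.71)]

if __name__ == "__main__":
    print(authorized_context("alice", HITS))
    print(allowed("alice", "edit:status", "note:101"))
```

Filtering before truncating to the top k matters: cutting to k first would let hits the user cannot see crowd out authorized ones and shrink the context handed to the LLM.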

Without Oso, Productboard would have faced months of extra development to replicate its fine-grained access controls within AI workflows—or more likely would have had to restrict data usage, limiting the solution’s usefulness.

Oso made building Productboard Pulse much faster, since every API can just call Oso to figure out what’s allowed, no matter where the data resides. By building on top of a proven authorization foundation, we’ve avoided the biggest hurdles derailing AI efforts in many companies.

- Matúš Koperniech, Staff Engineer, Productboard

Data flow within a typical RAG architecture in an agentic AI app

Results with Oso: Enterprise and AI Ready Years Faster

By migrating to Oso, Productboard has quickly unlocked capabilities demanded by large enterprises. This includes custom roles, granular permissions, and field-level access implemented with ReBAC across a complex, deeply nested data model. “We took a really complex problem off our developers’ plates,” says Masarik. “That freed us to focus on new features and AI workflows with user-scoped context rather than reinventing authorization infrastructure.”

Oso’s flexibility has also unlocked new revenue opportunities. Productboard can tailor permissions to meet the stricter governance demands of large organizations. “More granular control can translate into premium tiers or specific upsells,” Masarik notes. “Oso enables that without heavy engineering lift.”

Most critical for company growth, the improved authorization system has helped Productboard engage the enterprise market sooner than it might have otherwise. 

Delivering these features in-house would have delayed enterprise readiness by years. Oso saved us a major engineering burden, getting us into new markets 2-3x faster.

- Martin Masarik, Senior Engineering Manager, Productboard

Key Learnings and Getting Started

Productboard’s journey highlights the value of collaborating with a specialized authorization partner. Oso has worked with Productboard to:

  1. Manage a complex migration of authorization systems.
  2. Rearchitect its platform from a monolith to microservices.
  3. Deploy its first agentic and generative AI apps.

Oso’s service has helped Productboard keep its team lean, its performance high, and its customers secure. 

Organizations evaluating modern authorization strategies can learn from Productboard’s experience: invest early in a solid migration plan, leverage specialized expertise, and free your team to focus on the product innovations that matter most.

To help engineering teams overcome some of the biggest hurdles in AI, Oso has created a reference architecture and repo demonstrating how to build an authorized AI app. Take a look, and if you want to learn more, book a meeting with an Oso engineer.

At a glance

Industry: Technology
Use Case: Product Management SaaS Platform
Region: Global

CHALLENGE

  • Hardcoded, bottom-up authorization model couldn’t scale to meet enterprise requirements for custom roles, granular permissions, fine-grained authorization, and field-level access controls
  • Migrating from a monolith to microservices made consistent, distributed permissions unmanageable
  • AI initiatives required deterministic, dependable, and secure, fine-grained access controls across multiple data sources before they could be released to production

SOLUTION

  • Adopt Oso as a centralized authorization platform to replace legacy logic
  • Implement relationship-based access control (ReBAC) across team spaces, boards, and fields
  • Partner with Oso for expert support through migration, policy design, and AI integration

RESULTS

  • Accelerate enterprise readiness by 2–3 years by eliminating the need to build and maintain complex authorization infrastructure in-house
  • Enable faster delivery of secure, agentic AI applications by giving developers a centralized, reusable foundation for enforcing permissions
  • Unlock new revenue opportunities and product differentiation through customizable, fine-grained access controls tailored to enterprise needs
