Enterprise Linear: What Breaks and What Doesn't

You got Linear deployed for your dev team because Jira makes everyone want to quit. Good choice. Now your CISO wants to know if it'll survive an audit without setting the company on fire.

The answer is: mostly yes, with some annoying caveats. Linear has SOC 2 and the other compliance theater your legal team obsesses over, but there are enough weird edge cases to keep you debugging for a few weeks. At least it's not Jira's permission nightmare where creating a ticket requires a PhD in Active Directory.

Compliance Framework: What Linear Actually Covers

SOC 2 Type II - yeah, they have it. It's real, not some made-up certificate. Your procurement team can stop asking about it. You can grab the report if you want to read 200 pages of audit findings.

GDPR stuff - if you're in Europe, pick EU when creating the workspace or you're screwed forever. Can't change it later, which is stupid but that's how it works. Your data stays in whatever region you pick.

HIPAA - need the Enterprise plan plus legal paperwork that took our lawyers a month to review. Can't just check a box and be compliant, you actually have to configure teams and access properly.

What Linear Doesn't Have

No FedRAMP - if you work for the government, look elsewhere. No ISO 27001 either, though honestly SOC 2 covers most of the same ground. And definitely don't try to use Linear for payment stuff - no PCI compliance.

Linear Security Architecture

SAML Setup: The Gotchas Nobody Tells You

SAML works with Okta, OneLogin, Auth0, Azure AD - the usual suspects. Takes maybe 2 hours to set up if nothing breaks.

Here's the fun part: domain claiming. You have to prove you own your domain, and then EVERYONE with that domain gets forced into SAML. Can't mix auth methods. We found this out when contractors got locked out because their @company.com emails suddenly required SAML they didn't have access to.

JIT provisioning creates accounts automatically when people log in, but you still have to manually assign them to teams. No automatic team mapping because that would be too convenient.

SCIM: Works If Your Org Chart Isn't Insane

SCIM handles the basic stuff - creating and deleting users when they join/leave. But if your company has any complexity beyond "person reports to one boss," you're gonna have a bad time.

Group mapping? Manual. Custom attributes? Nope. Nested groups? Not a chance.

If you have a normal company structure, SCIM takes maybe 3 days to set up. If some consultant convinced your CEO that matrix organizations are the future and Sarah reports to both Engineering AND Product, budget 2 weeks plus therapy.

I spent a week trying to make SCIM work with our slightly weird AD setup. Linear support's response was basically "yeah, we know it's broken for that use case, deal with it."

Permissions: Simple to the Point of Pain

Linear has three permission levels: Admin, Member, Guest. That's it. No fancy role-based nonsense like Jira where you need a flowchart to figure out who can edit what.

Private teams keep stuff locked down at the team level - everything in that team is private, can't mix public and private within a team.

Guest accounts can see teams you add them to, and that's about it. But once they're in a team, they can do almost everything a regular member can. No granular controls for guests.

This works great until your CISO asks why you can't prevent the marketing team from deleting engineering tickets. Answer: you can't, unless you put them in separate teams.

Encryption: The Basics That Work

TLS 1.2 for everything in transit. No way to downgrade, which is good for security but might break your ancient internal tools.

AES 256 for data at rest - standard stuff. Linear manages all the encryption keys, you don't get to bring your own. This pisses off some security teams who want control over everything, but honestly it's one less thing to screw up.

Data Residency: Pick Once, Stuck Forever

You get to choose US or EU when creating the workspace. Choose wrong and you're fucked - can't change it later.

If your team is split between regions, expect some lag for the people far from your chosen data center. 100-300ms isn't much, but it's enough to drive people crazy during real-time collaboration.

Some integrations work better when hosted in the US because that's where most third-party services live. EU hosting might make your GitHub Actions a bit slower.

Audit Logs: Three Months and You're Done

Linear tracks the usual security stuff for 3 whole months. Authentication, config changes, API usage, app installs, data exports.

The 3-month retention is a bad joke. If your compliance team wants longer retention, you better export those logs yourself because Linear isn't keeping them around.

No SIEM integration, limited search, and no tracking of actual content changes. When someone asks "who edited this ticket last year," the answer is "lol, we don't know."
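One way to do the "export those logs yourself" part so the archive is still usable as evidence later: an added example (not Linear's code) that appends exported entries to a hash-chained JSONL archive and can verify it. `fetch_page`, the cursor values and the entry fields (`id`, `createdAt`, `type`, `actor`) are hypothetical stand-ins for whatever export path you use; the sample pages are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for an empty archive

# Constructed sample: two pages, newest first, with one overlapping entry.
SAMPLE_PAGES = {
    None: ([{"id": "e3", "createdAt": "2025-01-02T10:05:00Z", "type": "apiKeyCreated", "actor": "bob@example.com"},
            {"id": "e2", "createdAt": "2025-01-02T10:01:00Z", "type": "dataExport", "actor": "alice@example.com"}], "c2"),
    "c2": ([{"id": "e2", "createdAt": "2025-01-02T10:01:00Z", "type": "dataExport", "actor": "alice@example.com"},
            {"id": "e1", "createdAt": "2025-01-02T09:58:00Z", "type": "login", "actor": "alice@example.com"}], None),
}


def sample_fetch(cursor):
    """Hypothetical page fetcher: returns (entries, next_cursor or None)."""
    return SAMPLE_PAGES[cursor]


def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always hashes to the same value.
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + blob).encode("utf-8")).hexdigest()


def archive_entries(fetch_page, archive_lines):
    """Append entries not yet archived to archive_lines; return how many were added."""
    seen, prev = set(), GENESIS
    for line in archive_lines:            # replay the archive to find the chain head
        rec = json.loads(line)
        seen.add(rec["entry"]["id"])
        prev = rec["hash"]

    fresh, cursor = [], None
    while True:                           # walk every page of the export
        entries, cursor = fetch_page(cursor)
        fresh.extend(e for e in entries if e["id"] not in seen)
        if cursor is None:
            break

    added = 0
    # Oldest first, so chain order matches event order.
    for entry in sorted(fresh, key=lambda e: (e["createdAt"], e["id"])):
        if entry["id"] in seen:           # duplicate across overlapping pages
            continue
        seen.add(entry["id"])
        digest = _digest(prev, entry)
        archive_lines.append(json.dumps({"prev": prev, "hash": digest, "entry": entry}, sort_keys=True))
        prev = digest
        added += 1
    return added


def verify_chain(archive_lines):
    """True if no archived record was edited, dropped from the middle or reordered."""
    prev = GENESIS
    for line in archive_lines:
        rec = json.loads(line)
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    lines = []
    print(archive_entries(sample_fetch, lines), verify_chain(lines))
```

The chain only proves integrity if the latest hash is also recorded somewhere the archive's writer cannot change, and truncation from the end is detected only by comparing against that stored head.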

Status monitoring exists at linearstatus.com but don't expect deep performance metrics or anything useful for capacity planning.

Network Stuff and Other Fun

No on-premises option - Linear is cloud or nothing. If you need air-gapped deployment, go find another tool.

IP allowlisting exists if you want to lock down access to office networks. Good luck with that when everyone works from home and the CEO wants to check tickets from Starbucks.

Works through most corporate VPNs, though overly aggressive proxies might break real-time features. Your security team's paranoid firewall rules might be a problem.

Integrations Need Admin Approval

All third-party apps need admin approval before teams can use them. Slows things down when your devs want to connect some new tool, but keeps random apps from sucking up your data.

API keys are managed at the workspace level - no delegation to individual teams. Keys don't expire automatically, so you better remember to rotate them or you'll have stale API keys floating around forever.

OAuth scopes are whatever Linear decided they should be. No custom permissions, so integrations either get more access than they need or don't work at all.

Backup: Export Your Own Shit

Linear backs up their infrastructure but doesn't give you control over it. Data export exists but it's janky - CSV/JSON that loses relationships, comment threading, attachments, and workflow configs.

No published RTO/RPO numbers because Linear doesn't want to commit to anything specific. If you need real backup guarantees, plan to build your own using their API.

What This Actually Costs

Enterprise plan pricing is "call for quote" which means prepare to get fleeced. Expect $15-25 per user per month, way more than the $8 Business plan.

Hidden costs that nobody mentions:

  • Your time setting up SAML/SCIM (1-3 days if you're lucky)
  • Legal team reviewing the HIPAA BAA (2-4 weeks because lawyers)
  • Security reviewing every integration your team wants
  • Participating in audit meetings (yes, you have to talk to auditors)

Compared to the alternatives:

  • Jira Enterprise: $15-20/user but you'll want to quit after using it
  • Asana Enterprise: $25-30/user for pretty interfaces your devs will hate
  • Azure DevOps: $6-8/user if you can stomach Microsoft's documentation

Bottom line: Linear works well enough for teams that want to ship code without drowning in enterprise security theater. It's not going to make your CISO orgasm with joy, but it won't get you fired either.

How Linear Actually Compares to Enterprise Tools

| Security Feature | Linear Enterprise | Jira Enterprise | Azure DevOps | Asana Enterprise | GitHub Enterprise |
| --- | --- | --- | --- | --- | --- |
| Compliance Certifications | SOC 2 Type II, GDPR, HIPAA (with BAA) | SOC 2, GDPR, HIPAA, ISO 27001, FedRAMP | SOC 2, GDPR, ISO 27001, FedRAMP | SOC 2, GDPR, HIPAA | SOC 2, GDPR, HIPAA, FedRAMP |
| SAML SSO Support | ✅ Okta, OneLogin, Auth0, Azure AD | ✅ 50+ identity providers | ✅ Azure AD native, others via config | ✅ Major providers supported | ✅ Enterprise-grade SAML |
| SCIM Provisioning | ✅ Basic user lifecycle | ✅ Advanced group mapping | ✅ Azure AD integration | ✅ Full attribute sync | ✅ Advanced provisioning |
| Multi-Factor Authentication | ✅ Via identity provider | ✅ Built-in + provider-based | ✅ Azure MFA integration | ✅ Built-in MFA options | ✅ Multiple methods |
| Audit Logs Retention | 3 months (lol) | 6-24 months | 90 days - 2 years | 12 months | 90 days - 7 years |
| Data Encryption | Standard TLS/AES | Standard + managed keys | Standard stuff | Standard stuff | Standard + managed keys |
| Data Residency | US or EU (pick once) | Multiple regions | Global regions | US, EU, Australia | Global regions |
| IP Allowlisting | | | | | |
| Role-Based Access Control | 3 roles total | Complex nightmare | Granular hell | Decent roles | Fine-grained |
| API Rate Limiting | 1,500/hour per user | Complicated tiers | Depends on service | 1,500/hour | 5,000/hour |
| Third-Party App Controls | Admin approval only | Granular permissions | Marketplace rules | Admin controls | Advanced policies |
| Vulnerability Disclosure | Has a program | Bug bounty | Microsoft handles it | HackerOne | GitHub bounty |
| Backup & Recovery | Auto (no control) | You manage it | Azure backup | Auto + exports | Multiple options |
| On-Premises Option | ❌ Cloud only | | | ❌ Cloud only | |
| Custom Encryption Keys | | | | | |
| Zero-Trust Architecture | Basic | Advanced | Azure AD | Limited | Advanced |

The Stuff That Actually Breaks in Production

You convinced procurement to buy Linear. Congrats. Now you have to actually deploy it without getting fired when the security audit happens.

Multiple Workspaces = Multiple Headaches

Need separate workspaces for different business units? Prepare for pain. Each workspace needs its own SAML config, its own audit logs, its own everything. Linear's "simple" approach falls apart fast when legal wants data isolation.

Your Options for Workspace Hell

Complete isolation - separate everything, no shared users. Works for compliance but means managing multiple identity setups. Good luck explaining to your CEO why they need 5 different Linear accounts.

Hub and spoke - one central workspace for executives, separate ones for teams. Sounds smart until you realize people need access to multiple workspaces and now everyone has 3 Linear accounts.

Federated access - try to share SSO across workspaces. Works sometimes, breaks in weird ways when people change teams or contractors need temporary access.

Data Classification: DIY Edition

Linear has no built-in data classification, so you get to make up your own system. Public teams for safe stuff, private teams for confidential, separate workspaces for the really secret shit.

You'll end up with naming conventions like:

  • [INTERNAL] prefixes on everything
  • Team names like Security-Confidential
  • Project labels that nobody uses consistently

Works fine for small companies, becomes a clusterfuck at scale when people forget to use your naming scheme.

API Security: The Ways It Can Go Wrong

Linear's GraphQL API is decent but easy to fuck up. API keys don't expire automatically so you better remember to rotate them, or you'll have stale keys floating around forever.

Rate limiting is 1,500 requests/hour per user, which is stupid for enterprise deployments. Your CI/CD pipeline will hit this limit constantly unless you spread API calls across multiple service accounts.
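A client-side budget for the per-user limit, as an added example (not Linear's code): it tracks a sliding one-hour window per service account, hands out the account with the most headroom, and tells the caller how long to queue when every account is at its cap. The account names are hypothetical, and the 1,500/hour figure is the one quoted above.

```python
import collections
import time

LIMIT_PER_HOUR = 1500   # per-user figure quoted in the article
WINDOW_SECONDS = 3600.0


class AccountPool:
    """Sliding-window request budget across several service accounts."""

    def __init__(self, accounts, limit=LIMIT_PER_HOUR, clock=time.monotonic):
        if limit < 1 or not accounts:
            raise ValueError("need at least one account and a positive limit")
        self._sent = {name: collections.deque() for name in accounts}
        self._limit = limit
        self._clock = clock  # injectable so the logic can be tested without sleeping

    @staticmethod
    def _expire(sent, now):
        # Drop timestamps that have aged out of the one-hour window.
        while sent and now - sent[0] >= WINDOW_SECONDS:
            sent.popleft()

    def remaining(self, name):
        sent = self._sent[name]
        self._expire(sent, self._clock())
        return self._limit - len(sent)

    def acquire(self):
        """Return (account, 0.0) and record one request, or (None, seconds_to_wait)."""
        now = self._clock()
        for sent in self._sent.values():
            self._expire(sent, now)
        # Prefer the account with the most headroom so load stays even.
        name = max(self._sent, key=lambda n: self._limit - len(self._sent[n]))
        sent = self._sent[name]
        if len(sent) < self._limit:
            sent.append(now)
            return name, 0.0
        # Everything is at its cap: the next slot opens when the oldest
        # recorded request in any window ages out.
        wait = min(q[0] + WINDOW_SECONDS - now for q in self._sent.values())
        return None, wait


if __name__ == "__main__":
    pool = AccountPool(["ci-a", "ci-b"])  # hypothetical service account names
    print(pool.acquire(), pool.remaining("ci-a"))
```

Every extra service account is another non-expiring API key to inventory and rotate, so keep the pool as small as the pipeline allows.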

Webhook signatures exist but aren't enabled by default. Enable them unless you want random people hitting your endpoints. The signature validation is standard HMAC stuff if you know what you're doing.
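The "standard HMAC stuff" spelled out as a receiver-side check, as an added example rather than Linear's own code. It assumes the signature arrives as a hex HMAC-SHA256 of the raw request body (in a header such as `Linear-Signature`) and that the payload carries a millisecond `webhookTimestamp` field; confirm both against Linear's current webhook documentation. The secret and body below are constructed.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 60  # assumption: refuse deliveries more than a minute old

# Constructed sample values for the demo and tests.
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"action":"create","type":"Issue","webhookTimestamp":1700000000000}'


def expected_signature(secret, raw_body):
    """Hex HMAC-SHA256 over the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret, raw_body, signature_hex, now=None):
    """Return the parsed payload, or raise ValueError if it must be rejected.

    raw_body has to be the unmodified request body: verifying a re-serialised
    JSON object fails on whitespace or key-order differences.
    """
    presented = (signature_hex or "").strip().lower().encode("utf-8")
    expected = expected_signature(secret, raw_body).encode("ascii")
    # Constant-time comparison: a plain == can leak how many leading
    # characters of a guessed signature were correct.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")

    # Parse only after the body has been authenticated.
    payload = json.loads(raw_body)
    ts_ms = payload.get("webhookTimestamp")
    if not isinstance(ts_ms, (int, float)):
        raise ValueError("missing timestamp")

    # The timestamp is inside the signed body, so an attacker who replays an
    # old delivery cannot refresh it without breaking the signature.
    now = time.time() if now is None else now
    if abs(now - ts_ms / 1000.0) > MAX_SKEW_SECONDS:
        raise ValueError("stale delivery")
    return payload


if __name__ == "__main__":
    sig = expected_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, sig, now=1700000030.0))
```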

Third-Party Integration Controls

Linear requires admin approval for new integrations, which is basic but better than nothing. No risk scoring, no usage monitoring after approval.

Once approved, integrations get whatever permissions Linear decided they should have. No granular controls, so apps either work with full access or don't work at all.

You'll need your own policies for vetting integrations because Linear just shows you the permissions but doesn't tell you if an app is sketchy or well-maintained.

Custom Integrations: More Ways to Screw Up

Building your own Linear integration? OAuth scopes are predefined and broad - your app gets more access than it probably needs because Linear doesn't do granular permissions.

Use dedicated service accounts instead of personal accounts, unless you enjoy fixing broken integrations every time someone quits.

Watch your error handling - Linear API errors sometimes leak data snippets in error messages. Don't log those directly or you'll expose confidential stuff in your application logs.

When Things Go Wrong

Linear's audit logs are basic and disappear after 3 months. If you need real security monitoring, export the logs yourself because Linear won't keep them around for forensics.

Failed logins show up in your identity provider logs, not Linear. Data exports don't trigger alerts. Basically, you're on your own for detecting when someone's trying to steal your data.

When accounts get compromised:

  • Disable them in your IDP
  • Revoke their API keys
  • Check the audit logs before they disappear
  • Figure out what they accessed (good luck with that)

No point-in-time recovery, so hope you have backups if someone deletes important stuff.

If a third-party integration gets hacked, you'll need to figure out what Linear data they had access to and rotate any shared API keys.

Compliance Paperwork

SOC 2 Stuff

If you're pursuing SOC 2, you'll need to document:

  • How Linear's permissions work
  • Your SAML setup
  • How you remove access when people quit
  • Linear's encryption and data deletion

HIPAA Requirements

HIPAA needs:

  • Enterprise plan + BAA (2-4 weeks for legal review)
  • Private teams for PHI access
  • Longer audit log retention than Linear's pathetic 3 months
  • Breach response procedures

GDPR and International

For GDPR:

  • Sign Linear's DPA
  • Pick EU data residency
  • Set up data export procedures for subject requests
  • Figure out data deletion

Other countries have their own privacy laws that might require additional procedures, but honestly most of them are variations on the same theme.

Performance: Where It Gets Slow

Linear works great for small teams but starts showing its age at enterprise scale.

New users with big workspaces (10k+ issues) wait 2-5 minutes for initial sync. Perfect timing when you're trying to onboard someone during a crisis.

Real-time collaboration gets janky with too many people editing at once. Search slows down when you have 100k+ issues because client-side search hits limits.

Network stuff to watch out for:

  • Initial sync downloads 50-100MB for big workspaces
  • WebSockets required for real-time features (your firewall might block these)
  • Performance sucks in regions without good CDN coverage
  • Mobile apps might need MDM policy tweaks

Bottom Line

Linear's enterprise security is good enough for most companies that want to ship code without drowning in Jira's permission nightmare.

The security basics work - SOC 2, SAML, audit logs (for 3 months). It's not going to satisfy security teams that get off on complexity, but it'll keep you from getting fired during audits.

Trade-offs you're making:

  • Simple permissions vs. granular control
  • Fast deployment vs. enterprise security theater
  • Developer productivity vs. compliance paranoia

You'll need to build some stuff yourself - log archival, workspace planning, backup strategies. Linear's support won't hold your hand through enterprise deployment.

But if you can handle that, you get a project management tool that doesn't make your entire engineering team want to update their LinkedIn profiles.

FAQ: The Shit Your CISO Will Actually Ask

Q: Will Linear pass our security review?
A: Probably. They have SOC 2 Type II, which covers the basics your procurement team cares about. You can get the report to wave at auditors. The scope is more limited than the enterprise monsters - no SIEM integration, no custom encryption keys, but covers enough to not get you fired.

Q: What about GDPR and keeping data in Europe?
A: Pick EU when creating your workspace and your data stays there. Most of it anyway - some metadata still flows through US systems. It's good enough for GDPR compliance but might not satisfy the really paranoid EU organizations who want everything to never leave their continent.

Q: Can we use Linear for HIPAA stuff?
A: Enterprise plan + legal paperwork. The BAA covers the basic PHI handling, but you have to set up private teams and actually monitor access properly. Our lawyers took a month to review the BAA. And Linear's 3-month audit retention is a joke for HIPAA - you'll need to export logs yourself or this won't work.

Q: Will SAML work with our identity provider?
A: Works with the usual suspects - Okta, OneLogin, Auth0, Azure AD. Takes 1-2 days if everything goes smoothly. Here's the gotcha: domain claiming forces EVERYONE with your domain into SAML. Can't mix auth methods. JIT provisioning creates accounts but you still have to manually assign teams. Budget extra time if your domain setup is weird.

Q: What about SCIM provisioning for our complex org structure?
A: If your org chart looks normal, SCIM works fine. If some consultant convinced your CEO that matrix organizations are the future, you're fucked. No nested groups, limited attribute mapping, still have to manually assign teams. SCIM basically creates and deletes users, everything else is up to you to figure out.

Q: What about audit logs for compliance?
A: 3 months of basic audit logs - auth events, config changes, API usage. That's it. No SIEM integration, no fancy filtering, no content change tracking. If compliance wants longer retention, you better export those logs yourself because Linear isn't keeping them.

Q: Can we control what integrations the team installs?
A: Admin approval required for all third-party apps. Basic control, no risk scoring or usage monitoring. Once approved, apps get whatever OAuth scopes Linear decided they should have. No granular controls, so integrations either work or they don't.

Q: What about API rate limits for our integrations?
A: 1,500 requests/hour per user. Genius design - not per org, per user. Your DevOps pipeline will hit this limit constantly. You'll need multiple service accounts or queuing to make it work at scale. No enterprise rate increase because Linear assumes your API usage is perfectly distributed.

Q: What if Linear gets hacked?
A: They'll post on their status page and send emails. No guaranteed response times, no detailed forensics. Enterprise customers don't get special treatment. If this is a critical system, plan for your own incident response instead of relying on Linear.

Q: Can we use Linear for multiple tenants?
A: Each workspace is isolated but needs separate config. No master admin console - every workspace needs its own SAML, SCIM, security setup. Linear is built for single organizations, not multi-tenant scenarios. Operational overhead gets ugly fast.

Q: How do we backup Linear data?
A: Linear handles infrastructure backups but gives you no control. Data export is janky CSV/JSON that loses relationships, attachments, workflow configs. No point-in-time recovery. If you need real backups, build your own using their API.

Q: Can we deploy Linear on-premises?
A: Nope. Cloud-only SaaS. If you need air-gapped or private cloud deployment, find another tool.

Q: What about pricing for large deployments?
A: $15-25/user/month but expect sales theater. No volume discounts because they're not desperate. Professional services will run $10-25k. At large enterprise scale, Azure DevOps starts looking attractive despite Microsoft's documentation hell.

Q: What compliance certifications are they working on?
A: Working on ISO 27001 in 2025, no specific timeline. No plans for FedRAMP - kills it for government contractors. If you need certifications beyond SOC 2/GDPR/HIPAA, Linear's roadmap might not cut it.

Q: Is Linear financially stable enough for enterprise?
A: Well-funded startup with solid backing ($1.25B valuation). Not going out of business tomorrow. But they lack enterprise vendor maturity - basic support tiers, minimal SLAs, limited customer success programs. Consider their growth potential vs. limited enterprise experience.
