Internal Tools · Ann Arbor

Your Ann Arbor startup hired 18 engineers in a quarter and a Google Sheet decides who gets prod access

The short answer

Custom internal tools for an Ann Arbor startup run $40,000 to $120,000 over 3 to 6 months. Retool, Airtable, and spreadsheets get you through year one. They break when you hire in waves, because none of them enforce real access control. The moment a Google Sheet is the source of truth for who can touch production, an autonomy-tech or biotech startup has a security and compliance problem, not a tooling problem. A custom internal tool ties onboarding, offboarding, and least-privilege access to one system that an auditor will accept.

This is the exact wall Ann Arbor startups hit: you scaled from 12 to 60 people in three quarters off campus hiring and a Series A, and the onboarding checklist is still a spreadsheet a founder set up in year one. A new ML engineer gets added to Slack, GitHub, the AV data lake, and AWS by whoever remembers, and there's no record of who has access to the vehicle-log data or the patient-derived biotech samples. Offboarding is worse: people leave and their keys live on.

Retool will let you build a slick admin panel, but it doesn't model roles, approval chains, or an audit trail of access grants. Airtable holds the list but enforces nothing. When a customer's security review or a SOC 2 audit asks 'show me who provisioned this person and who approved it,' the spreadsheet has no answer, and you spend a week reconstructing access history from memory and Slack scrollback.

$40k+
typical entry cost for an access-aware internal tool
3 to 6 mo
realistic timeline to production
12 to 60
headcount jump that breaks the spreadsheet
SOC 2
the audit the spreadsheet can't pass

Why the usual tools struggle in Ann Arbor

  • Onboarding and access grants live in a spreadsheet nobody can audit, so least-privilege is aspirational
  • Hiring in waves means provisioning gets done by whoever's free, with no approval chain or record
  • Offboarding misses systems, leaving ex-employees with live access to AV data or biotech IP
  • A customer security review or SOC 2 audit has no clean access-history trail to show

What a custom internal tools build changes

You go custom when access control becomes a compliance liability, not a convenience. A build for an Ann Arbor startup wires onboarding, role-based provisioning, approval workflows, and offboarding into one tool with a full audit trail. It's the difference between answering a security review in an hour and losing a deal because you can't prove who touched the data.

The features that matter for Ann Arbor

What to build in
+Role-based access control with templated provisioning per job function
+Approval workflows that route access requests to the right owner before granting
+Automated offboarding that revokes access across all connected systems in one action
+Full audit log of grants, approvals, and revocations exportable for SOC 2 evidence
+Onboarding checklists tied to actual provisioning so a hire isn't 'done' until access is correct
+Integrations to Slack, GitHub, AWS, and your identity provider so the tool is the source of truth

Internal Tools services we deliver in Ann Arbor

Digital Heroes builds the full internal tools stack for Ann Arbor teams. Typical engagements cover workflow automation, back-office software, operations tooling, approval workflows and internal portal.

Build custom when
  • You're hiring in waves and provisioning has no consistent owner or record
  • A SOC 2 audit or enterprise security review is on your roadmap in the next year
  • Your data is sensitive (AV logs, biotech IP) and least-privilege is currently honor-system
  • Offboarding has already left live credentials behind at least once
Buy or configure when
  • You're under 20 people and a spreadsheet plus discipline still works
  • Off-the-shelf IT tools like Okta or BetterCloud already cover provisioning for you
  • You have no compliance pressure and no especially sensitive data
  • You can't dedicate an owner to maintain an internal tool

Internal Tools pricing in Ann Arbor: the real numbers

Project scopeTypical costTimeline
Onboarding and access tool with audit trail$40k to $70k3 to 4 months
Full provisioning hub with approvals and SaaS integrations$80k to $120k5 to 6 months
Access-audit layer over existing Okta or Google Workspace$30k to $55k2 to 3 months
Cost by project scopeCost by project scopeOnboarding and access tool with audit trail$40k to $70kFull provisioning hub with approvals and SaaS integrations$80k to $120kAccess-audit layer over existing Okta or Google Workspace$30k to $55k
Typical project cost bands. Source: Digital Heroes 2026 delivery benchmarks.
What drives the price up mostWhat drives the price up mostRole-based access and approval workflow engineSaaS and identity-provider integrationsAudit-trail and SOC 2 evidence reportingOffboarding automation across systems
What pushes the price up most, relative impact.

From kickoff to launch: the schedule

Delivery timeline by phaseDelivery timeline by phaseDiscovery2 wkDesign2 wkBuild6 wkTest2 wkLaunch1 wk
Indicative delivery timeline by phase.
Ready to price this for your Ann Arbor team?
A 30-minute call gets you a named team, fixed scope and a real quote within 48 hours.
Talk to Digital Heroes

Exactly what you get

An internal hub that knows exactly who can touch what, why, and on whose approval. Concretely: role-based provisioning, approval workflows, one-action offboarding, and an audit log built for SOC 2 evidence, wired into Slack, GitHub, AWS, and your identity provider. You also get source code and documentation of your access policy. What you don't get is a spreadsheet that says someone was onboarded while three systems quietly still have their key after they leave. This tool usually grows alongside your HR (Human Resources) software and custom internal dashboards.

How to choose a developer in Ann Arbor

Find a team that asks about your offboarding gaps in the first call. If they show you a UI before they ask about approval chains and audit trails, they're building a viewer, not an access system. Ask for a reference that shipped under SOC 2 or an enterprise security review. A strong partner will tell you when an audit layer over your existing Okta beats a from-scratch tool, and will connect provisioning to your HR software so a new hire's access follows their employment record.

The benefits
  • Role-based provisioning with approval chains, so access is granted by policy, not by whoever's around
  • Automatic offboarding that revokes every system at once, ending the orphaned-credential problem
  • A complete audit trail of who got access, when, and who approved, ready for SOC 2 or a customer review
  • One internal hub replacing the onboarding spreadsheet, the access list, and the tribal knowledge
  • Least-privilege enforced by default, which matters when the data is vehicle logs or patient-derived samples
The trade-offs
  • Internal tools compete with feature work for engineering attention, so you must protect the budget
  • A custom access system needs an owner; an unmaintained provisioning tool becomes its own risk
  • You forgo Retool's speed of iteration for tools that genuinely need to change weekly
  • Integrations to every SaaS you use (Slack, GitHub, AWS, Okta) add scope and ongoing upkeep
Red flags when hiring (and what to ask instead)
  • !They pitch a pretty Retool dashboard without asking about audit trails; ask how access history is logged
  • !They've never built provisioning under SOC 2; ask for a reference with compliance requirements
  • !No plan for offboarding; ask how revocation works across every connected system
  • !They skip approval workflows; ask who authorizes a prod-access grant in their design
  • !They quote a 2-week build; ask what role-based access control with an audit log actually takes

If internal tools is on the roadmap, custom software, wordpress, accounting usually follow within the year. Budget them as one conversation.

Rohan Malhotra · Enterprise Software Consultant

Rohan advises mid-market and enterprise teams on ERP, CRM and custom software, and has led delivery on dozens of business-software builds.

Writes for Digital Heroes, shipping business software for 2,000+ brands across 55+ countries since 2017.

FAQ

Frequently asked questions

Can't Retool plus Airtable solve our onboarding?

For the checklist, yes. For access control, no. Retool builds the interface and Airtable holds the list, but neither enforces roles, routes approvals, or logs an audit trail an auditor will accept. The gap is enforcement and evidence, which is exactly what a security review demands and what spreadsheets can't supply.

How long before a custom Ann Arbor internal tool pays for itself?

Often inside a year once you factor in the enterprise deals that stall on security reviews. If a single customer contract is gated on proving access controls, the tool that unblocks it pays for itself in one signature, before counting the engineering time saved on manual provisioning.

Isn't this just buying an identity provider like Okta?

Okta covers authentication and some provisioning, and you should use it. The custom layer is the approval workflows, the onboarding-to-access tie, and the audit reporting shaped to your data sensitivity. Many Ann Arbor startups run a thin custom tool on top of Okta rather than replacing it, which is the cheaper path.

Keep reading