diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 69b20db5..e95b6364 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -7,6 +7,8 @@ class UsersController < ApplicationController
   authorize_resource :user, only: %i[new create]
 
   def index
+    authorize!(:manage, current_account)
+
     @users =
       if params[:status] == 'archived'
         @users.archived.where.not(role: 'integration')
diff --git a/app/views/start_form/_wabosign_logo.html.erb b/app/views/start_form/_wabosign_logo.html.erb
new file mode 100644
index 00000000..f65f6686
--- /dev/null
+++ b/app/views/start_form/_wabosign_logo.html.erb
@@ -0,0 +1,6 @@
+<a href="/" class="flex justify-center items-center">
+  <span class="mr-3">
+    <%= render 'shared/logo', width: '50px', height: '50px' %>
+  </span>
+  <h1 class="text-5xl font-bold text-center">WaboSign</h1>
+</a>
diff --git a/app/views/submit_form/_wabosign_logo.html.erb b/app/views/submit_form/_wabosign_logo.html.erb
new file mode 100644
index 00000000..c633f860
--- /dev/null
+++ b/app/views/submit_form/_wabosign_logo.html.erb
@@ -0,0 +1,4 @@
+<a href="<%= root_path %>" class="mx-auto text-2xl md:text-3xl font-bold items-center flex space-x-3">
+  <%= render 'shared/logo', class: 'w-9 h-9 md:w-12 md:h-12' %>
+  <span><%= Wabosign.product_name %></span>
+</a>
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index efa97448..c51bee29 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -334,6 +334,25 @@ Devise.setup do |config|
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
 
+  # NB: Wabosign-the-module relies on Rails.root, which isn't available yet
+  # when this initializer runs. Read ENV directly here so the omniauth strategy
+  # can be registered at boot. Controllers/models access the same values via
+  # Wabosign::GOOGLE_* once Rails is fully initialized.
+  google_client_id = ENV.fetch('GOOGLE_CLIENT_ID', nil)
+  google_client_secret = ENV.fetch('GOOGLE_CLIENT_SECRET', nil)
+  if google_client_id.present? && google_client_secret.present?
+    config.omniauth :google_oauth2,
+                    google_client_id,
+                    google_client_secret,
+                    {
+                      scope: 'email,profile',
+                      prompt: 'select_account',
+                      access_type: 'online',
+                      hd: ENV.fetch('GOOGLE_ALLOWED_DOMAINS', '')
+                              .split(',').map(&:strip).reject(&:empty?).presence
+                    }
+  end
+
   ActiveSupport.run_load_hooks(:devise_config, config)
 end
 # rubocop:enable Metrics/BlockLength