Pillar 4
Tenant Isolation
Multi-tenant by design, isolated by enforcement. Every query is tenant-scoped, every export is tenant-specific, and platform operations are separated from customer context.
What you get
- Every query includes WHERE tenant_id = $1 from the authenticated session
- Cross-tenant access returns 404, not 403 — prevents resource enumeration
- Ops portal uses separate staff IAM with capability-based access, not tenant membership
- Audit exports are per-tenant — no cross-tenant bundle exists
- Token suffixes only in exports — share links cannot be reconstructed from audit data
How it works
- 1. Auth resolves tenant
The tenant_id is resolved from the authenticated session by auth middleware — never from user-supplied input.
- 2. Every query is scoped
Every database query in a customer context includes the tenant filter. Cross-tenant rows simply do not exist in the result set.
- 3. Ops operates separately
Staff operations use a distinct IAM system with capability-based access. Impersonation is time-limited, logged, and non-extensible.
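The three steps above, as an added illustration that is not the platform's own code: the tenant is bound from the session, every query carries the tenant filter, and a cross-tenant id yields the same 404 as a nonexistent one. The table, session store and request shape are constructed for the example.

```python
import sqlite3

# Constructed sample data: two tenants sharing one physical table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT)")
conn.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                 [(1, "acme", "Q1 report"), (2, "acme", "Roadmap"), (3, "globex", "Payroll")])

# Constructed session store: session id -> tenant the user authenticated into.
SESSIONS = {"sess-acme": "acme", "sess-globex": "globex"}

class NotFound(Exception):
    """Rendered as HTTP 404 for missing and cross-tenant rows alike."""

def resolve_tenant(session_id):
    """Auth middleware step: tenant_id comes only from the session, never from the request."""
    if session_id not in SESSIONS:
        raise PermissionError("no authenticated session")
    return SESSIONS[session_id]

def list_documents(session_id):
    """Every query in customer context carries the tenant filter bound from the session."""
    tenant_id = resolve_tenant(session_id)
    rows = conn.execute("SELECT id, title FROM documents WHERE tenant_id = ? ORDER BY id",
                        (tenant_id,)).fetchall()
    return [{"id": r[0], "title": r[1]} for r in rows]

def get_document(session_id, request):
    """Fetch one document by id. `request` holds the user-controlled input (path/query
    params); any tenant_id it carries is ignored, the session's tenant is bound instead."""
    tenant_id = resolve_tenant(session_id)
    row = conn.execute("SELECT id, title FROM documents WHERE tenant_id = ? AND id = ?",
                       (tenant_id, request["doc_id"])).fetchone()
    if row is None:
        # Identical outcome whether the id does not exist or belongs to another tenant,
        # so the response does not reveal which ids exist outside the caller's tenant.
        raise NotFound()
    return {"id": row[0], "title": row[1]}

def status_for(session_id, request):
    """Map the lookup outcome to the HTTP status a route handler would return."""
    try:
        get_document(session_id, request)
        return 200
    except NotFound:
        return 404
```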