Tenant Isolation¶
Executive Summary¶
Tenant Isolation defines the specific architecture rules that prevent one customer organization from accessing another customer's users, data, documents, events, AI memory, analytics, integrations, or audit records.
Why This Exists¶
Tenant isolation is the foundation of Algosure's enterprise trust model. Every system boundary must assume cross-tenant exposure is a critical security failure.
Owner¶
The owner is the Chief Product Officer and Enterprise Architect.
Business Value¶
Tenant isolation protects confidential procurement data, compliance evidence, bid documents, commercial funding information, user identities, and AI context.
Isolation Model¶
flowchart TB
TenantA[Tenant A]
TenantB[Tenant B]
subgraph Controls["Isolation Controls"]
API[API Tenant Resolution]
Authz[Authorization]
Row[Row-Level Tenant Filtering]
Docs[Document Access Control]
Events[Event Tenant Metadata]
AI[AIOS Memory Isolation]
Audit[Audit Separation]
end
TenantA --> Controls
TenantB --> Controls
Isolation Controls¶
| Control | Requirement |
|---|---|
| API tenant resolution | Tenant must be resolved server-side before business work. |
| Organization validation | Organization context must belong to the resolved tenant. |
| Row-level tenant filtering | Repository and query boundaries must enforce tenant filters for tenant-owned records. |
| Document access control | Documents require tenant metadata, organization context, classification, and permission checks. |
| Event tenant metadata | Events must include tenant and organization context where applicable. |
| Search and analytics isolation | Search indexes and analytics projections must preserve tenant boundaries. |
| Vector memory isolation | Semantic memory and embeddings must be tenant-scoped and source-attributed. |
| Integration isolation | External credentials, provider links, webhooks, and imported data are tenant-bound. |
| Audit isolation | Audit records must identify tenant context and prevent unauthorized cross-tenant review. |
Data Access Rules¶
| Rule | Requirement |
|---|---|
| No tenant-less customer records | Customer data must not be stored without tenant context unless explicitly classified as platform-wide reference data. |
| No client-controlled isolation | Client-supplied tenant IDs are validated, not trusted. |
| No cross-tenant joins by default | Cross-tenant operational queries are prohibited unless explicitly governed for platform administration or analytics. |
| No shared document buckets without metadata controls | Object storage must enforce tenant-scoped metadata and access checks. |
| No shared AI memory | AIOS memory cannot mix tenant context unless data is explicitly approved and anonymized for cross-tenant learning. |
Administrative Access¶
Platform administration access is exceptional and must be least-privilege, MFA-protected, policy-governed, and fully audited.
Non-Implementation Boundary¶
This document does not define PostgreSQL RLS policy syntax, schema design, object storage ACLs, search index design, or vector store implementation.