security

Multi-tenant isolation

One codebase, many companies, zero crosstalk.

Every row in every business table carries a tenant_id. Every query filters by it before leaving the database. Cross-tenant reads are impossible by construction, not by convention.

Row-level tenant scope on every query via a single dependency
Super-admin role is deliberately separate — cannot read tenant data by accident
Cascading delete on tenant removes every trace, no orphan rows
Tested in our integration suite with cross-tenant fuzz calls

How it works

FastAPI dependency `tenant_scope(user)` returns the tenant_id for admins/staff and None for super_admin. Every route uses it in the WHERE clause. A new route without this scope filter is rejected in review.

Start free Sign in

More security features

2FA (TOTP)
The standard second factor, in every account.
OIDC / SAML single sign-on
Corporate accounts signing in via your IdP.
Audit log
Every change, with who + when + what.
Soft-delete + super-admin restore
Mistakes happen. Data does not disappear.