Tenant Isolation
Tenant isolation is the set of controls used to keep each customer organisation’s users, workspace context and data separated from other customers on the Nairo platform.
This page describes the current tenant isolation model at a high level.
For contractual or deployment-specific commitments, refer to the applicable agreement, data processing terms and security materials provided by Nairo.
How tenant isolation works
Nairo uses a combination of:
- Workspace URL or slug
- Clerk organisation membership
- Tenant context on API requests
- Backend tenant resolution
- Schema-based tenant data separation
- Workspace-level document and folder access controls
Tenant isolation is not only a frontend routing convention. Tenant context is resolved and applied by backend services before tenant-aware operations are executed.
Tenant identity
Each customer workspace has a tenant identifier, typically reflected in the workspace URL or workspace slug.
When a user accesses a workspace URL, Nairo resolves the intended workspace context. The frontend includes tenant context when calling tenant-aware backend APIs.
The backend then resolves the active tenant before executing tenant-scoped operations.
Authentication and organisation binding
Nairo uses Clerk for authentication and organisation membership.
Each workspace is associated with an organisation context. When a user navigates to a workspace URL, Nairo checks that the authenticated user is operating in the expected organisation context for that workspace.
If the user’s authenticated organisation context does not match the workspace, access is blocked or the user is redirected to authenticate in the correct context.
This reduces the risk of a user authenticated in one organisation accessing another customer’s workspace.
API tenant context
Tenant-aware API requests include workspace context.
The backend resolves tenant context before executing tenant-scoped services. This helps ensure that tenant-aware operations run against the correct customer workspace.
Application routes that require tenant context should not rely only on client-side state. The backend is responsible for resolving and applying tenant context for tenant-aware service execution.
Database separation
Nairo uses schema-based tenant data separation for tenant-aware backend services.
In the current implementation, tenant-aware services use tenant-scoped database access patterns so customer data is separated by tenant schema.
This is different from a dedicated database per customer. Dedicated database or dedicated infrastructure models may be considered separately for specific enterprise deployments, but they are not the default tenant model today.
Platform vs customer workspaces
Platform administration and customer workspace access are treated as separate contexts.
Platform-level functions, such as tenant registry or provisioning operations, are distinct from normal customer workspace operations.
Customer workspace access still depends on authentication, organisation membership, tenant context and relevant permissions.
What tenant isolation covers
| Layer | Current implementation |
|---|---|
| Workspace URL / slug | Identifies the intended customer workspace |
| Authentication | User identity and organisation membership are handled through Clerk |
| Tenant context | Frontend requests include workspace context for tenant-aware APIs |
| Backend resolution | Backend services resolve tenant context before tenant-scoped operations |
| Data separation | Tenant-aware services use schema-based tenant data separation |
| Document access | Library sharing controls document and folder visibility within a workspace |
| Administration | User and permission administration is scoped to the relevant workspace context |
Access within a tenant
Tenant isolation separates one customer workspace from another customer workspace.
It does not mean every user inside the same workspace can access every document or every administrative feature.
Within a workspace:
- Organisation roles control broad user access
- Admin permissions control access to administrative pages
- Library sharing controls access to specific documents and folders
- Product surface access may depend on workspace configuration and enabled permissions
Customer administrators remain responsible for assigning users, managing access and deciding who should see sensitive materials.
What tenant isolation does not guarantee alone
Tenant isolation does not replace:
- Customer-side identity governance
- Internal access policies within a workspace
- Careful Library sharing and folder permission management
- Contractual data processing agreements
- Security and procurement review
- Retention and deletion policies
- Human review of AI-generated outputs
Tenant isolation also does not mean Nairo provides a dedicated database or dedicated infrastructure per customer by default.
Related areas
Getting started
During onboarding, confirm:
- The correct workspace URL or slug
- The organisation mapped to the workspace
- Which users should be invited
- Which users should have administrator access
- Which Library folders or documents should be shared
- Which product surfaces the pilot users should access
Pilot users should be invited to the correct organisation before they access workspace data.