Skip to Content
Security & TrustTenant Isolation

Tenant Isolation

Tenant isolation is the set of controls used to keep each customer organisation’s users, workspace context and data separated from other customers on the Nairo platform.

This page describes the current tenant isolation model at a high level.

For contractual or deployment-specific commitments, refer to the applicable agreement, data processing terms and security materials provided by Nairo.

How tenant isolation works

Nairo uses a combination of:

  • Workspace URL or slug
  • Clerk organisation membership
  • Tenant context on API requests
  • Backend tenant resolution
  • Schema-based tenant data separation
  • Workspace-level document and folder access controls

Tenant isolation is not only a frontend routing convention. Tenant context is resolved and applied by backend services before tenant-aware operations are executed.

Tenant identity

Each customer workspace has a tenant identifier, typically reflected in the workspace URL or workspace slug.

When a user accesses a workspace URL, Nairo resolves the intended workspace context. The frontend includes tenant context when calling tenant-aware backend APIs.

The backend then resolves the active tenant before executing tenant-scoped operations.

Authentication and organisation binding

Nairo uses Clerk for authentication and organisation membership.

Each workspace is associated with an organisation context. When a user navigates to a workspace URL, Nairo checks that the authenticated user is operating in the expected organisation context for that workspace.

If the user’s authenticated organisation context does not match the workspace, access is blocked or the user is redirected to authenticate in the correct context.

This reduces the risk of a user authenticated in one organisation accessing another customer’s workspace.

API tenant context

Tenant-aware API requests include workspace context.

The backend resolves tenant context before executing tenant-scoped services. This helps ensure that tenant-aware operations run against the correct customer workspace.

Application routes that require tenant context should not rely only on client-side state. The backend is responsible for resolving and applying tenant context for tenant-aware service execution.

Database separation

Nairo uses schema-based tenant data separation for tenant-aware backend services.

In the current implementation, tenant-aware services use tenant-scoped database access patterns so customer data is separated by tenant schema.

This is different from a dedicated database per customer. Dedicated database or dedicated infrastructure models may be considered separately for specific enterprise deployments, but they are not the default tenant model today.

Platform vs customer workspaces

Platform administration and customer workspace access are treated as separate contexts.

Platform-level functions, such as tenant registry or provisioning operations, are distinct from normal customer workspace operations.

Customer workspace access still depends on authentication, organisation membership, tenant context and relevant permissions.

What tenant isolation covers

LayerCurrent implementation
Workspace URL / slugIdentifies the intended customer workspace
AuthenticationUser identity and organisation membership are handled through Clerk
Tenant contextFrontend requests include workspace context for tenant-aware APIs
Backend resolutionBackend services resolve tenant context before tenant-scoped operations
Data separationTenant-aware services use schema-based tenant data separation
Document accessLibrary sharing controls document and folder visibility within a workspace
AdministrationUser and permission administration is scoped to the relevant workspace context

Access within a tenant

Tenant isolation separates one customer workspace from another customer workspace.

It does not mean every user inside the same workspace can access every document or every administrative feature.

Within a workspace:

  • Organisation roles control broad user access
  • Admin permissions control access to administrative pages
  • Library sharing controls access to specific documents and folders
  • Product surface access may depend on workspace configuration and enabled permissions

Customer administrators remain responsible for assigning users, managing access and deciding who should see sensitive materials.

What tenant isolation does not guarantee alone

Tenant isolation does not replace:

  • Customer-side identity governance
  • Internal access policies within a workspace
  • Careful Library sharing and folder permission management
  • Contractual data processing agreements
  • Security and procurement review
  • Retention and deletion policies
  • Human review of AI-generated outputs

Tenant isolation also does not mean Nairo provides a dedicated database or dedicated infrastructure per customer by default.

Getting started

During onboarding, confirm:

  • The correct workspace URL or slug
  • The organisation mapped to the workspace
  • Which users should be invited
  • Which users should have administrator access
  • Which Library folders or documents should be shared
  • Which product surfaces the pilot users should access

Pilot users should be invited to the correct organisation before they access workspace data.