Multi-Tenant Isolation

Complete data separation between organizations — from database queries to encryption scopes to processing pipelines.

Updated March 2026 · 6 min read

Tenant Model

Every organization in ComplyWise is represented as a Tenant. Users, scan jobs, controls, evidence, and all other resources are associated with a unique tenant identifier. The organization identifier is embedded in the authentication token and enforced on every database query automatically. There is no mechanism in the platform to access data across tenant boundaries.

  • Unique tenant identifiers assigned at provisioning
  • Tenant association enforced on all models: users, scans, evidence, assessments

Row-Level Security

All database queries are scoped by organization at the application layer. Every request is authenticated and the user's organization is enforced on every query. The platform ensures consistent enforcement through automated query-level isolation.

  • Query-level tenant scoping on all database operations
  • No cross-tenant JOIN operations permitted
  • Automated tests verify tenant isolation on all endpoints
  • Admin endpoints use explicit tenant selection with audit logging

Encryption Scoping

Sensitive data such as integration credentials, API keys, and scan artifacts are encrypted using industry-standard encryption with cloud-managed keys. Each tenant's encryption operations use a scoped key grant, ensuring that one tenant's encrypted data cannot be decrypted by another tenant's key context. Evidence and report artifacts use server-side encryption with per-object keys.

  • Cloud-managed key infrastructure for encryption key management
  • Per-tenant key grants for credential encryption/decryption
  • Server-side encryption for all stored objects
  • TLS for all network communication

Isolated Processing

Compliance scan jobs for each tenant are processed independently. Scanner invocations are scoped to a single tenant and a single integration. Scan results are written to tenant-scoped storage. There is no shared memory, shared file system, or shared state between processing pipelines of different tenants.

  • Processing invocations are stateless and tenant-scoped
  • Object storage paths are structured for tenant isolation
  • No shared temporary storage between tenants
  • Scan failures in one tenant do not affect other tenants

Tenant Provisioning & Deprovisioning

New tenants are provisioned through the admin panel or API. Provisioning creates the tenant record, assigns a license tier, and configures default framework access. Deprovisioning (when available) performs a soft delete, retaining data for the configured retention period before permanent removal. All tenant operations are recorded in the immutable audit log.

  • Admin panel for tenant creation with license tier assignment
  • Default framework access based on license level
  • Soft-delete with configurable retention for deprovisioned tenants
  • Full audit trail of all provisioning operations