Tenant Isolation
The technical architecture that makes cross-tenant data access impossible by design.
How Isolation Is Enforced
VouchCore enforces tenant isolation at multiple layers simultaneously, ensuring that no single failure can create a cross-tenant data exposure:
Application Layer
Every API endpoint that returns data requires a validated tenant ID in the request context. Queries that don't include the authenticated tenant's ID are rejected before they reach the data layer. There is no administrative endpoint that returns cross-tenant data.
Data Layer
All tenant data is namespaced by tenant ID in BigQuery and Firestore. Row-level security rules enforce that queries can only return data matching the authenticated tenant's namespace. A misconfigured application layer cannot accidentally expose cross-tenant data — the data layer enforces the same boundary independently.
IAM Layer
Service accounts are scoped to minimum required permissions per service. No service account has broad read access to all tenant data. Cross-tenant data access would require IAM escalation that is logged, alerted, and reviewed.
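The three layers above are easiest to reason about as independent checks that each refuse a cross-tenant read on their own. The following Python sketch is an added example, not VouchCore's code: it assumes a hypothetical RequestContext whose tenant_id is set by authentication rather than by the caller, an application-layer guard that rejects queries not pinned to that tenant, and a data-layer fetch that stands in for row-level security by applying the authenticated namespace before any application-supplied filter. The findings rows are constructed sample data with an illustrative schema. The last function deliberately skips the application-layer guard to show that the data layer still holds the boundary, which is the "no single failure" property described above.

```python
from dataclasses import dataclass, field


class TenantIsolationError(Exception):
    """Raised when a request or query is not bound to the authenticated tenant."""


@dataclass(frozen=True)
class RequestContext:
    """Request context produced by authentication (hypothetical).

    tenant_id comes from the verified session, never from a user-supplied
    query parameter, so a caller cannot choose which tenant they act as.
    """
    tenant_id: str


@dataclass
class Query:
    """A data-layer query as the application layer builds it (hypothetical)."""
    collection: str
    filters: dict = field(default_factory=dict)


# Constructed sample rows: two tenants' scan findings sharing one table.
# The schema and values are illustrative, not VouchCore's.
FINDINGS = [
    {"tenant_id": "tenant-a", "id": 1, "severity": "high", "title": "Public storage bucket"},
    {"tenant_id": "tenant-a", "id": 2, "severity": "low", "title": "Legacy TLS cipher"},
    {"tenant_id": "tenant-b", "id": 3, "severity": "high", "title": "Unrestricted SSH ingress"},
]


def app_layer_guard(ctx: RequestContext, query: Query) -> Query:
    """Application layer: refuse any query that is not pinned to the
    authenticated tenant, before it reaches the data layer."""
    if query.filters.get("tenant_id") != ctx.tenant_id:
        raise TenantIsolationError(
            f"query on {query.collection!r} is not scoped to tenant {ctx.tenant_id!r}"
        )
    return query


def data_layer_fetch(ctx: RequestContext, query: Query, rows=FINDINGS) -> list:
    """Data layer: stand-in for row-level security. The authenticated namespace
    is applied first and unconditionally; the application's own filters only
    narrow the result further, so they can never widen it to another tenant."""
    scoped = [r for r in rows if r["tenant_id"] == ctx.tenant_id]
    for key, value in query.filters.items():
        scoped = [r for r in scoped if r.get(key) == value]
    return scoped


def fetch_findings(ctx: RequestContext, query: Query) -> list:
    """Normal path: both layers enforce the boundary."""
    return data_layer_fetch(ctx, app_layer_guard(ctx, query))


def fetch_findings_misconfigured(ctx: RequestContext, query: Query) -> list:
    """Simulates an application layer that forgot the guard entirely.
    The data layer's independent enforcement still prevents cross-tenant reads."""
    return data_layer_fetch(ctx, query)


if __name__ == "__main__":
    ctx = RequestContext(tenant_id="tenant-a")
    print(fetch_findings(ctx, Query("findings", {"tenant_id": "tenant-a"})))
    try:
        fetch_findings(ctx, Query("findings", {"tenant_id": "tenant-b"}))
    except TenantIsolationError as exc:
        print("rejected at application layer:", exc)
    # Even with the guard missing, tenant-b's rows are not returned to tenant-a.
    print(fetch_findings_misconfigured(ctx, Query("findings", {"tenant_id": "tenant-b"})))
```

The design point is the ordering inside data_layer_fetch: the namespace filter is derived from the authenticated context and applied before anything the application layer supplied, so a forgotten or wrong tenant filter upstream can only shrink the result set, never cross into another tenant's rows. The IAM layer is not modelled here; in the real system it is the third, independent check that limits what the service account running this code can read at all.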
What "Isolation" Means for Your Data
When your organization's posture scan completes, the findings are written to your tenant's namespace and are accessible only through your authenticated session. No other VouchCore customer can see your findings. VouchCore's own operational team accesses tenant data only through documented, permissioned processes — not through broad administrative access.
Multi-Tenant vs. Single-Tenant
VouchCore operates on shared infrastructure (GCP Serverless) but enforces single-tenant data isolation at the logical layer. This is the standard model for enterprise SaaS — the infrastructure is shared, the data is not. Enterprise customers with specific requirements for dedicated infrastructure can discuss options during the Institutional Briefing process.