Back to app
Security and tenant isolation

Security and tenant isolation

How one client's data is kept separate from another's, what sign-in methods exist today, the compliance audit trail, and an honest read on certifications.

Reviewed AdminVertiqa 1.61+

This is the security posture you can describe to a client, stated as it is today — strong where it's strong, honest where there's a gap.

How one client's data is isolated from another's

Vertiqa is multi-tenant with organization-scoped isolation, enforced in two independent layers:

  • At the API layer. Every request is scoped to one organization, and every endpoint must explicitly declare the permission it requires — the system denies by default. An endpoint that forgets to declare a permission is refused, not silently opened.
  • At the database layer. Row-level security policies scope rows to their organization, so isolation holds even if a query is wrong. It's a second net under the first.

Each organization also gets its own subdomain, so tenants are separated at the address they sign in to as well as in the data.

Sign-in

  • Google sign-in and email/password are supported today. Passwords must meet a minimum strength policy.
  • Sign-in activity is visible to admins — an admin page shows recent authentication events for the organization.
  • SAML / enterprise SSO and MFA are not shipped yet. Don't imply otherwise. If a specific client requires SAML or enforced MFA, that's worth surfacing early as a real requirement rather than bluffing past it.

Roles and permissions

Access is role-based, with granular permission codes that a client's own admins manage. You can scope exactly what junior staff see and do, tighten a role that's been over-granted, or open one that's over-restricted. See Permissions.

Audit trail

Vertiqa keeps a typed compliance audit log covering more than 250 distinct action types — record changes, agent actions, permission and role changes, connector events, and more — alongside per-record timelines. For an SMB-scale platform that's an unusually complete trail, and it's fair to say so plainly.

Certifications — the honest line

  • No SOC 2 certification today. It's on the maturity path, not a claim to make now.
  • Internally, there is a security test suite exercising tenant isolation, IDOR-style access checks, and injection classes as part of the build.

Make no certification claims beyond that. Compliance statements to a client should go through Vertiqa before you commit to them in writing.

Was this helpful?