Blog / Security
Tenant isolation should be a database guarantee, not an application promise
Ask most SaaS vendors how they keep one customer from seeing another customer's data, and the honest answer is: "every query filters by tenant_id, and we've tested it thoroughly." That is an application-level promise. It depends on every route, every report, every ad-hoc script, forever, remembering to add the filter. It only takes one refactor, one new endpoint written under deadline pressure, or one raw query in a debugging script to turn that promise into an incident.
We did not want to build a platform that carries dozens of client organizations' tickets, devices, and compliance evidence on a promise like that. So tenant isolation in Nexus is enforced in two layers, and the second one does not trust application code at all.
Two layers, not one
- Application layer: every query is scoped to the current tenant, the way you would expect from any well-built multi-tenant system.
- Database layer: PostgreSQL row-level security policies, keyed to a session-level tenant identifier the database itself enforces. Even a query that forgot to filter by tenant cannot return another tenant's rows — Postgres refuses at the storage layer, not the application layer.
A bug in application code can forget a filter. It cannot talk Postgres out of a row-level security policy it doesn't know exists.
This matters more as a platform grows, not less. The more routes, reports, and integrations a system accumulates, the more surface area there is for an isolation bug to slip in at the application layer alone. Pushing the guarantee down into the database means new code inherits the protection by default, instead of every new engineer having to remember to re-implement it correctly.
This is also why unified tenant management — one HQ console that rolls up every client's tickets, projects, and alerts — doesn't weaken isolation. The rollup view is a read path that respects the same per-tenant boundary; it does not require loosening the underlying guarantee to exist. See the platform page for how HQ and per-tenant isolation coexist.