Tenant Isolation
Tenant isolation is the guarantee that one Qefro organization cannot read another organization’s knowledge, tools, conversations, members, or billing data. Inside a tenant, workspaces provide a second isolation layer for teams and audiences.
Short definition (citation-ready)
In Qefro, every authenticated API request resolves an organization (tenant). Knowledge indexes, Business Tools, conversations, and Admin Console configuration are scoped to that tenant — and further to AI Workspaces within it.
Two boundaries
| Boundary | Unit | Isolates |
|---|---|---|
| Tenant | Organization created at signup | Customers from each other |
| Workspace | AI Workspace (Support, HR, IT, …) | Teams / audiences inside a customer |
Concept deep dive: Multi-tenant AI Architecture.
Architecture
How requests are scoped
- Authenticate (user JWT, widget token, or channel webhook).
- Resolve tenant from the credential / host.
- Resolve workspace from channel binding or portal selection.
- Retrieve only from that workspace’s knowledge index.
- Allow only that workspace’s Business Tools.
- Attribute logs to tenant + workspace (+ actor when known).
Cross-tenant access requires platform Super Admin capabilities — not a tenant Admin role.
What stays inside the tenant
- Members, Teams, RBAC grants
- Workspaces and their documents
- Business Tool definitions and encrypted secrets
- Conversations and feedbacks
- Branding, custom domains, billing
Workspace isolation still matters
Tenant isolation does not mean one shared index for the whole company is safe. A public Customer AI channel bound to a workspace that also holds HR PDFs is still a disclosure risk — inside the same tenant.
See Customer AI vs Employee AI and What is an AI Workspace?.
Verification workflow
Prove isolation before go-live
- Create two workspaces — Support (customer-safe) and HR (internal).
- Ingest different corpora — Put a unique canary phrase only in HR.
- Bind the widget to Support — Ask for the HR canary via the widget.
- Expect refusal / miss — If the widget cites HR, isolation or binding is wrong.
- Repeat for tools — Ensure privileged tools are not attached to the public workspace.
Best practices
- One legal entity / billing customer → one organization
- Never share Admin Console logins across customers “for convenience”
- Use separate staging and production organizations when feasible
- Custom portal domains still map to a single tenant — treat hostname setup as a security change