How we protect tenant data.

NextEAM is a single codebase running across many customer tenants. Every record carries a tenantIdcolumn. Three independent layers enforce that records from one tenant never leak into another's response.

JWT-scoped session

Every authenticated request carries a tenantId from the user’s session token. The backend rejects tokens missing or mismatched against the request URL.

Prisma middleware tenant scoping

A database-layer middleware automatically injects the active tenantId into every read and write — even if a service forgets to add it, the middleware refuses the query without it.

Per-tenant Postgres row-level controls

Tenant-bound entities are queryable only with the active tenant context. The escape hatch (PrismaService.unscoped) is auditable, alarmed, and used only for platform-administration paths.

Cross-tenant isolation E2E spec

A Playwright spec runs in CI on every change. It logs in as two separate tenants and exhaustively asserts that neither can read, mutate, or enumerate the other’s data through any documented endpoint.

Controls from the National Cybersecurity Authority Essential Cybersecurity Controls (NCA ECC) are mapped to specific platform behaviours, not just policy documents. Below is a representative subset; a full crosswalk is available on request as part of the compliance pack.

Identity, authentication, and access (ECC-2-3)

Password complexity enforcement, optional MFA via TOTP, SSO/SAML in the Enterprise tier, role-based access control with module-level entitlements, force-change-password on first login.

Audit logging (ECC-2-12)

Every state-changing API call is logged with tenantId, userId, entity, action, timestamp, and source IP. The interceptor is decorated onto controllers — coverage is verified at build time, not assumed.

Vulnerability management (ECC-2-10)

Dependency CVE scanning runs in CI on every change. Container images are scanned with Trivy at build. A documented findings register tracks known issues by severity with remediation owners.

Network segmentation

Public ingress is restricted to the application gateway. Database, queue, and AI services are reachable only from application containers within the private network.

Secrets management

Production secrets are stored in an encrypted secrets vault with 90-day rotation policy. Application containers receive secrets at runtime, not baked into images.

Continuity is treated as code, not policy. Backups are tested by restore. DR procedures are exercised. Incident response is a runbook, not a phone tree.

Backups

Postgres Point-in-Time Recovery enabled with continuous WAL archiving. Daily logical dumps to object storage. Restore tested quarterly into an isolated environment.

High availability

Multiple backend instances behind a load balancer. Managed Postgres with synchronous replication. Static assets served from the CDN edge. Health endpoints monitored externally.

Disaster recovery

RPO target: 15 minutes (continuous WAL archive). RTO target: 4 hours for full region restoration from snapshots. DR drill schedule documented in the operations runbook.

Incident response

A 72-hour SDAIA breach-notification runbook is documented and accessible to on-call staff. A tenant-admin notification template is pre-staged. Severity-driven communication cadence (initial / interim / resolution).

Change management

Every production change goes through a pull request, automated tests, security and dependency scans, and a documented release. Production access is gated, logged, and audit-trailed.