Open app

Tenant isolation

Demerzel is multi-tenant: many organizations share the platform, but never each other’s data. Isolation is enforced on the server for every request, not left to the UI.

One organization per request

Each request runs in the context of exactly one active organization. Every query that reads your servers, domains, certificates, actions, alerts or activity is filtered by that organization’s identity. A record that belongs to another organization is simply not part of the result set.

No object leaks across tenants

Referencing a specific object you don’t own — a server, an alert, an invitation — does not return it. It behaves as if it does not exist (a plain “not found”), so nothing is disclosed by probing identifiers.

Roles are enforced server-side

Within an organization, what you can do is decided by your role — owner, admin or read-only — and checked on the server. A read-only member cannot mutate anything even by calling an endpoint directly; the check does not live in the browser. Only owners can grant ownership or delete the organization.

Everything is per-organization

Members, invitations, notification channels, connected agents, alert history and the audit log all belong to a single organization. Switching organizations switches the entire context; there is no combined, cross-tenant view.

Belonging to several organizations is fine. A user can be a member of many organizations, but each session acts within one at a time — the switcher changes which, and access is re-checked against that organization every time.