Tenant isolation
Demerzel is multi-tenant: many organizations share the platform, but never each other’s data. Isolation is enforced on the server for every request, not left to the UI.
One organization per request
Each request runs in the context of exactly one active organization. Every query that reads your servers, domains, certificates, actions, alerts or activity is filtered by that organization’s identity. A record that belongs to another organization is simply not part of the result set.
No object leaks across tenants
Referencing a specific object you don’t own — a server, an alert, an invitation — does not return it. It behaves as if it does not exist (a plain “not found”), so nothing is disclosed by probing identifiers.
Roles are enforced server-side
Within an organization, what you can do is decided by your role — owner, admin or read-only — and checked on the server. A read-only member cannot mutate anything even by calling an endpoint directly; the check does not live in the browser. Only owners can grant ownership or delete the organization.
Everything is per-organization
Members, invitations, notification channels, connected agents, alert history and the audit log all belong to a single organization. Switching organizations switches the entire context; there is no combined, cross-tenant view.