Tenant isolation

Updated May 21, 2026

Carriyo is a multi-tenant SaaS platform. Every tenant's data and traffic are isolated by design, through layered, independently enforced controls.

Tenant identity

Tenant identity is established at the moment of authentication and carried explicitly on every request. The API requires a tenant-id header alongside the OAuth bearer token and the x-api-key (see Authentication); the platform validates that the credentials, the requested tenant, and the resource being accessed are all aligned before any read or write proceeds. Requests that fail this check are rejected before any application logic runs.
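The gate described above, as an added example that is not Carriyo's code: a pre-handler check that refuses a request unless the bearer token, the x-api-key and the tenant-id header all name the same tenant and the target resource belongs to it. The token format (a two-part HMAC token carrying a tenant claim), the API-key-to-tenant mapping and the resource registry are assumptions constructed for the example; Carriyo's real credential formats are documented under Authentication.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed fixtures for the example. A real deployment would hold these in a
# key store, the identity provider and the tenant-scoped database respectively.
SIGNING_KEY = b"example-only-signing-key"
API_KEYS = {"key-acme-1": "acme", "key-globex-1": "globex"}  # api key -> tenant
RESOURCES = {"shp_1001": "acme", "shp_2002": "globex"}        # resource -> owning tenant


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant: str, subject: str) -> str:
    """Issue a bearer token whose claims name the tenant it was issued for.
    This HMAC token stands in for whatever the real OAuth server issues (assumed)."""
    payload = _b64e(json.dumps({"sub": subject, "tenant": tenant}, sort_keys=True).encode())
    sig = _b64e(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str) -> dict | None:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            return None
        return json.loads(_b64d(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(headers: dict[str, str], resource_id: str) -> Decision:
    """Runs before any handler: token, API key, tenant-id header and the
    target resource must all agree on one tenant."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(False, "missing bearer token")
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return Decision(False, "invalid bearer token")

    key_tenant = API_KEYS.get(h.get("x-api-key", ""))
    if key_tenant is None:
        return Decision(False, "unknown api key")

    requested = h.get("tenant-id")
    if not requested:
        return Decision(False, "missing tenant-id header")

    # The three sources of tenant identity must agree. A valid token for tenant A
    # presented with tenant B's header is rejected, never silently re-scoped.
    if not (claims.get("tenant") == key_tenant == requested):
        return Decision(False, "credentials and tenant-id disagree")

    # Ownership is checked against the validated tenant, and "belongs to another
    # tenant" gets the same answer as "does not exist", so the gate cannot be
    # used to enumerate identifiers that live in other tenants.
    if RESOURCES.get(resource_id) != requested:
        return Decision(False, "resource not found in tenant")

    return Decision(True, "ok")
```

The ordering matters: every rejection happens before any application code sees the request, and the tenant used for the ownership check is the one all three credentials agreed on, not whichever header arrived first.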

Data segregation

Customer data isolation is a foundational design principle at Carriyo, enforced through multiple independent controls rather than any single mechanism. Tenant scoping is applied consistently from authentication through to data access, and reinforced by continuous testing in our development pipeline.

Carriyo applies a hybrid isolation strategy, calibrated to the sensitivity and operational characteristics of each data class. The platform combines shared infrastructure with strict logical separation for the majority of workloads, alongside dedicated provisioning for data classes where a higher degree of separation is warranted. These choices are made deliberately at design time and reviewed regularly as the platform evolves.

The outcome is unambiguous: a tenant's data is visible only to the principals authorized to act on that tenant's behalf, regardless of how or where it is stored.
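An added example, not Carriyo's implementation, of the logical separation on shared infrastructure described above together with the kind of isolation test a pipeline can run: two tenants share one table, the tenant is fixed at repository construction from the authenticated request, and every statement (writes included) carries the tenant predicate. The schema, the sample rows and the use of SQLite are constructed for the example.

```python
from __future__ import annotations

import sqlite3

# Constructed schema and rows: two tenants in one table, separated only by the
# tenant_id column and the predicate every query must carry.
SCHEMA = """
CREATE TABLE shipments (
    id        TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    reference TEXT NOT NULL
);
CREATE INDEX shipments_by_tenant ON shipments (tenant_id);
"""
SEED = [
    ("shp_1001", "acme", "ACME-ORDER-1"),
    ("shp_1002", "acme", "ACME-ORDER-2"),
    ("shp_2002", "globex", "GLOBEX-ORDER-1"),
]


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO shipments VALUES (?, ?, ?)", SEED)
    return conn


class TenantScopedRepo:
    """The only data-access path application code gets. The tenant comes from the
    authenticated request, and every statement is bound to it; there is no
    unscoped method for a caller to forget the WHERE clause on."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def get_shipment(self, shipment_id: str) -> dict | None:
        row = self.conn.execute(
            "SELECT id, tenant_id, reference FROM shipments WHERE tenant_id = ? AND id = ?",
            (self.tenant_id, shipment_id),
        ).fetchone()
        return dict(row) if row else None

    def list_shipments(self) -> list[dict]:
        rows = self.conn.execute(
            "SELECT id, tenant_id, reference FROM shipments WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()
        return [dict(r) for r in rows]

    def update_reference(self, shipment_id: str, reference: str) -> bool:
        # Writes carry the predicate too. Scoping only the reads is a common bug
        # that lets a tenant modify a row it could never have read.
        cur = self.conn.execute(
            "UPDATE shipments SET reference = ? WHERE tenant_id = ? AND id = ?",
            (reference, self.tenant_id, shipment_id),
        )
        self.conn.commit()
        return cur.rowcount == 1


def isolation_probe(conn: sqlite3.Connection, tenants: list[str]) -> list[str]:
    """Pipeline-style check: for each tenant, every row owned by another tenant
    must be unreachable through the scoped repository for reads and writes, and
    listings must contain only the tenant's own rows. Empty result means no leak."""
    findings: list[str] = []
    for tenant in tenants:
        repo = TenantScopedRepo(conn, tenant)
        foreign = conn.execute(
            "SELECT id FROM shipments WHERE tenant_id != ?", (tenant,)
        ).fetchall()
        for row in foreign:
            if repo.get_shipment(row["id"]) is not None:
                findings.append(f"{tenant} can read {row['id']}")
            if repo.update_reference(row["id"], "PROBE"):
                findings.append(f"{tenant} can write {row['id']}")
        owners = {r["tenant_id"] for r in repo.list_shipments()}
        if owners - {tenant}:
            findings.append(f"{tenant} lists rows owned by {sorted(owners - {tenant})}")
    return findings
```

The probe is the piece worth wiring into CI: it is seeded with more than one tenant and fails the build on any cross-tenant read, write or listing, which is what "reinforced by continuous testing" has to mean in practice.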

Cross-tenant operations

A narrow set of internal capabilities supports diagnostics, runbooks, and customer-support workflows that may touch more than one tenant. Access to these capabilities is restricted to designated Carriyo personnel, separately authenticated, and subject to comprehensive audit logging. Every access is attributable to an identified individual, retained for review, and reported to internal security operations.

The API and the Dashboard cannot cross tenant boundaries by design.

Blast radius

Carriyo's multi-tenant architecture is engineered to absorb load asymmetry between tenants without performance or availability impact across the customer base. Tenant-aware controls bound the effect of any single tenant's unusual workload: it does not degrade another tenant's experience, and it does not expose data outside its authorized boundary. See API security for the tenant-level limits that govern this behavior.
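An added example of one tenant-aware control of the kind the paragraph refers to, not Carriyo's own implementation and not its actual limits (those are on the API security page): a per-tenant token bucket, keyed by the tenant established at authentication, replayed over constructed traffic in which one tenant bursts far beyond its budget while another sends a trickle. The capacity and refill rate are illustrative assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    updated_at: float

    def take(self, now: float, cost: float = 1.0) -> bool:
        # Refill in proportion to elapsed time, never beyond capacity, then admit
        # the request only if its whole cost fits.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated_at) * self.refill_per_sec)
        self.updated_at = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class TenantRateLimiter:
    """One bucket per tenant. The key must be the tenant validated at
    authentication, never a raw client-supplied header, or a caller could pick
    whose budget it spends. A tenant that drains its bucket is throttled while
    every other tenant's bucket is untouched."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: dict[str, TokenBucket] = {}

    def allow(self, tenant: str, now: float, cost: float = 1.0) -> bool:
        bucket = self._buckets.get(tenant)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, self.capacity, now)
            self._buckets[tenant] = bucket
        return bucket.take(now, cost)


def simulate(limiter: TenantRateLimiter, requests: list[tuple[float, str]]) -> dict[str, dict[str, int]]:
    """Replay (timestamp, tenant) pairs in time order and count outcomes per tenant."""
    outcome: dict[str, dict[str, int]] = {}
    for now, tenant in sorted(requests, key=lambda r: r[0]):
        stats = outcome.setdefault(tenant, {"allowed": 0, "throttled": 0})
        stats["allowed" if limiter.allow(tenant, now) else "throttled"] += 1
    return outcome


def noisy_neighbour_scenario() -> dict[str, dict[str, int]]:
    """Constructed traffic (assumed limits of 10 requests with 1/s refill): acme
    fires 50 requests at t=0 and 10 more at t=5; globex sends one per second."""
    limiter = TenantRateLimiter(capacity=10, refill_per_sec=1.0)
    traffic = [(0.0, "acme")] * 50 + [(5.0, "acme")] * 10 + [(float(t), "globex") for t in range(5)]
    return simulate(limiter, traffic)
```

In the scenario acme gets 10 requests through at t=0, is throttled for the remaining 40, and at t=5 has refilled exactly five tokens, so 5 of its next 10 pass; globex, which never exceeded its own budget, has all 5 requests admitted. That is the bound the paragraph describes: the burst is absorbed by acme's own budget and never reaches globex.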