Multi-Tenant Isolation: How We Keep Agency Data Separated
When agencies trust you with their client data, isolation is not optional. Here is how we built multi-tenant isolation into every layer of SpiderIQ.
Row-Level Security
Every table in our PostgreSQL database enforces row-level security policies. A tenant_id column exists on every table, and RLS policies ensure queries only return rows belonging to the authenticated tenant.
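A minimal sketch of the pattern described above, added here as an example and not SpiderIQ's actual schema. The `leads` table, the `app_user` role, the `app.tenant_id` session setting and the UUID values are assumed names and constructed data.

```sql
-- Constructed example table; only the tenant_id column comes from the page.
CREATE TABLE leads (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    email     text NOT NULL
);

ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from its own policies.
ALTER TABLE leads FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for another tenant. An unset or empty setting becomes NULL,
-- the comparison is never true, and the session sees no rows (fails closed).
CREATE POLICY tenant_isolation ON leads
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that is neither superuser nor BYPASSRLS;
-- both attributes skip row-level security entirely.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_user;
GRANT USAGE ON SEQUENCE leads_id_seq TO app_user;

-- Per request, as app_user. The third argument 'true' scopes the setting to
-- this transaction, so a pooled connection cannot leak it to the next tenant.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO leads (tenant_id, email)
VALUES ('11111111-1111-1111-1111-111111111111', 'a@example.com');  -- accepted
SELECT id, email FROM leads;  -- only this tenant's rows
COMMIT;

BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO leads (tenant_id, email)
VALUES ('22222222-2222-2222-2222-222222222222', 'b@example.com');
-- rejected: new row violates row-level security policy for table "leads"
ROLLBACK;
```

The policy trusts whatever sets `app.tenant_id`, so that value has to come from the authenticated session in server-side code, never from request input.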
Encrypted Secrets
API keys, SMTP credentials, and OAuth tokens are encrypted at rest using AES-256-GCM with per-workspace encryption keys derived from a master key via HKDF.
Audit Trails
Every MCP tool call, every data access, every configuration change is logged to an append-only audit table with tamper-evident checksums.