Lesson 10 / 17
Database-enforced isolation
Tenants are kept apart at the database itself, with Postgres row-level security (RLS) set to FORCE, fail-closed and transaction-scoped. This is the most defensible part of the platform's security story. Key points:
- Isolation is enforced in the database, not by app-layer filtering you have to trust. The guarantee holds even if application code has a bug.
- RLS FORCE means even a privileged connection is subject to the row-level rules, so a query cannot quietly read across tenants.
- A grant is bounded by tenant. Access governance and connectors all sit inside that boundary; a grant cannot reach across tenants because the database will not let it.