Skip to main content
AC

Acme Cloud

EthicPages logoVisit EthicPages

Customer Data Isolation Policy

Last updated: January 15, 2026

Customer Data Isolation Policy

Document owner: Chief Information Security Officer (CISO), with VP Engineering as co-owner Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Annual review; updates for architecture changes Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions and Key Terms

TermDefinition
Customer DataAny data uploaded, created, or processed by customers using Acme Cloud services
Data IsolationTechnical and administrative controls preventing unauthorized access between customer data boundaries
TenantA customer organization with a distinct data boundary within the Acme Cloud platform
Multi-TenancyArchitecture where multiple customers share infrastructure while maintaining logical data separation
Tenant IDA unique, immutable identifier assigned to each customer organization
NamespaceA logical partition providing isolated scope for resources within a tenant boundary
Data BoundaryThe logical perimeter defining the extent of a customer's data isolation
Cross-Tenant AccessAny access pattern that traverses customer data boundaries (prohibited except for authorized support)
Logical IsolationSeparation achieved through software controls, access policies, and data partitioning
Physical IsolationSeparation achieved through dedicated hardware or infrastructure components
Row-Level SecurityDatabase controls enforcing tenant isolation at the individual record level
Column-Level SecurityDatabase controls restricting access to specific fields based on tenant context
Encryption BoundaryThe scope within which encryption keys provide protection
Key IsolationSeparate encryption keys for each tenant's data
Network IsolationSeparation of network traffic between tenants
Compute IsolationSeparation of processing resources between tenants
Storage IsolationSeparation of data storage between tenants
Blast RadiusThe scope of impact if a security control fails or is bypassed
Noisy NeighborPerformance impact from one tenant affecting others on shared infrastructure
Data ComminglingUnauthorized mixing of data from different tenants
Tenant ContextThe authenticated identity and authorization scope of a tenant request
Service AccountA non-human identity used for inter-service communication within tenant boundaries
Break-Glass AccessEmergency access procedures for authorized support with full audit
Data ResidencyThe geographic location(s) where customer data is stored and processed

Scope and Purpose

This Customer Data Isolation Policy establishes Acme Cloud, Inc.'s requirements for maintaining strict separation between customer data in our multi-tenant SaaS platform. The policy covers all customer data across all product tiers, including data at rest, data in transit, data in processing, metadata, logs, backups, and derived data. The purpose is to ensure that no customer can access, view, modify, or infer information about another customer's data, and that Acme Cloud personnel access is strictly controlled, audited, and minimized.

Isolation Objectives

ObjectiveDescriptionBenefit
ConfidentialityPrevent unauthorized disclosure of customer data between tenantsTrust and compliance
IntegrityPrevent unauthorized modification of customer data by other tenantsData accuracy
AvailabilityPrevent one tenant from impacting another's service availabilityReliable service
ComplianceMeet regulatory requirements for data separationLegal compliance
AuditabilityDemonstrate isolation effectiveness to customers and auditorsTransparency
Defense in DepthMultiple layers of isolation controlsReduced blast radius

Scope Applicability

ComponentIn ScopeIsolation LevelImplementation
Customer Application DataYesLogical + EncryptionTenant ID partitioning; per-tenant keys
Customer Uploaded FilesYesLogical + EncryptionTenant-prefixed storage; per-tenant keys
Customer ConfigurationYesLogicalTenant-scoped settings
Customer MetadataYesLogicalTenant ID filtering
Audit Logs (Customer)YesLogicalTenant-partitioned logs
API TrafficYesLogical + NetworkTenant authentication; rate limiting
Database StorageYesLogical + EncryptionRow-level security; field encryption
Cache StorageYesLogicalTenant-prefixed keys
Search IndexesYesLogicalTenant-partitioned indexes
Backup DataYesLogical + EncryptionTenant-isolated backups
Analytics/Derived DataYesLogicalTenant-scoped processing
System Logs (Operational)PartialAccess ControlRedacted customer data

Isolation Architecture

Multi-Tenancy Model

LayerIsolation ModelTechnologyTenant Boundary
ApplicationShared application; logical tenant contextNext.js/Node.jsTenant ID middleware
API GatewayShared gateway; tenant-scoped routingAWS API GatewayAuth + tenant validation
ComputeShared compute; tenant-scoped processingAWS Lambda/ECSRequest-level isolation
DatabaseShared database; row-level securityPostgreSQLTenant ID column + RLS
Object StorageShared buckets; tenant-prefixed pathsAWS S3Prefix + IAM policies
CacheShared cache; tenant-prefixed keysRedisKey prefix isolation
SearchShared cluster; tenant-partitioned indexesElasticsearchIndex per tenant
Message QueueShared queues; tenant-tagged messagesAWS SQSMessage attributes
CDNShared CDN; tenant-scoped pathsCloudflarePath-based routing

Tenant Identification

ComponentTenant ID SourceValidationPropagation
User AuthenticationJWT claim (tenant_id)Token signature; tenant membershipRequest context
API Key AuthenticationKey → tenant mappingKey validation; tenant lookupRequest context
Service-to-ServiceRequest header (X-Tenant-ID)Service auth + header validationDistributed tracing
Background JobsJob metadata (tenant_id)Job queue validationJob context
Webhooks (Outbound)Webhook configurationTenant-owned webhookPayload context
Webhooks (Inbound)Request signatureSignature verificationProcessing context

Isolation Boundaries

Boundary TypeEnforcement PointControl MechanismFailure Mode
AuthenticationAPI GatewayToken validation; tenant claimReject request (401)
AuthorizationApplication LayerTenant context checkReject request (403)
DatabaseQuery ExecutionRow-level security policiesFilter or block query
StorageObject AccessIAM policies; prefix validationDeny access
EncryptionData AccessPer-tenant key derivationDecrypt failure
NetworkVPC/Security GroupsNetwork policiesConnection refused
Rate LimitingAPI GatewayPer-tenant quotasThrottle (429)

Database Isolation

Row-Level Security (RLS)

Table CategoryRLS PolicyEnforcementVerification
Customer Data Tablestenant_id = current_tenant()Always enabled; no bypassAutomated testing
Audit Log Tablestenant_id = current_tenant() OR is_admin()Admin with auditAccess logging
System TablesRole-based accessNo tenant columnRole validation
Cross-Tenant ViewsProhibitedN/ASchema validation

Database Access Patterns

Access PatternTenant Context RequiredAdditional ControlsExample
Application QueryYes (always)RLS + query validationSELECT * FROM orders
Report GenerationYesRLS + scope limitingAnalytics aggregation
Data ExportYesRLS + rate limitingCustomer data export
Admin QueryYes (with elevation)Audit logging; approvalSupport investigation
Migration ScriptN/A (schema only)No data accessSchema changes
Backup/RestoreYes (per tenant)Encryption; access controlPoint-in-time recovery

Database Security Controls

ControlImplementationPurposeMonitoring
RLS PoliciesPostgreSQL policies on all tenant tablesQuery-level isolationPolicy audit
Connection PoolingTenant-aware pool; no connection reuseContext isolationPool metrics
Query ParameterizationPrepared statements onlySQL injection preventionStatic analysis
Tenant ID ValidationUUID format; existence checkInvalid tenant preventionError logging
Cross-Tenant Query BlockApplication-layer validationAccidental exposure preventionQuery analysis
Field-Level EncryptionSensitive fields encrypted with tenant keyDefense in depthEncryption audit

Storage Isolation

Object Storage Architecture

Isolation ControlImplementationEnforcementVerification
Path Prefixs3://bucket/{tenant_id}/...IAM policy; application validationPath audit
IAM PoliciesCondition: StringEquals s3:prefix/{tenant_id}/AWS IAMPolicy review
EncryptionPer-tenant KMS keyAWS KMS; key policyKey audit
Access LoggingS3 access logs with tenant attributionCloudTrailLog analysis
Cross-Tenant PreventionNo wildcard paths; no cross-prefix accessApplication validationAutomated testing
Pre-Signed URLsTenant-scoped; time-limitedURL generationURL validation

Storage Access Patterns

OperationTenant ValidationAdditional ControlsAudit
UploadPath prefix check; size limitsVirus scan; type validationUpload log
DownloadPath prefix check; ownershipRate limitingDownload log
DeletePath prefix check; soft deleteRetention policyDelete log
ListPrefix-scoped listing onlyPagination limitsAccess log
CopySame-tenant onlyNo cross-tenant copyCopy log
Bulk ExportTenant-scoped; approval requiredEncryption; expirationExport log

Encryption Key Isolation

Key TypeScopeRotationAccess
Tenant Master KeyPer tenantAnnualHSM; tenant admin
Data Encryption KeyPer tenant; derivedPer-use (envelope)Application only
Field Encryption KeyPer tenant; per field typeAnnualApplication only
Backup Encryption KeyPer tenantAnnualBackup system
Transport KeyPer tenant sessionPer sessionTLS termination

Application-Level Isolation

Request Processing

StageIsolation ControlFailure HandlingMonitoring
Request ReceiptExtract tenant from authReject if missingAuth metrics
Context InitializationSet tenant context in request scopeReject if invalidContext metrics
AuthorizationVerify tenant membershipReturn 403Auth failures
Business LogicPass tenant context to all operationsPropagate contextOperation metrics
Database QueryApply tenant filter (automatic via RLS)RLS blocks unauthorizedQuery metrics
ResponseFilter response to tenant data onlySanitize responseResponse audit
LoggingInclude tenant ID; exclude cross-tenantRedact sensitiveLog analysis

Service Isolation

Service TypeIsolation MechanismContext PropagationVerification
API ServicesJWT tenant claimRequest headerToken validation
Background WorkersJob metadata tenant IDQueue messageJob validation
Event ProcessingEvent envelope tenant IDEvent payloadEvent validation
Scheduled TasksPer-tenant task schedulingTask contextTask audit
WebhooksTenant-specific endpoints/secretsWebhook configSignature validation

Code-Level Controls

ControlImplementationEnforcementTesting
Tenant Context RequiredMiddleware injectionCompile-time checkUnit tests
Query Builder ValidationAutomatic tenant filter injectionORM integrationQuery tests
Cross-Tenant DetectionStatic analysis; runtime checksCI/CD pipelineSecurity tests
Logging SanitizationAutomatic PII redactionLogging frameworkLog audit
Error Message FilteringGeneric errors for isolation failuresError handlerError tests

Network Isolation

Network Architecture

LayerIsolation ControlImplementationMonitoring
EdgeWAF rules; DDoS protectionCloudflareAttack metrics
Load BalancerNo tenant-specific routingAWS ALBTraffic metrics
ApplicationTenant context from authApplication codeRequest metrics
DatabasePrivate subnet; no direct accessVPCConnection metrics
Inter-ServiceService mesh; mTLSInternal networkService metrics
OutboundNAT gateway; egress filteringVPCEgress metrics

Network Security Controls

ControlPurposeImplementationVerification
VPC IsolationNetwork boundaryAWS VPCNetwork audit
Security GroupsPort-level access controlAWS SGRule review
Network ACLsSubnet-level filteringAWS NACLACL review
Private EndpointsNo public database accessVPC endpointsEndpoint audit
TLS EverywhereTransport encryptionTLS 1.2+ mandatoryCertificate audit
mTLS for ServicesService authenticationInternal CACertificate validation

Support and Administrative Access

Support Access Model

Access LevelPurposeScopeControls
No Access (Default)Normal operationsAutomated systemsFull isolation
Metadata AccessTroubleshootingAccount info; usage statsAudit; time-limited
Read AccessInvestigationCustomer data (read-only)Customer consent; audit
Write AccessData correctionCustomer data (specific fix)Approval; supervision; audit
Full AccessEmergencyAll tenant dataBreak-glass; post-incident review

Access Request Process

StepRequirementVerificationDocumentation
1. RequestSupport ticket with justificationTicket systemRequest record
2. Customer ConsentCustomer approval (if data access)Written confirmationConsent record
3. ApprovalManager + Security approvalApproval workflowApproval record
4. Access GrantTime-limited; scope-limitedIAM policyGrant record
5. ActivityAll actions loggedFull audit trailActivity log
6. Access RevokeAutomatic expirationAutomatedRevocation record
7. ReviewPost-access reviewSecurity reviewReview record

Break-Glass Procedures

ScenarioAuthorizationTime LimitPost-Incident
Production IncidentOn-call engineer + manager4 hoursIncident review
Security IncidentSecurity team + CISOAs neededFull investigation
Legal RequirementLegal + CISOPer requirementCompliance record
Customer EmergencyCustomer + Support lead2 hoursCustomer debrief

Monitoring and Verification

Isolation Monitoring

MonitorWhat It DetectsAlert ThresholdResponse
Cross-Tenant Query AttemptQueries attempting to access other tenantsAny occurrenceImmediate investigation
RLS Policy FailureRow-level security not enforcedAny occurrenceBlock + alert
Unauthorized Storage AccessS3 access outside tenant prefixAny occurrenceAccess revocation
Tenant Context MissingRequests without tenant identificationAny occurrenceRequest rejection
Key Access AnomalyUnusual encryption key usage patternsDeviation from baselineInvestigation
Admin AccessSupport access to customer dataAny occurrenceAudit review

Verification Testing

Test TypeFrequencyScopeOwner
Automated Isolation TestsEvery deploymentAll isolation controlsEngineering
Penetration TestingQuarterlyCross-tenant attack scenariosSecurity
RLS Policy AuditMonthlyAll database policiesDatabase team
Access Control ReviewQuarterlyAll access configurationsSecurity
Key Isolation AuditMonthlyEncryption key boundariesSecurity
Code ReviewEvery PRIsolation-related changesEngineering

Compliance Verification

VerificationMethodFrequencyEvidence
SOC 2 AuditExternal auditorAnnualAudit report
ISO 27001 AuditExternal auditorAnnualCertification
Customer AuditCustomer reviewOn requestAudit response
Internal AuditSecurity teamQuarterlyInternal report
Automated ComplianceContinuous monitoringReal-timeDashboard

Incident Response

Isolation Breach Response

SeverityDefinitionResponse TimeActions
CriticalConfirmed cross-tenant data accessImmediateContainment; customer notification; forensics
HighAttempted cross-tenant access (blocked)1 hourInvestigation; control verification
MediumIsolation control degradation4 hoursRemediation; monitoring increase
LowIsolation monitoring gap24 hoursGap closure; process improvement

Breach Notification

StakeholderNotification TriggerTimelineContent
Affected CustomerConfirmed data exposure72 hours maxScope; impact; remediation
All CustomersSystemic isolation failure72 hours maxIncident summary; assurance
RegulatorsReportable breachPer regulationRequired details
InternalAny isolation incidentImmediateFull details

Post-Incident Actions

ActionTimelineOwnerOutput
Root Cause Analysis5 daysSecurity + EngineeringRCA document
Control Enhancement30 daysEngineeringImproved controls
Customer CommunicationAs appropriateCustomer SuccessUpdated trust documentation
Process Improvement30 daysSecurityUpdated procedures
Audit Trail PreservationImmediateSecurityEvidence package

Numbered Policy Statements

  1. Tenant Isolation Mandate: All customer data must be logically isolated using tenant identification at every layer of the application stack.

  2. Tenant ID Requirement: Every request, query, job, and operation involving customer data must include and validate tenant context.

  3. Row-Level Security: All database tables containing customer data must have row-level security policies enforcing tenant isolation.

  4. Storage Path Isolation: Customer files must be stored in tenant-prefixed paths with IAM policies preventing cross-tenant access.

  5. Encryption Key Isolation: Customer data must be encrypted with tenant-specific keys derived from unique tenant master keys.

  6. Cross-Tenant Prohibition: Direct cross-tenant data access is prohibited at all layers; no API, query, or process may access multiple tenants' data in a single operation.

  7. Support Access Control: Acme Cloud personnel may only access customer data with documented justification, appropriate approval, customer consent (where required), and full audit logging.

  8. Access Time Limits: Administrative access to customer data must be time-limited and automatically revoked upon expiration.

  9. Isolation Testing: Automated tests verifying tenant isolation must run on every deployment; failures block release.

  10. Monitoring Requirement: Cross-tenant access attempts must be monitored in real-time with immediate alerting on any anomalies.

  11. Audit Trail: All access to customer data must be logged with tenant context, accessor identity, timestamp, and action performed.

  12. Breach Notification: Confirmed cross-tenant data exposure must be reported to affected customers within 72 hours.

  13. Defense in Depth: Multiple isolation controls must be implemented at each layer; single-point-of-failure isolation is prohibited.

  14. No Data Commingling: Customer data may not be combined, aggregated, or processed together with other customers' data except in anonymized, aggregated form for product improvement.

  15. Vendor Isolation: Third-party integrations must maintain equivalent tenant isolation; customer data may not be shared across vendor tenant boundaries.

Framework Appendix

Compliance Mapping

RequirementSOC 2 CriteriaISO 27001 ControlGDPR ArticleImplementation
Logical access controlsCC6.1A.9.1.1Art. 25, 32Tenant isolation architecture
Data segregationCC6.1A.8.1.1Art. 25Multi-tenancy model
EncryptionCC6.1A.10.1.1Art. 32Key isolation
Access monitoringCC7.2A.12.4.1Art. 32Monitoring section
Breach notificationCC7.3A.16.1.1Art. 33, 34Incident response
Data processing limitsCC6.7A.13.2.1Art. 28Cross-tenant prohibition

NIST CSF Mapping

CSF CategorySubcategoryPolicy Implementation
PR.AC-4Access permissions managedTenant-scoped authorization
PR.DS-1Data at rest protectedEncryption key isolation
PR.DS-2Data in transit protectedTLS; tenant context propagation
PR.DS-5Protections against data leaksCross-tenant controls
PR.PT-3Access to systems controlledSupport access model
DE.CM-7Monitoring for unauthorized accessIsolation monitoring

SOC 2 Trust Services Criteria

CriteriaDescriptionPolicy Implementation
CC6.1Logical access securityTenant authentication and authorization
CC6.2Registration and authorizationTenant provisioning and access grants
CC6.3Role-based accessTenant context in roles
CC6.6Restriction of accessCross-tenant prohibition
CC6.7Transmission protectionNetwork isolation; TLS
CC7.2System monitoringIsolation monitoring

Related Trust Center documents

security overview, access control, encryption standards, information classification, data retention, audit logging

Document revision history

VersionDateAuthorSummary of changes
1.02024-06-01Legal & ComplianceInitial Trust Center publication
2.02025-03-15GRC ProgramSOC 2 Type II alignment refresh; expanded subprocessors
2.52025-09-01Security EngineeringEncryption standards update; ISO 27001 mapping
3.02026-01-15Trust Center ProgramFull procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

ChannelEmailUse case
Trust & procurementtrust@acmecloud.comSecurity questionnaires, trust reviews
Securitysecurity@acmecloud.comIncidents, vulnerabilities, control questions
Privacyprivacy@acmecloud.comDSRs, privacy assessments
Legallegal@acmecloud.comContractual, DPA, legal notices

Data Isolation Support Contacts

ContactRoleUse Case
security@acmecloud.comSecurity TeamIsolation concerns; incident reporting
privacy@acmecloud.comPrivacy TeamData boundary questions; compliance
support@acmecloud.comCustomer SupportAccess requests; data questions
trust@acmecloud.comTrust TeamAudit requests; security questionnaires

Appendix: Tenant Isolation Verification Checklist

LayerVerification ItemTest MethodFrequency
AuthenticationTenant claim present in all tokensAutomated testEvery auth flow
AuthorizationCross-tenant access rejectedPenetration testQuarterly
DatabaseRLS policies active on all tenant tablesSchema auditMonthly
DatabaseCross-tenant query returns zero rowsAutomated testEvery deployment
StorageCross-prefix access deniedIAM policy testMonthly
StoragePre-signed URLs scoped to tenantURL validationEvery deployment
EncryptionTenant keys isolatedKey access auditMonthly
APITenant context propagatedRequest tracingEvery deployment
LogsNo cross-tenant data in logsLog auditWeekly
BackupsTenant backup isolationRestore testMonthly

Document Version: 3.0 Last Updated: January 15, 2026

Last updated: January 15, 2026
EthicPages logoEthicPages