Tenant data isolation

Maddict is multi-tenant: many agencies share the same application and database. The most important guarantee the platform makes is that no agency can ever see or touch another agency’s data. This page explains how that holds.

Membership-authoritative access

Access to a tenant’s data is decided by membership, not by guesswork or by the interface. On every request, Maddict checks that you are an active member of the agency whose data you’re touching. If you’re not — because you were never a member, were removed, or your agency is suspended or expired — the request is refused.

Enforced in the database with row-level security

The decisive control lives in the database, below the application:

Tenant tables have row-level security (RLS) policies.
Those policies restrict every read and write to rows belonging to the requester’s own tenant.
Because it’s enforced at the data layer, isolation holds even if something above it has a bug — there is no query that returns another tenant’s rows.

What’s isolated

Everything tenant-scoped is confined to its agency, including:

Audiences and saved audiences
Team membership and roles
Entitlements and plan usage
Activity attributable to the agency

Access ends the moment it should

Because access is re-evaluated on every request, changes take effect immediately:

A removed member loses access at once — existing sessions can’t keep reading tenant data.
A suspended or expired agency’s members are locked out until the agency is reactivated or renewed.

These actions are performed in the back-office and recorded in the audit log.

The audience data source, too

The external audience data API is reached only through Maddict’s tenant-aware, tier-gating proxy. Requests are scoped to your tenant and checked against your entitlements before any data is returned — your browser never queries it directly.

Security & complianceThe full set of platform controls.

Roles & permissionsHow membership and roles gate actions.