Security & compliance
Enterprise controls for mission-driven teams
Security is layered: platform admins are separated from tenant actors; each organisation’s data stays in its tenant; functional roles grant least privilege; workspace sessions can require 2FA.
Key capabilities
Tenant isolation
Organisation workspaces are bounded contexts — users operate inside their NGO’s data, not a shared pool.
RBAC catalog
Privileges are catalogued by resource and action so Settings → RBAC shows a real matrix finance and IT can own.
Workspace 2FA
Two-factor authentication can be required before sensitive workspace actions.
How it works
Role-based access control
Instead of ad-hoc checks scattered in code, new capabilities become catalog privileges with migrations and tests. Functional roles assign combinations of privileges; legacy org roles can mirror behaviour where needed.
- resource_key + catalog_action matrix in admin UI
- Data scopes for row-level boundaries
- Self-service forms gated by atomic privileges
Themes & accessibility
Operators can switch light or dark theme from any marketing or workspace page — preference stored in a secure cookie for consistency. UI uses semantic tokens for contrast in both modes.
Public surfaces
Vendor hub, careers apply, kiosk attendance, and RFQ quote links use tokenised or scoped public routes — never exposing internal integer IDs or cross-tenant data.
Frequently asked questions
Common questions from NGO programme, finance, and IT teams evaluating this module.
How is tenant data isolated?
Each organisation is a bounded tenant context. Users operate only inside their NGO data; platform admins are rejected from tenant APIs.
Does the product support two-factor authentication?
Yes. Workspace sessions can require 2FA before sensitive actions.
How are self-service forms protected?
Atomic catalog privileges gate Me portal and API access so limited roles do not inherit full HR or finance visibility.