Security and accountability

Your organization’s data stays separate, private, and accountable.

Protect membership records, payments, publication files, and connected work with enforced organization boundaries and narrowly authorized actions.

Preparing for a limited pilot. Production use follows an organization-specific migration, rehearsal, configuration, and approval.

The governing idea

One organization cannot read or change another organization’s data.

Organization identity follows records, relationships, files, jobs, and audit entries, while tested data policies reject access from the wrong organization.

Separation at the source

01

Enforce the boundary with the data.

The browser does not get to decide which organization a person can access; verified relationships and permissions do.

01

Organization boundaries are enforced

Apply organization scope to records, relationships, jobs, events, and audits, with database rules that reject cross-organization reads and changes.

02

Private files stay private

Keep member and publication assets in organization-scoped private storage and grant short-lived access only after a trusted decision.

03

The boundary is tested

Exercise reads, writes, files, audits, jobs, global identity, and guessed identifiers across multiple organizations in automated tests.

The right people and actions

02

Make sensitive access explicit.

Named roles keep daily work understandable while stronger checks protect consequential actions and private member details.

01

Roles match the work

Give owners, membership staff, finance staff, publication teams, integration administrators, volunteers, auditors, and members only the actions they need.

02

Administrator work gets stronger checks

Require invitations, verified email, MFA, controlled role changes, session and account controls, and protection against removing the last owner.

03

Support cannot roam silently

Keep cross-organization support explicit, time-bound, reasoned, separately authorized, and audited alongside privacy, retention, and member-rights work.

Recovery and care

03

Make trustworthy operations recoverable.

Security includes what happens during an outage, provider failure, restore, privacy request, or other difficult operational moment.

01

Important decisions leave a record

Record administrative, financial, publication, integration, and support actions with the actor, organization, time, reason, and affected record.

02

Recovery is a launch requirement

Define database and private-file recovery, incident ownership, secret rotation, and replay procedures; configured backups and production restore evidence remain explicit launch gates.

03

Sensitive processing stays private

Keep card details, service secrets, signed-link decisions, and cross-system effects out of the public client, with restricted headers and scoped service access.

See the whole system

Security should support the work, not obscure it.

Return to the product overview and see how the protected foundation supports the full member relationship.

Review the product