Organization boundaries are enforced
Apply organization scope to records, relationships, jobs, events, and audits, with database rules that reject cross-organization reads and changes.
Security and accountability
Protect membership records, payments, publication files, and connected work with enforced organization boundaries and narrowly authorized actions.
Preparing for a limited pilot. Production use follows an organization-specific migration, rehearsal, configuration, and approval.
The governing idea
Organization identity follows records, relationships, files, jobs, and audit entries, while tested data policies reject access from the wrong organization.
Separation at the source
01The browser does not get to decide which organization a person can access; verified relationships and permissions do.
Apply organization scope to records, relationships, jobs, events, and audits, with database rules that reject cross-organization reads and changes.
Keep member and publication assets in organization-scoped private storage and grant short-lived access only after a trusted decision.
Exercise reads, writes, files, audits, jobs, global identity, and guessed identifiers across multiple organizations in automated tests.
The right people and actions
02Named roles keep daily work understandable while stronger checks protect consequential actions and private member details.
Give owners, membership staff, finance staff, publication teams, integration administrators, volunteers, auditors, and members only the actions they need.
Require invitations, verified email, MFA, controlled role changes, session and account controls, and protection against removing the last owner.
Keep cross-organization support explicit, time-bound, reasoned, separately authorized, and audited alongside privacy, retention, and member-rights work.
Recovery and care
03Security includes what happens during an outage, provider failure, restore, privacy request, or other difficult operational moment.
Record administrative, financial, publication, integration, and support actions with the actor, organization, time, reason, and affected record.
Define database and private-file recovery, incident ownership, secret rotation, and replay procedures; configured backups and production restore evidence remain explicit launch gates.
Keep card details, service secrets, signed-link decisions, and cross-system effects out of the public client, with restricted headers and scoped service access.