If you run a tool that holds other companies' work, the most important property isn't a feature. It's that one customer can never see another customer's data. In multi-tenant SaaS this is called tenant isolation, and it is the thing we treat as non-negotiable.
The workspace owns everything
In Gealo, a workspace (we also call it a tenant) is the owner of every row, every file and every message inside it. There is no such thing as an unscoped record. Every database row carries a workspace identifier, and project-scoped rows additionally carry a project identifier.
Isolation isn't one check, it's many
A single guard is a single point of failure. Isolation in Gealo is enforced at every layer a request passes through:
- Requests are resolved to a workspace first, then checked for membership before any handler runs.
- Database queries always filter by workspace; cross-workspace joins are treated as bugs.
- Caches are keyed with a workspace prefix, so a cached object can never be served to the wrong workspace.
- Realtime connections join only their own workspace and project rooms; there are no cross-workspace broadcasts.
- Files are stored under keys that include the workspace and project, and links are only ever signed after a permission check.
Permissions sit on top of isolation
Isolation answers "which workspace is this?" Permissions answer "what may this member do?" Gealo uses permission templates so that creating a project, editing a task, or managing billing are governed by explicit roles rather than implicit trust. A member of a workspace still can't read a project they're not a collaborator on.
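A sketch of three of the layers above working together, added here as an illustration and not Gealo's own code: workspace-prefixed cache keys, storage keys that include workspace and project, and file links signed only after the membership and collaborator checks pass. Every name, the sample data and the HMAC link format are assumptions made for the example.

```python
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key comes from a secret store

# Constructed sample data: user -> workspaces, and (workspace, project) -> collaborators.
MEMBERS = {"alice": {"ws_a"}, "bob": {"ws_b"}, "carol": {"ws_a"}}
COLLABORATORS = {("ws_a", "proj_1"): {"alice"}, ("ws_b", "proj_1"): {"bob"}}


class Forbidden(Exception):
    """Raised when a request fails the membership or collaborator check."""


def cache_key(workspace_id, kind, object_id):
    # Workspace prefix first: identical object ids in two workspaces never collide.
    return f"ws:{workspace_id}:{kind}:{object_id}"


def storage_key(workspace_id, project_id, filename):
    # The file's location itself carries the workspace and project.
    return f"{workspace_id}/{project_id}/{filename}"


def authorize(user, workspace_id, project_id):
    # Layer 1: workspace membership. Layer 2: project collaboration.
    if workspace_id not in MEMBERS.get(user, set()):
        raise Forbidden("not a member of this workspace")
    if user not in COLLABORATORS.get((workspace_id, project_id), set()):
        raise Forbidden("not a collaborator on this project")


def sign_file_link(user, workspace_id, project_id, filename, now=None, ttl=300):
    # The permission check runs before any signature is produced.
    authorize(user, workspace_id, project_id)
    key = storage_key(workspace_id, project_id, filename)
    expires = int(now if now is not None else time.time()) + ttl
    mac = hmac.new(SIGNING_KEY, f"{key}|{expires}".encode(), hashlib.sha256)
    return f"/files/{key}?expires={expires}&sig={mac.hexdigest()}"


def verify_file_link(key, expires, sig, now=None):
    # The signature binds the full workspace/project key, so editing the
    # workspace segment of a valid link invalidates it.
    expected = hmac.new(SIGNING_KEY, f"{key}|{expires}".encode(), hashlib.sha256)
    fresh = int(now if now is not None else time.time()) <= int(expires)
    return fresh and hmac.compare_digest(expected.hexdigest(), sig)
```

Because the signature covers the whole storage key, a link issued for one workspace cannot be rewritten to point at another workspace's file without failing verification.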
Why we don't put limits in the browser
Plan limits (how many projects, how much storage, how large a file) are computed on the server from your plan, then expanded by any add-ons and tightened by any policies. The browser never decides what you're allowed to do; it only reflects what the server already enforces. That keeps the rules in exactly one place.
The takeaway
Good isolation is boring on purpose. You should never think about it, because it should never fail. That's the bar Gealo holds itself to, and it's why the security overview and trust center describe the controls in plain language rather than marketing.