Tenant isolation enforced
by the database.

See the highlighted block above the contents list. The rest of this article explains why the distinction between database-enforced isolation and application-enforced isolation is the question an airline IT review should be asking — and what it changes for procurement.

A safety management system holds the most sensitive operational data an airline produces. Confidential occurrence reports. Investigation findings. Hazard registers. The honest assessment of where the operation is weak and what has not yet been fixed. This is not marketing data. It is the record of where your operation could be hurt.

In a multi-tenant platform, your data and a competitor's data live in the same system. That is normal and efficient — it is how modern software is built. The question that matters is not whether the data shares infrastructure. It is what stopsone operator from ever seeing another's rows. For aviation safety data, that answer is competitive insurance: a single accidental disclosure of confidential reports across operators would be unrecoverable, both for the airlines involved and for the reporting culture the data depends on.

So the right procurement question is sharp: where, exactly, is the boundary between my data and everyone else's — and what happens if a developer makes a mistake?A vendor that answers “we have controls in place” has not answered it. A vendor that can name the layer where the boundary is enforced has.

There are two places a multi-tenant platform can draw the boundary, and the difference is the whole story.

Isolation in application code.The common pattern. Every query the platform runs must remember to add a clause that says “only this organisation's rows.” When it is present, the data is separated. The catch is the word remember: a platform has thousands of queries, and a new endpoint, a background job, a hand-written report or a refactor can ship a query path that simply forgets the clause. One missing filter and a query returns another operator's rows. The data is always one mistake away from crossing tenants, and the mistake is invisible until it leaks.

Isolation enforced by the database. The boundary is moved below all of that. eAviora applies row-level securityto every shared table, so the database itself refuses to return rows that do not belong to the organisation making the request. A query that arrives without the organisation's context returns zero rows at the database edge— not a partial result, not someone else's data, nothing. The application is no longer the last line of defence. The database is.

This is the load-bearing claim, stated plainly: in eAviora, a query that is missing your organisation's context returns zero rows, across 119 organisation-scoped tables, so a single application bug cannot expose another operator's data. The protection does not depend on every developer, on every future feature, remembering to add a filter. It depends on the database, which forgets nothing.

To keep that guarantee true as the product grows, a continuous-integration gate blocks any new endpoint or table that lacks the tenant filter. The check runs automatically before code can merge. So there are two independent layers working together: code that skips isolation never merges, and if it somehow did, the database still returns nothing. The two layers fail in opposite directions, which is the point.

An IT security or CISO review of a safety platform is, at heart, a search for the single point where a mistake becomes a breach. Database-enforced tenant isolation moves that point to the safest possible place. Here is what to ask for, and what the honest answer looks like.

• “Show me where the tenant boundary is enforced.” The answer is the database, not a code path. Isolation enforced at the database means the boundary holds even when application code is wrong.
• “What happens if a developer forgets the filter?” The query returns zero rows, because the database refuses it — and separately, the continuous-integration gate would have blocked the code from merging in the first place.
• “Does the API or an AI integration see more than a user would?” No. Every machine call runs the same checks as a person; there is no parallel weaker path. An integration cannot reach data a person in the same organisation could not.
• “Is the data in our jurisdiction?” Yes — Canadian data residency (ca-central-1), AES-256 at rest, TLS 1.3 in transit, with a named sub-processor register listing the third parties involved.
• “Can you prove what changed and when?” Yes — a tamper-evident audit trail records every change in the same step it happens, so the log cannot be edited after the fact to hide a change.

The contrast worth naming in a review: many platforms assert isolation on a marketing slide and enforce it only in application code, where one missing filter leaks across tenants. “We have controls in place” is a posture, not a boundary. A query that returns zero rows at the database edge is a boundary.

Database-enforced isolation is the centre of the answer, but a review wants the full picture. The surrounding posture, stated briefly:

• Data residency. Data is held in Canada (ca-central-1).
• Encryption. AES-256 at rest; TLS 1.3 in transit.
• Tamper-evident audit trail. Every change is logged in the same step it happens, so the record of what occurred cannot be quietly altered later.
• Named sub-processor register. The third parties that process data on our behalf are listed by name, not hidden behind a generic clause.
• One path for every caller.The API and the AI assistant run the same authorisation, the same database-enforced isolation and the same audit trail as an interactive user. No machine path is weaker than a person's.
• SOC 2. A SOC 2 examination is in preparation; the architectural controls a review asks about are in place today.

Each of these is documented for procurement. The Trust centre covers residency, encryption and the sub-processor register; the security one-pager is the short artefact a CISO can attach to a review; the developer documentation describes how every machine call is subject to the same checks; and the privacy policy sets out how data is handled. To walk a specific IT review through your operation, contact us.