Security
Tenant isolation by design, not by hope
BaseCrew is built for corporate companies — especially Indian SMEs & MSMEs — who handle sensitive internal and client work. Your organisation's data is never visible to another customer.
Tenant isolation active
org-techfanatic · Enterprise
How we enforce isolation
Security is architectural - enforced at the database, API, storage, and test layers.
Database isolation
Every tenant record includes organizationId. Queries always filter by it - no exceptions.
Session-bound auth
Your session token includes your organization. The server rejects cross-tenant requests.
API enforcement
All routes resolve tenant from session, not from client-supplied IDs alone.
S3 path isolation
Screenshots and files stored under organization-specific paths in object storage.
Automated tests
Isolation test suite with duplicate names across two orgs - run on every deploy.
No UI-only security
We don't rely on hiding menu items in the browser as our security boundary.
Retention & deletion
Active subscription
Data retained while your subscription is active. Screenshots tiered to lower-cost storage over time per plan.
Deactivated account
90-day grace period with email warnings at 30 and 7 days before permanent deletion.
After deletion
Operational data and files permanently removed from our systems.
Full policy details are in our data isolation documentation. Questions? Get in touch via signup.