Logical data separation
Last updated: Jun 17, 2026
The platform stores all client data in a shared NoSQL database. Separation between clients is enforced at two layers.
Data model layer: Almost all records in the database are scoped to an organization, group, or user, with that identifier embedded in their composite key. Querying requires an exact partition key, and the platform's data access is built exclusively around such key-scoped queries, with no full-table scans. This creates a logical barrier between the data of different clients.
Application layer: Authorization is evaluated on every API request, not only at authentication time. It runs every time a function is executed. The application denies access by default: a valid session grants no data access on its own, but rather, access to each organization and group requires an explicit role assignment. See Authorization for clients for details.
The key structure supports natural data scoping by client, while the authorization layer is the enforced security control that prevents any authenticated user from accessing data outside the organizations and groups they have been explicitly granted access to.
Other confidentiality measures
Encryption in transit
Fluid Attacks ensures data security with TLSv1.3, HSTS, and 30-day certificate renewals, maintaining an SSL Labs A+ rating across all connections.
No personal gain
Fluid Attacks prohibits the exploitation of discovered vulnerabilities for personal gain. It ensures confidentiality and integrity in all engagements.