story-org-selection-onboarding-coordinator-006
Story Points: 8
Priority: Critical
Feature: Organization Selection & Onboarding

User Story

As a Coordinator
I want my activities, contacts, and personal data to be strictly isolated to my selected organization
So that I cannot accidentally view or modify data belonging to another organization, and my own data remains private

Acceptance Criteria

  • Given a peer mentor selects organization A, when they view their contacts or activities, then only data associated with organization A is returned
  • Given a peer mentor switches to organization B, when they view their contacts or activities, then only data associated with organization B is returned and no data from organization A is visible
  • Given a database query is attempted without an active tenant context, when the org data isolation guard detects this state, then the query is blocked and an error is logged
  • Given the RLS tenant configurator sets the session, when a Supabase query is executed, then the Supabase RLS policies enforce data isolation at the database level independently of client-side filtering
  • Given a peer mentor logs out, when a new session begins with a different organization selection, then no cached data from the previous organization session remains accessible
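
The database-level half of these criteria (the tenant context the "RLS tenant configurator" sets, the policies that enforce isolation regardless of client filtering, and the fail-closed behaviour when no tenant context is active) can be sketched in Postgres/Supabase SQL. The block below is an added example, not code from this story or the project's code base. It assumes a `contacts` table carrying an `org_id`, a `memberships` table linking `auth.users` ids to organizations, and an application layer that sets the selected organization in a transaction-local setting named `app.current_org_id`; all table, column and setting names are assumptions. `auth.uid()` is Supabase's helper for the calling user's id and does not exist in plain Postgres.

```sql
-- Added example, not project code. Table, column and setting names are assumptions.

create table if not exists memberships (
  user_id uuid not null,            -- auth.users.id
  org_id  uuid not null,
  primary key (user_id, org_id)
);

create table if not exists contacts (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  owner  uuid not null,             -- auth.users.id of the coordinator who created it
  name   text not null
);

alter table contacts enable row level security;
alter table contacts force row level security;  -- policies also bind the table owner

-- The organization selected for this transaction, or NULL when none was set.
-- current_setting(name, true) returns NULL instead of raising when the setting is
-- missing, so every policy below evaluates to NULL (i.e. false) and matches no rows.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.current_org_id', true), '')::uuid
$$;

-- Rows are visible and writable only for the selected org, and only when the
-- caller is actually a member of that org (so a mis-set tenant cannot widen access).
create policy contacts_tenant_isolation on contacts
  for all
  using (
    org_id = current_org_id()
    and exists (select 1 from memberships m
                where m.user_id = auth.uid() and m.org_id = contacts.org_id)
  )
  with check (
    org_id = current_org_id()
    and exists (select 1 from memberships m
                where m.user_id = auth.uid() and m.org_id = contacts.org_id)
  );

-- What the tenant configurator does per request: set the org for this transaction
-- only (is_local = true). A session-level SET would leak to the next client that
-- reuses the connection through a transaction-mode pooler.
begin;
select set_config('app.current_org_id', '00000000-0000-0000-0000-00000000000a', true);  -- constructed org A id
select id, name from contacts;   -- only org A rows, and only if auth.uid() is a member of A
commit;

-- Outside that transaction the setting is gone; the same query yields no rows, not all rows.
select id, name from contacts;
```

Two points worth checking when reviewing the real implementation: first, requests made with Supabase's service-role key bypass RLS entirely, so any server-side code path that uses it must still apply the application-level isolation guard; second, the `current_setting(..., true)` form is what makes a missing tenant context fail closed, whereas a policy that raises or defaults to a broad value would not satisfy the third criterion above.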

Business Value

Data isolation between organizations is a fundamental GDPR and contractual requirement. Each organization has independent membership lists, activity records, and sensitive health-adjacent data. A breach of isolation — even accidental — could expose personal data to unauthorized parties, trigger regulatory penalties, and destroy trust with the partner organizations. Implementing this at the RLS level provides defense-in-depth: even if client-side logic has a bug, the database enforces isolation.