Workspace Data Isolation & Multi-Tenant Security
Every workspace is an isolated silo — database-level filtering and workspace-scoped encryption keys make cross-tenant access architecturally impossible
Overview
Instafill.ai is a multi-tenant platform: many organizations use it simultaneously, on shared infrastructure. The central security question for any multi-tenant system is: can Organization A ever see Organization B's data? The answer for Instafill is no — not through a bug, not through misconfiguration, not by Instafill staff — and this page explains how that isolation is enforced at every layer.
Isolation is implemented at two independent levels that must both be bypassed simultaneously for any cross-tenant access to occur:
Database-level: Every query against every collection includes a
workspaceIdfilter. A session, form, profile, or source file can only be retrieved if the requesting user'sworkspaceIdmatches the record'sworkspaceId.Cryptographic level: Every workspace's data is encrypted with a unique set of keys stored in Azure Key Vault, scoped to that workspace. Even if a database query somehow returned the wrong records, the data would be encrypted with the wrong key and unreadable.
How Database-Level Isolation Works
Authentication Middleware Extracts Workspace Identity
Every API request to Instafill is authenticated before any business logic runs. The authentication layer:
- Validates the JWT token (signature, expiry, audience claim)
- Identifies the user and their active workspace
- Attaches the workspace ID to the request context for all downstream operations
There is no path to the filling pipeline, form retrieval, or session access that bypasses this step.
Every Query Filters by Workspace
Once the workspace ID is established for a request, it is injected into every database query. A session, form, profile, or source file can only be retrieved when the database query explicitly matches both the record ID and the requesting workspace's ID — a record belonging to Workspace B cannot be returned in response to a Workspace A request, even if the record IDs happen to match.
This filtering applies to every data type: sessions, forms, profiles, batch jobs, and source files. No query retrieves records without a workspace scope.
What This Means in Practice
- A user in Workspace A cannot access sessions created in Workspace B, even with knowledge of the session ID
- Form templates are workspace-scoped — a form uploaded in one workspace does not appear in another
- Profiles, source documents, and batch jobs are all workspace-isolated
- API keys are workspace-scoped — an API key from one workspace cannot access another workspace's data
How Cryptographic Isolation Works
Workspace-Scoped Encryption Keys
Each workspace has its own set of AES-256 encryption keys, stored in Azure Key Vault under a key name derived from the workspace ID. Key management:
- Generates a set of 5 AES-256 keys (32 random bytes each) per workspace
- Stores them in Azure Key Vault scoped to that workspace's secret name
- Uses random key selection from the set for each encryption operation (key rotation)
- Stores the key index alongside the ciphertext so the correct key is used for decryption
When source text or file data is encrypted, the workspace ID is included in the encryption scope metadata — the ciphertext can only be decrypted in the context of the originating workspace.
What Azure Stores
Azure Key Vault stores encrypted key material — the keys themselves are encrypted using a root cache encryption key before being stored. Azure Blob Storage stores encrypted file data — AES-256 encrypted before upload, with the encryption keys held in Key Vault. Azure itself cannot decrypt either the keys or the file data without Instafill's application logic.
Encryption in the Filling Pipeline
When autofill runs, source text is decrypted in memory immediately before being passed to the AI provider. The decrypted text exists only in the application's working memory for the duration of that operation — it is not logged, not written to disk in decrypted form, and not accessible to other requests. After the AI call completes and field values are stored, the in-memory decrypted text is no longer referenced.
File Storage Isolation
Files stored in Azure Blob Storage are organized under a path structure that includes user and session identifiers:
filled-pdf/{user_id}/{session_id}/{filename}
There is no shared blob namespace where one workspace's files could be accessed by another. SAS (Shared Access Signature) tokens generated for file access are scoped to specific blob paths and time windows — they cannot be used to enumerate or access other users' files.
Workspace Roles and Internal Access Control
Within a workspace, access is further controlled by roles:
| Role | Forms | Sessions | Sources | Settings |
|---|---|---|---|---|
| Owner | Full access | Full access | Full access | Full access |
| Admin | Full access | Full access | Full access | Most settings |
| Member | Fill & view | Own sessions | Upload | None |
| Viewer | View only | View only | None | None |
Role enforcement happens at the API endpoint level in addition to workspace-level isolation. A Member cannot access Owner-only endpoints even within the same workspace.
Organization-Level Policy Enforcement
Organizations contain one or more workspaces. Organization-level security policies apply across all workspaces in the organization:
- 2FA enforcement: Org admins can require all members to have 2FA enabled before accessing any workspace
- IP restrictions: Org-level IP allowlist/blocklist policies applied at login
- Session timeout: Organization-configurable maximum session duration
- SSO enforcement: Organizations using SSO can prevent password-based login for all members
These policies are enforced at authentication time and cannot be bypassed by workspace-level settings.
What Instafill Staff Can Access
Instafill's engineering and support staff have administrative database access for infrastructure operations and support purposes. This access is:
- Logged and auditable — all administrative database access is logged
- Scoped to operational necessity — support staff do not routinely access customer data
- Protected by the same encryption — even with database access, encrypted field values and files require the workspace's encryption keys to be readable
For healthcare and legal customers with strict PHI/attorney-client privilege requirements, Instafill can discuss contractual access restrictions and audit log delivery. Contact sales.
Security & Privacy
- Defense in depth: Database filtering and cryptographic isolation are independent controls — both must fail simultaneously for cross-tenant access to be possible
- No shared encryption keys: Workspace A's encryption key set is never used to encrypt Workspace B's data, regardless of which server processes the request
- Isolation at query time, not application time: The workspace filter is applied at the database query level, not as an application-layer filter that could be bypassed by a code bug — MongoDB returns only workspace-scoped records
- Audit trails: All access to sessions, forms, and sources is logged with workspace and user identifiers, supporting forensic review if needed
Common Questions
Can Instafill employees read my documents?
With direct database access, Instafill staff can see encrypted records — field values and source text stored as ciphertext. Decrypting those records requires the workspace's encryption keys from Azure Key Vault, which is a separate system with its own access controls and audit logging.
In normal operations, support staff do not access customer data without explicit permission from the customer. For regulated industries requiring contractual limitations on staff access, this can be addressed in a BAA or DPA.
What happens if there's a bug in the workspace filter?
The cryptographic layer provides defense in depth for exactly this scenario. If a query somehow returned records from the wrong workspace, those records would be encrypted with the wrong workspace's key. The application would attempt decryption with the requesting workspace's key and fail — the data would be unreadable garbage.
The likelihood of both the database filter and the cryptographic isolation failing simultaneously is extremely low. The systems are independent and failure modes do not compound.
Are workspaces within the same organization isolated from each other?
Yes. Each workspace has its own workspaceId and its own encryption key set, regardless of whether workspaces belong to the same organization. An Admin of Workspace A within an organization cannot access the forms, sessions, or sources of Workspace B in the same organization unless they are also a member of Workspace B.
The organization layer controls policies (2FA, IP restrictions, SSO) but does not grant cross-workspace data access.
What is the scope of API key access?
API keys are workspace-scoped. An API key generated in Workspace A can only access Workspace A's data — sessions, forms, profiles, and batch jobs. The key cannot be used to query other workspaces, even within the same organization.
See API Key Management for full detail on key creation, rotation, and revocation.