Client Separation at Atlatos
The Atlatos GmbH offers its SaaS platform for business travel and expense management with multi-tenant capability.
In this context, the secure separation of data between different customer companies (tenants) is of central importance – both in terms of data protection (Art. 32 GDPR) and security standards such as ISO/IEC 27001.
This report describes the technical and organizational measures by which Atlatos implements and secures tenant separation within the platform.
1. Type of Tenant Separation
Tenant separation at Atlatos is implemented logically at the software level. Unlike completely separate database instances, the tenant model is based on a central system architecture with a shared database structure, in which each customer organization is managed as an independent logical unit.
No physical database separation
No separate database instances are operated per customer.
All tenants exist within a centrally managed database system.
Credit card data is managed separately.
Logical isolation through application architecture
The application logic enforces tenant contexts, ensuring that all data queries, processing, and storage occur exclusively within the tenant’s own scope.
2. Safeguards for Logical Separation
The consistent logical separation is based on a multi-layered set of measures:
a) Programming guidelines & code standards
Every data query in the code is bound to the context of the logged-in tenant.
Cross-tenant access is not technically provided for and is actively prevented (exception: tenants with sub-tenants or subsidiaries that can be jointly administered).
Strict internal development guidelines for data isolation apply.
b) Automated tests
The build and test pipeline includes automated test scenarios specifically checking tenant isolation.
Negative tests ensure that data from other tenants cannot be loaded, modified, or displayed.
c) Release processes and code reviews
Before each deployment release, a four-eyes principle is applied, reviewing relevant modules.
Highly security-relevant changes undergo extended review by a senior team.
d) External audits & selective code inspections
Independent auditors perform random code reviews and process inspections.
Atlatos follows the BSI baseline protection and ISO 27001 requirements.
3. Protection Against Logical Errors and Unauthorized Access
In addition to software-based separation, the system is designed so that no data leaks between tenants can occur – even in the event of misconfiguration or misuse:
Session and token management: Every interaction with the platform takes place in an authenticated, tenant-specific context.
Rights and role system: Access to tenant data is based strictly on the “need-to-know” principle.
Access logging: All access is audit-proof logged and can be fully traced in case of an incident.
4. Assessment & Conclusion
Although Atlatos does not operate physically separate databases per tenant, the company ensures full logical separation of data through a strict, multi-level protection concept.
The combination of:
Tenant context throughout the data model
Automated test coverage
Strict development and review processes
Independent external audits
…ensures a high level of confidentiality and security for all customer tenants – in compliance with GDPR, ISO 27001, and BSI baseline protection.
Note:
Tenant separation forms the foundation for the multi-tenant capability of the Atlatos platform. Further information on the organizational structure within a customer tenant (e.g., subsidiaries) can be found in the separate multi-tenancy report.
Comments
0 comments
Article is closed for comments.