Identity-based authentication and authorization, with granular access control lists on sections of data all the way down to the container and object level.
Groups, sub-groups, and roles are available, and ACL rights are supported for them as well, which further strengthens the ability to create a secure design.
All data is stored within the EU by a local CSP for real GDPR compliance.
Private and shared data are separated into different databases. The tenant does not have access to the identities' databases and is thereby not able to harvest their data. This is privacy by design.
Every identity has a private database and access to the shared tenant database. Further, the identity may have access to additional groups and their related databases.
Each access is authenticated and requires authorization at the API level, which is automatically managed by the SDK. The Access Control List (ACL) always defines what data access is permitted.
Data is encrypted both at rest and in motion. Additionally, client-side encryption may be used to protect data within the encrypted communication tunnels.