How it works
- Tenant isolation enforced in the database — every record carries a tenant marker, and the database itself filters reads and writes against the calling session's tenant. There is no application-level "forgot the WHERE clause" failure mode
- Tiered access — records carry a sensitivity tier; lower-tier sessions cannot see higher-tier records, even within the same tenant. Tier change requires an explicit administrative action
- Identity via Keycloak SSO — single sign-on with role-based access; user attributes resolved per request
- Audit log on every write — every create, edit, and delete is logged with who, what, when, and from where
- Audit log on sensitive reads — landowner records (tier-A and tier-B in our sensitivity classification) and tenant-owned work product (reports, interventions, reaches) are logged per-row. Public-tier reads (e.g. broadly-public OGL data, parcel boundaries) are not logged, by policy. Both write- and read-side logs are the substrate for Subject Access Request fulfilment and incident-response forensics
- API access — separately authenticated, separately audited, same tier and tenant enforcement
- Encryption in transit — TLS 1.3 across all customer-facing endpoints
- Encryption at rest — server-side disk encryption; database backups encrypted with age before leaving the host
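The first two bullets describe the isolation model; the following is an added illustration of how a database can enforce both the tenant marker and the sensitivity tier itself. It is not Ecology App's own schema: it assumes PostgreSQL row-level security, session settings named app.tenant_id and app.tier, a table called landowner, and an application role without BYPASSRLS.

```sql
-- Added illustration, not Ecology App's own schema: PostgreSQL row-level security
-- enforcing the tenant marker and the sensitivity tier inside the database.
-- Assumed session settings: app.tenant_id (caller's tenant) and app.tier
-- (caller's clearance: 0 = public, 1 = tier-B, 2 = tier-A).
-- The application role is assumed to be a plain role (no SUPERUSER, no BYPASSRLS).

CREATE TABLE landowner (
    id        bigserial PRIMARY KEY,
    tenant_id uuid      NOT NULL,
    tier      smallint  NOT NULL CHECK (tier BETWEEN 0 AND 2),
    name      text      NOT NULL
);

ALTER TABLE landowner ENABLE ROW LEVEL SECURITY;
ALTER TABLE landowner FORCE ROW LEVEL SECURITY;   -- the table owner is not exempt

-- Fail closed: an unset or empty setting becomes NULL, the comparison is NULL,
-- and the row is hidden rather than the whole table being exposed.
CREATE FUNCTION caller_tenant() RETURNS uuid LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid $$;
CREATE FUNCTION caller_tier() RETURNS smallint LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.tier', true), '')::smallint $$;

-- USING filters reads, updates and deletes; WITH CHECK rejects inserts or updates
-- that would move a row into another tenant or above the caller's own tier.
CREATE POLICY landowner_tenant_tier ON landowner FOR ALL
  USING      (tenant_id = caller_tenant() AND tier <= caller_tier())
  WITH CHECK (tenant_id = caller_tenant() AND tier <= caller_tier());

-- Per-request setup the application runs after SSO resolves the user.
-- SET LOCAL is transaction-scoped, so nothing lingers on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- placeholder tenant
SET LOCAL app.tier = '1';                                          -- tier-B session
SELECT id, name FROM landowner;   -- tier-A rows (tier = 2) and other tenants' rows are absent
COMMIT;
```

The policy caps what a session can write at its own tier; the separate rule that a tier change needs an explicit administrative action would live in a trigger or a dedicated admin role rather than in this policy.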
Multi-user with permission levels
Inside your tenancy, you control who sees what. The permission model is built for the way consultancies, conservation organisations, and partnerships actually work — different roles see different slices of the same map, at the right time, in the right context.
Share hero images and curated data with your client
For promotion and engagement, share the visuals that tell the story — site photos, hero images, public progress narratives. Clients see the polished surface; the underlying data stays where it belongs.
Share detailed data selectively, at the right time
As the engagement matures, expose detailed layers to specific client users where it adds value — at the right time, in the right context, without surfacing everything by default.
Full access for you and your team
As operator or consultant, you have full access to the raw data underneath. Team members move through it quickly, with no tripping over the wrong data, no worrying about whether something is fresh, no chasing versions across email threads or shared drives. One source of truth.
Text, image, sound, video — all captured on the platform
Site visits produce more than spreadsheets. Photos, voice notes, drone footage, recordings of community workshops, design sketches — all can be captured against the relevant parcel, project, or partnership, and surfaced through the same permission model.
Standards alignment
Ecology App's security controls are designed to align with the principles of ISO 27001:2022 (Information Security Management) and assessed against OWASP ASVS Level 2. Ecology App is not yet certified to these standards. We do run the integrated management system — the procedures, management reviews, and internal audits — that certification would require. We'll pursue formal certification once revenue justifies the audit cost.
Security review
Internal audit cycle on a rolling cadence — automated scans (Trivy, Semgrep, ZAP), code review, and quarterly tabletop. External pentest scheduled on the same cadence. Findings are tracked within the project's audit programme.