Security
Multi-tenant SaaS is a security claim. Here's ours.
A franchise platform holds many companies' data by definition, so the isolation model is the product. This page describes how Franexis actually enforces it — specifically, not in trust-badge generalities.
Tenant isolation in the database
Every business table carries a tenant identifier protected by PostgreSQL row-level security. A franchise brand's data is invisible to every other tenant at the query layer — isolation isn't an application promise, it's a database policy.
Franchisee-level scoping
Within a network, franchisee membership scopes what each location's users can reach. Field technicians are scoped tighter still: assignment-based access to their own work orders and jobs.
Multi-factor authentication
TOTP-based MFA with hashed recovery codes and administrative reset. Tenants set their own policy — off, required for admins, or required for everyone.
Roles with server-side enforcement
Six built-in roles from platform admin to field technician. The UI uses permissions only as affordances — every mutation re-checks authorization server-side through row-level security and scoped functions.
Hardened API surface
External API access uses scoped bearer keys with per-key rate limiting (proper 429 + Retry-After) and idempotency. Webhooks are HMAC-signed outbound and HMAC-verified inbound; public forms carry captcha protection.
Files and audit trail
Documents, photos, and PDFs live in private storage buckets with path-scoped policies and signed-URL-only access. Administrative and data changes land in an audit log.
The model
Who sees what, exactly
The tenancy model in one pass — this is the structure row-level security enforces on roughly one hundred tables.
- A tenant is a franchise brand; franchisees are locations within it
- Platform admins (the operator) manage tenants — tenants never see each other
- Franchisor roles see across their own network; franchisee roles see their own location
- Field technicians see work assigned to them — nothing else
- Mobile app users authenticate as themselves and pass through the same row-level security as the web
- Data is programmatically yours: documented REST API, webhooks, and exports
Questions
Security review?
Evaluating Franexis for your network and need specifics for a security questionnaire? Contact us — we'd rather answer precise questions than publish vague badges.
Bring your security questionnaire
We'll walk your team through the isolation model, auth, storage, and API security — with the actual policies, not a marketing summary.