Data Privacy & Isolation
Every tenant in whoot. operates in a fully isolated environment. Your data — channels, recordings, transcripts, members, and configurations — is invisible to other tenants by design.
Tenant Data Isolation
whoot. is a multi-tenant platform, meaning many organisations share the same infrastructure. However, data isolation between tenants is absolute. This is enforced at multiple levels:
- Database-level isolation — Row-level security (RLS) policies enforce that every database query is scoped to the authenticated user's tenant. Even if application code were to contain a bug, the database would reject cross-tenant data access.
- API-level validation — Every API endpoint validates tenant membership before processing a request. A user can only access resources belonging to tenants they are a member of.
- Audio stream isolation — Voice audio is routed within tenant boundaries. Users in one tenant cannot hear or join channels belonging to another tenant.
- Storage isolation — Recordings and transcripts are stored with tenant-scoped access controls. Files belonging to one tenant cannot be accessed by another.
Row-Level Security
Row-level security (RLS) is the foundation of whoot.'s data isolation model. RLS policies are enforced at the database engine level, not in application code. This means:
- Queries are automatically filtered to only return rows the authenticated user is authorised to see
- INSERT, UPDATE, and DELETE operations are similarly constrained — users cannot modify data outside their tenant
- RLS policies cannot be bypassed by the application layer. Even administrative API endpoints operate within RLS boundaries
- Policies are tested and validated as part of the deployment pipeline
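The following is an added example of the kind of row-level security the two preceding sections describe; it is not whoot.'s own schema or policy text, and the page does not name the database engine, so PostgreSQL syntax is assumed. The table names, the `whoot_app` role, the `app.user_id` session variable and the `current_app_user()` helper are illustrative assumptions.

```sql
-- Added example, not whoot.'s own schema: PostgreSQL row-level security that
-- scopes every query to the tenants the caller belongs to. Table names, the
-- whoot_app role and the app.user_id session variable are assumptions.
CREATE TABLE tenants (
    id   uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    name text NOT NULL
);

CREATE TABLE memberships (
    tenant_id uuid NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    user_id   uuid NOT NULL,
    role      text NOT NULL,
    PRIMARY KEY (tenant_id, user_id)
);

CREATE TABLE recordings (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    channel   text NOT NULL,
    path      text NOT NULL
);

-- The role the API server runs queries as. It does not own the tables, so
-- RLS applies to it; FORCE below makes the policies apply to the owner too,
-- leaving no privileged path that skips the filter.
CREATE ROLE whoot_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON memberships, recordings TO whoot_app;

ALTER TABLE memberships ENABLE ROW LEVEL SECURITY;
ALTER TABLE memberships FORCE  ROW LEVEL SECURITY;
ALTER TABLE recordings  ENABLE ROW LEVEL SECURITY;
ALTER TABLE recordings  FORCE  ROW LEVEL SECURITY;

-- The authenticated user id is read from a transaction-local setting. When
-- the setting is absent, current_setting(..., true) returns NULL, no row
-- matches, and a request that forgot to establish identity sees nothing
-- rather than everything.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- A user can see only their own membership rows.
CREATE POLICY own_memberships ON memberships
    USING (user_id = current_app_user());

-- Reads (USING) and writes (WITH CHECK) are both scoped, so a user can neither
-- read nor insert/update a recording in a tenant they do not belong to. The
-- subquery itself runs under the memberships policy above.
CREATE POLICY tenant_scoped_recordings ON recordings
    USING (tenant_id IN (SELECT tenant_id FROM memberships
                         WHERE user_id = current_app_user()))
    WITH CHECK (tenant_id IN (SELECT tenant_id FROM memberships
                              WHERE user_id = current_app_user()));

-- One API request, with constructed ids. SET LOCAL reverts at COMMIT or
-- ROLLBACK, so a pooled connection cannot carry one user's identity into the
-- next request. The login role must have been granted membership in whoot_app.
BEGIN;
SET LOCAL ROLE whoot_app;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';

-- Returns only recordings in this user's tenants, even though the query has
-- no WHERE tenant_id = ... clause of its own.
SELECT id, channel FROM recordings;

-- Fails with "new row violates row-level security policy" if the user is not
-- a member of tenant 22222222-..., which aborts the transaction.
INSERT INTO recordings (tenant_id, channel, path)
VALUES ('22222222-2222-2222-2222-222222222222', 'general', 'recordings/general-001.ogg');
ROLLBACK;
```

Two checks worth keeping in a deployment pipeline for a setup like this: that the API never connects as a superuser or a role with `BYPASSRLS` (those bypass policies regardless of `FORCE`), and that every tenant-owned table actually has `ENABLE ROW LEVEL SECURITY` set, since a table with RLS disabled silently returns every row to anyone with `SELECT`.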
Real-Time Permission Enforcement
Beyond tenant isolation, whoot. enforces granular permissions in real time:
- Permission checks on every request — Every API call verifies the user's role and permissions before executing
- Periodic session validation — The client periodically verifies the user's session is still valid. If a user's membership is revoked by an admin, they are automatically signed out within seconds
- Force logout on revocation — When a user's access is revoked or their session expires, they are immediately disconnected from all voice channels and redirected to the login page
Data Retention Policies
whoot. provides configurable data retention policies so you control exactly how long your data is kept:
When data exceeds its retention period, it is automatically and permanently deleted. This deletion is irreversible — there are no backups or recovery options for expired data.
Tenant Deletion
When a tenant owner deletes their workspace, all associated data is permanently removed:
- All voice channels and their configurations
- All recordings and transcripts
- All member assignments and role definitions
- All billing and subscription data
- All audit logs
- All SSO and MFA configurations
Tenant deletion requires multiple confirmation steps and can only be performed by the tenant owner. The system verifies there are no blocking conditions (such as outstanding invoices or other active members) before proceeding. The deletion event itself is logged for platform-level compliance.
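As an added illustration of the deletion guard just described (not whoot.'s own code; PostgreSQL is assumed, and the tables, the typed-name confirmation and the `platform_events` table are assumptions), the checks can be done inside one transaction so that ownership, confirmation and blocking conditions are all verified before the cascade runs:

```sql
-- Added example, not whoot.'s own code: a transactional tenant-deletion guard.
-- Table and column names, the typed-name confirmation and platform_events
-- are assumptions for illustration.
CREATE TABLE tenants (
    id       uuid PRIMARY KEY,
    name     text NOT NULL,
    owner_id uuid NOT NULL
);
CREATE TABLE memberships (
    tenant_id uuid NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    user_id   uuid NOT NULL,
    active    boolean NOT NULL DEFAULT true,
    PRIMARY KEY (tenant_id, user_id)
);
CREATE TABLE invoices (
    id        uuid PRIMARY KEY,
    tenant_id uuid NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    paid      boolean NOT NULL DEFAULT false
);
-- Tenant-scoped audit log: removed together with the tenant by the cascade.
CREATE TABLE audit_logs (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    event     text NOT NULL,
    at        timestamptz NOT NULL DEFAULT now()
);
-- Platform-level log: deliberately has no foreign key to tenants, so the
-- deletion record survives the cascade that wipes the tenant's own audit log.
CREATE TABLE platform_events (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    actor_id  uuid NOT NULL,
    event     text NOT NULL,
    at        timestamptz NOT NULL DEFAULT now()
);

CREATE FUNCTION delete_tenant(p_tenant uuid, p_actor uuid, p_confirmed_name text)
RETURNS void LANGUAGE plpgsql AS $$
DECLARE
    t tenants%ROWTYPE;
BEGIN
    -- Lock the row so two concurrent deletion attempts cannot both pass the
    -- checks below.
    SELECT * INTO t FROM tenants WHERE id = p_tenant FOR UPDATE;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'tenant not found';
    END IF;
    -- Only the tenant owner may delete the workspace.
    IF t.owner_id <> p_actor THEN
        RAISE EXCEPTION 'only the tenant owner can delete the workspace';
    END IF;
    -- Second confirmation step: the caller must retype the workspace name.
    IF p_confirmed_name IS DISTINCT FROM t.name THEN
        RAISE EXCEPTION 'confirmation name does not match';
    END IF;
    -- Blocking conditions: unpaid invoices or other active members.
    IF EXISTS (SELECT 1 FROM invoices WHERE tenant_id = p_tenant AND NOT paid) THEN
        RAISE EXCEPTION 'outstanding invoices must be settled first';
    END IF;
    IF EXISTS (SELECT 1 FROM memberships
               WHERE tenant_id = p_tenant AND active AND user_id <> p_actor) THEN
        RAISE EXCEPTION 'remove other active members first';
    END IF;
    -- Record the event at platform level before the cascade removes the
    -- tenant's audit_logs rows.
    INSERT INTO platform_events (tenant_id, actor_id, event)
    VALUES (p_tenant, p_actor, 'tenant.deleted');
    -- Cascades to memberships, invoices, audit_logs and any other table that
    -- references tenants(id) ON DELETE CASCADE.
    DELETE FROM tenants WHERE id = p_tenant;
END;
$$;

-- Usage with constructed ids; any RAISE above rolls the whole call back.
SELECT delete_tenant('aaaaaaaa-0000-0000-0000-000000000001',
                     '11111111-1111-1111-1111-111111111111',
                     'Acme Workspace');
```

Because every check and the final `DELETE` run in one transaction, a failed check leaves nothing half-deleted, and the `platform_events` row is only committed if the deletion itself commits.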
GDPR & Data Subject Rights
whoot. supports the rights of data subjects under GDPR and similar privacy regulations:
- Right to access — Users can view all their personal data stored in whoot. through their account settings and the audit log
- Right to erasure — Account deletion removes all personal data. Tenant deletion removes all organisational data. Retention policies automate deletion of time-sensitive data
- Right to portability — Audit logs can be exported as CSV or JSON for compliance reporting and data portability
- Data minimisation — whoot. only collects data necessary for the service to function: email address, display name, and workspace membership
- Consent management — Cookie consent is requested on first visit and can be withdrawn at any time
Recording & Transcription Consent
When recording or transcription is enabled on a channel, whoot. provides clear notification to all participants:
- A visible recording indicator (red dot) appears in the channel header whenever recording is active
- All participants can see that recording is enabled before they join the channel
- Administrators can only enable recording if they have the appropriate RBAC permission
- Recording access is controlled by permissions — not all users can view or download recordings
Cross-Tenant Security Boundaries
Users who belong to multiple tenants operate under strict boundaries:
- Permissions are resolved per tenant — admin access in one tenant does not grant any access in another
- Session tokens are scoped — API requests are validated against the specific tenant being accessed
- The tenant switcher in the header changes the active context entirely — there is no data bleed between tenants
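The following added example ties together the real-time enforcement bullets earlier on the page (permission checks on every request, periodic session validation, force logout on revocation) and the cross-tenant boundaries just listed. It is not whoot.'s own schema; PostgreSQL with the `pgcrypto` extension is assumed, and the table names, the `session_has_permission()` function and the permission strings are illustrative assumptions.

```sql
-- Added example, not whoot.'s own schema: sessions issued for one
-- (tenant, user) pair, with permissions resolved per tenant and revocation
-- invalidating the session via a cascading foreign key. Names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;  -- for digest()

CREATE TABLE memberships (
    tenant_id uuid NOT NULL,
    user_id   uuid NOT NULL,
    role      text NOT NULL,
    PRIMARY KEY (tenant_id, user_id)
);

CREATE TABLE role_permissions (
    role       text NOT NULL,
    permission text NOT NULL,
    PRIMARY KEY (role, permission)
);

-- A session belongs to exactly one membership. ON DELETE CASCADE means that
-- revoking the membership deletes every session issued under it; the client's
-- next periodic validation then fails and it signs the user out.
CREATE TABLE sessions (
    token_hash bytea PRIMARY KEY,   -- store a hash of the token, never the token
    tenant_id  uuid NOT NULL,
    user_id    uuid NOT NULL,
    expires_at timestamptz NOT NULL,
    FOREIGN KEY (tenant_id, user_id)
        REFERENCES memberships (tenant_id, user_id) ON DELETE CASCADE
);

-- Per-request check. The tenant is taken from the session row and compared
-- with the tenant the request is addressed to, so a token issued for tenant A
-- is useless against tenant B even if the user is a member of both. Returns
-- false for unknown, expired or revoked sessions.
CREATE FUNCTION session_has_permission(p_token_hash bytea, p_tenant uuid, p_permission text)
RETURNS boolean LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
        FROM sessions s
        JOIN memberships m
          ON (m.tenant_id, m.user_id) = (s.tenant_id, s.user_id)
        JOIN role_permissions rp ON rp.role = m.role
        WHERE s.token_hash = p_token_hash
          AND s.tenant_id  = p_tenant        -- token must be scoped to this tenant
          AND s.expires_at > now()
          AND rp.permission = p_permission
    )
$$;

-- Constructed data: one user who is admin in tenant A and a member in tenant B,
-- holding a session issued for tenant A only.
INSERT INTO role_permissions VALUES
    ('admin',  'recording.enable'),
    ('admin',  'recording.view'),
    ('member', 'recording.view');
INSERT INTO memberships VALUES
    ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111', 'admin'),
    ('bbbbbbbb-0000-0000-0000-000000000002', '11111111-1111-1111-1111-111111111111', 'member');
INSERT INTO sessions VALUES
    (digest('constructed-token-for-tenant-a', 'sha256'),
     'aaaaaaaa-0000-0000-0000-000000000001',
     '11111111-1111-1111-1111-111111111111',
     now() + interval '1 hour');

-- Admin permission in tenant A: true.
SELECT session_has_permission(digest('constructed-token-for-tenant-a', 'sha256'),
                              'aaaaaaaa-0000-0000-0000-000000000001', 'recording.enable');

-- Same token presented against tenant B: false, although the user is a member
-- there. Access to B needs a session issued for B (the tenant switcher).
SELECT session_has_permission(digest('constructed-token-for-tenant-a', 'sha256'),
                              'bbbbbbbb-0000-0000-0000-000000000002', 'recording.view');

-- An admin revokes the membership in A. The cascade removes the session row,
-- so the same check now returns false and the client is forced to sign out.
DELETE FROM memberships
 WHERE tenant_id = 'aaaaaaaa-0000-0000-0000-000000000001'
   AND user_id   = '11111111-1111-1111-1111-111111111111';
SELECT session_has_permission(digest('constructed-token-for-tenant-a', 'sha256'),
                              'aaaaaaaa-0000-0000-0000-000000000001', 'recording.enable');
```

The design choice to note is that revocation is not a flag the application must remember to consult: the session ceases to exist as a side effect of the membership being removed, so there is no code path on which a stale token keeps working until some cache expires.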
Next Steps
- Security Architecture — Encryption and transport security
- Authentication Security — MFA, SSO, and session management
- Security & Compliance — Audit logging and compliance frameworks
- Tenant Management — Create and manage workspaces