VaultTerm

Organizations and tenancy

An organization is the tenant — the isolation and billing boundary — and every query is scoped to it by Postgres row-level security keyed on org_id.

Updated Jun 23, 2026

In VaultTerm an organization is the tenant. It is the unit that owns vaults, users, teams, and audit history, and it is the boundary that billing and isolation are drawn around. Everything a user can see or do is scoped to the org they belong to.

The isolation boundary

Tenant isolation is enforced in the database, not just in application code. Every row that belongs to a tenant carries an org_id, and Postgres row-level security (RLS) policies, keyed on that org_id, restrict every query to the caller’s org. The application sets the active tenant for the connection before running a query, so a query that forgets to filter by org still returns nothing from another tenant — the policy fails closed rather than leaking. For the full mechanism, see Tenant isolation.

This is the foundation of the platform’s security posture: the broker can decrypt a secret in memory for an authorized action, but it can only ever do so for resources within the caller’s own org.
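The policy shape described above, as an added example that is not VaultTerm's own schema: one tenant-scoped table, a policy that reads the active org from a session setting, and the per-transaction pattern the application uses to set it. The table, column, role and setting names (secrets, org_id, app_user, app.current_org_id) and the sample UUIDs are assumptions for illustration.

```sql
-- Added example, not VaultTerm's own schema. Names are assumptions.

-- A non-superuser login role for the application. Superusers and roles
-- with BYPASSRLS skip row-level security entirely, so the application
-- must never connect as one of those.
CREATE ROLE app_user LOGIN NOBYPASSRLS;

-- Every tenant-owned row carries the org it belongs to.
CREATE TABLE secrets (
    id         bigserial PRIMARY KEY,
    org_id     uuid  NOT NULL,
    name       text  NOT NULL,
    ciphertext bytea NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON secrets TO app_user;

-- Enable RLS and force it for the table owner as well, so a connection
-- that happens to own the table cannot bypass the policy by accident.
ALTER TABLE secrets ENABLE ROW LEVEL SECURITY;
ALTER TABLE secrets FORCE ROW LEVEL SECURITY;

-- The active tenant is read from a session setting. current_setting(..., true)
-- returns NULL when the setting was never set, and NULLIF maps '' (a reset
-- setting) to NULL too. "org_id = NULL" is never true, so a connection with
-- no tenant set sees no rows and can write none: the policy fails closed.
CREATE POLICY tenant_isolation ON secrets
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Application pattern: set the tenant inside the transaction with SET LOCAL,
-- so it is discarded at COMMIT/ROLLBACK and cannot leak into the next
-- transaction that reuses this pooled connection.
BEGIN;
SET LOCAL app.current_org_id = '9b2f1c4e-5a6d-4b7c-8e9f-0a1b2c3d4e5f';  -- constructed sample org
SELECT id, name FROM secrets;  -- only this org's rows, even with no WHERE org_id = ...
COMMIT;

-- A write for another org is rejected by WITH CHECK, so a bug in the
-- application cannot plant rows across tenants either.
BEGIN;
SET LOCAL app.current_org_id = '9b2f1c4e-5a6d-4b7c-8e9f-0a1b2c3d4e5f';
INSERT INTO secrets (org_id, name, ciphertext)
    VALUES ('1d3e5f70-2b4c-4d6e-8f90-a1b2c3d4e5f6', 'db-password', '\x00');
    -- ERROR: new row violates row-level security policy for table "secrets"
ROLLBACK;

-- With no tenant set at all, the same query returns nothing rather than
-- every org's rows.
SELECT count(*) FROM secrets;  -- 0
```

Two checks worth running against a real deployment of this pattern: confirm the application role has neither SUPERUSER nor BYPASSRLS (`SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user'`), and confirm the tenant is set with `SET LOCAL` or `set_config(name, value, true)` rather than a session-level `SET`, since a session-level value survives the transaction and would follow the connection back into the pool.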

How users land in an org

  • Individual email signups get their own org. A person who signs up for the free tier is an org-of-one, isolated like any other tenant.
  • A shared Default org historically co-tenanted accounts that predate per-account isolation. This existed only to keep early accounts working; new individual signups land in their own org, not the Default one.
  • Enterprise users are provisioned into their organization through SSO or SCIM — see SSO and SCIM.

Creating a dedicated org from an existing personal account is supported only for fresh accounts: the caller must be in the Default org or a personal org and must own no vaults, because cross-org data migration is not supported.

Org roles

The organization has three roles, distinct from the vault and team roles:

Org role   Scope
owner      Full control of the organization, including its members and settings
admin      Manage members and org configuration
member     A regular user of the org

Org owner and admin are the roles that administer the tenant itself — inviting members, configuring identity, and managing billing. See Roles and permissions for how these relate to the vault and team roles.

Offboarding

Because every resource is scoped to the org, offboarding is a single step: removing a user from the organization removes their access everywhere within it at once — every team they were in, every vault shared with them, every session they could broker. There is no per-resource cleanup to chase, and the removal lands in the tamper-evident audit trail like any other privileged action.

Where to go next