Tenancy & isolation
Every team's Wok is its own private setup. Your data is isolated from every other tenant from the moment the Wok is provisioned — at the database layer, at the Docker network layer, and at the cp's authorization layer.
Your own database (shipped)
Each Wok gets its own Postgres instance in its own container, with its own credentials — not a shared table with a "company id" column you have to trust. A bug in someone else's app simply can't reach your data, because it's a different database.
Each Wok also runs on its own private network, so no other team's services can reach yours — even when they share a host. Inbound requests are routed to your Wok by hostname, and no other tenant ever sees it.
Authorization boundary (shipped)
Every request that touches a Wok is authorized server-side against the team that owns it. If it comes from another team, the response is a 404 with no leak (not a 403 — the Wok's very existence isn't revealed). A leaked key from one company can never operate on another company's Wok, even with a correctly-guessed Wok ID.
We re-test this on every release: two Woks deliberately try to overhear each other's realtime channels, and if they ever can, the release is blocked.
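The authorization boundary described above, as an added sketch that is not the product's own code: a handler that answers a foreign Wok exactly as it answers a missing one, plus a release-gate style check that fails if the two responses can be told apart. The team names, keys, Wok IDs and function names are assumptions made up for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample data; team names, keys and Wok IDs are hypothetical.
API_KEYS = {"key-alpha": "team-alpha", "key-beta": "team-beta"}
WOK_OWNERS = {"wok-a1": "team-alpha", "wok-b2": "team-beta"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def _not_found() -> Response:
    # One constructor for both "no such Wok" and "not your Wok", so the two
    # cases cannot drift apart in status code or body.
    return Response(404, json.dumps({"error": "not found"}))


def get_wok(api_key: str, wok_id: str) -> Response:
    """Authorize server-side against the owning team before returning anything."""
    team = API_KEYS.get(api_key)
    if team is None:
        return Response(401, json.dumps({"error": "invalid credentials"}))
    owner = WOK_OWNERS.get(wok_id)  # None when the Wok does not exist
    if owner != team:
        # Do not echo wok_id or owner: a correctly guessed ID must look
        # exactly like an ID that was never provisioned.
        return _not_found()
    return Response(200, json.dumps({"id": wok_id, "team": team}))


def boundary_failures() -> list[str]:
    """Release-gate check: list every (key, Wok) pair that breaks the boundary."""
    failures = []
    for key, team in API_KEYS.items():
        baseline = get_wok(key, "wok-never-provisioned")
        for wok_id, owner in WOK_OWNERS.items():
            resp = get_wok(key, wok_id)
            if owner == team and resp.status != 200:
                failures.append(f"{key} denied its own {wok_id}")
            if owner != team and resp != baseline:
                failures.append(f"{key} can distinguish {wok_id} from a missing Wok")
    return failures


if __name__ == "__main__":
    # A non-empty list would block the release.
    print(boundary_failures() or "no cross-tenant leaks")
```

Comparing the whole response to the missing-Wok baseline, rather than only the status code, also catches a body that differs between the two cases.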
Isolation tiers
Today every Wok runs on the Standard tier — your own database and services in their own containers, bin-packed onto shared bare-metal, with strong database-, network-, and authorization-level isolation. Stronger tiers (Dedicated host, Confidential, and hardware attestation) are on the roadmap for teams that need physical separation or a guarantee that even we can't read their running memory. See the isolation tiers page for what each one adds and what's shipped versus planned.
Built to survive failures (shipped)
Your Wok is backed up daily to separate storage, so if a host or its disk dies, your Wok comes back from yesterday's copy. And we don't just promise it — every day we restore a Wok onto a spare machine and check the data survived.
Continuous-WAL point-in-time recovery (PITR) is on the roadmap; today's recovery point objective (RPO) is up to 24 hours. Region: single-region (ca-central-1) today; multi-region is Phase-7.