Data Isolation & Multi-Tenancy

Every Atticus Health client's data is fully isolated — separate databases per domain, separate data per organization within each database, enforced at every layer from request entry through to the database.

Patient identity operates above the organization boundary — patients own their core record independently and aren't locked to any single organization. A single patient can be connected to multiple organizations through tenant-patient relationships. Clinical and operational data created within an organization (encounters, notes, orders, scheduling) remains fully isolated within that organization's boundary.

Isolation Model

Atticus Health takes a two-level approach to data isolation:

Domain-Level Separation

The platform maintains 8 separate databases, one per business domain (clinical, scheduling, configuration, master data, process automation, personnel, tenant info, and audit). No domain can access another domain's database — cross-domain data flows through APIs and events.

Organization-Level Isolation

Within each domain database, every client organization's data is fully isolated. The database connection is scoped to the current organization, ensuring that queries for one organization cannot return another's data.

How Isolation Is Enforced

Tenant isolation isn't just a database concern — it's enforced at every layer of the request lifecycle:

  1. Request entry — Every request must carry a valid organization identifier. Requests without one are rejected immediately.
  2. Authentication — Each session is bound to a specific organization. A user authenticated for Organization A cannot access Organization B's data.
  3. Background processing — Organization context carries through asynchronous operations (background jobs, event handlers), so isolation holds even outside of direct user requests.
  4. Data access — All queries are scoped to the current organization. The database connection itself is scoped to the organization context.
  5. Events — Domain events published to the message bus carry organization context, ensuring downstream services process data in the correct scope.
  6. Audit — All data access is logged, enabling detection of unusual access activity.
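The request-to-database path above, as an added example that is not Atticus Health's own code: organization context is set at request entry, propagated into background jobs, and required by every query and published event, with each access recorded in an audit trail (the header name and the in-memory store are assumptions for the demonstration):

```python
# Added example (not Atticus Health's own code): organization context set at
# request entry and carried through data access, background jobs and events.
import contextvars
from dataclasses import dataclass, field

# Organization id of the current request or job; unset outside any scope.
current_org = contextvars.ContextVar("current_org")


class MissingOrganization(Exception):
    pass


def enter_request(headers):
    """Request entry: reject any request that carries no organization id."""
    org_id = headers.get("X-Organization-Id")  # header name is an assumption
    if not org_id:
        raise MissingOrganization("request carries no organization identifier")
    current_org.set(org_id)
    return org_id


@dataclass
class Store:
    rows: list = field(default_factory=list)    # constructed in-memory table
    audit: list = field(default_factory=list)   # one entry per data access
    events: list = field(default_factory=list)  # published domain events

    def query(self, table):
        """Data access: every query is filtered by the current organization."""
        org_id = current_org.get()  # LookupError if no organization scope is set
        self.audit.append((org_id, "read", table))
        return [r for r in self.rows if r["table"] == table and r["org_id"] == org_id]

    def insert(self, table, **data):
        """Writes are stamped with the organization and published as events."""
        org_id = current_org.get()
        self.rows.append({"table": table, "org_id": org_id, **data})
        self.audit.append((org_id, "write", table))
        self.events.append({"org_id": org_id, "type": f"{table}.created", "data": data})


def run_in_background(job, *args, **kwargs):
    """Background processing: run the job in a copy of the caller's context so
    the organization scope survives outside the request."""
    return contextvars.copy_context().run(job, *args, **kwargs)
```

Entering a request for one organization, inserting rows (directly and via a background job), then entering a request for a second organization and querying returns none of the first organization's rows, while `store.audit` records every read and write with the organization it ran under.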

Data Portability

  • Independent export — Each organization's data can be exported without affecting other organizations
  • Standard formats — Clinical data exports in FHIR (Fast Healthcare Interoperability Resources) format; operational data in standard formats
  • Clean offboarding — Complete data deletion workflow with verification and audit trail when a client departs