How your data is protected

Your numbers are sensitive, so isolation isn’t a setting you switch on — it’s how Zencount is built. Here’s what protects your data and who can see what.

Per-organization isolation

Every business record is scoped to your organization and protected by row-level security in the database. Even if a query forgot a filter, the database itself refuses to return another organization’s rows — defense in depth, not just a UI check.

This is enforced at the database layer for every read and write — there is no path that reads around it.

Roles

Inside your workspace, access is by role: Owner (everything, incl. billing and deleting the workspace), Admin (manage members and data) and Member (work within the scope they’re given).

Dimension-scoping

A member can be scoped to a specific entity, department or location — and that scope is enforced the same way as org isolation. A location-scoped member’s pickers and totals only ever include their own site; invitees are deny-by-default until granted access.

How you sign in

Sign-in is by magic link or your company’s SSO (Google / Microsoft). Connected-integration credentials are encrypted at rest, and we keep tokens and personal data out of logs.

Honest limit: a few help features are still arriving (e.g. saved “was this helpful?” feedback) — when they land they’ll follow the same isolation and logging rules. See the roadmap notes in each area.

Next steps

Invite your team and assign roles.
Entities and departments & locations define the scopes.