
Multi-tenancy: Organizations, Teams, and Users

Hexcovery is multi-tenant by design. Your data is yours, isolated from every other customer, and stays in the EU. This page explains the account model and how that isolation works.

The account hierarchy

Organization  (= your tenant — owns all data, API keys, and billing)
  └── Teams        (optional groups of users, for sharing dashboards & permissions)
       └── Users   (individual accounts — email/password + optional 2FA)

Organization — the tenant

Your Organization is your tenant. It is the boundary that owns everything: all metrics, logs, and traces; all API keys; and all billing. There is one Organization per tenant, and every other concept below lives inside it.

Teams

Teams are optional groupings of users within an Organization — for example "Platform" or "SRE". They exist to make sharing and permissions convenient: dashboards and access can be scoped to a Team rather than handed out user by user. A user can belong to one or more Teams, or none.

Users and roles

Users are individual accounts. A user belongs to exactly one Organization, optionally to Teams, and carries a role that determines what they can do:

Role     What it can do
Viewer   Read dashboards, run queries, view saved queries
Editor   Everything a viewer can, plus create/edit dashboards, save queries, manage their own account
Admin    Everything an editor can, plus manage users, Teams, organization settings, and API keys

Permissions, not role names

Roles are defined by the permissions they carry, not by their name — so custom roles can be added without changing the product. What a user can do is always decided by their permissions.

How isolation works

Multi-tenancy isn't just an account label — it's enforced everywhere data flows:

  • Ingest — your agent and your OpenTelemetry clients authenticate with a tenant-scoped API key, so incoming telemetry is tagged with your tenant the moment it arrives.
  • Storage — every datapoint is tagged with your tenant, and the storage layer is partitioned so each tenant's data lives apart.
  • Query — every query carries a mandatory tenant filter; OQL injects it automatically. You can never query another tenant's data — and no one can query yours.
  • Billing — usage is metered per tenant (bytes ingested), which is what your bill is based on.
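
The permission check from "Permissions, not role names" and the mandatory tenant filter from the Query step, sketched together as an added example (not Hexcovery's code). The permission identifiers, the "key-rotator" custom role, and the dict-based filter model are assumptions; the page does not publish permission names or OQL syntax.

```python
from dataclasses import dataclass

# Hypothetical permission identifiers, derived from the role table above.
VIEWER = frozenset({"dashboard.read", "query.run", "saved_query.read"})
EDITOR = VIEWER | {"dashboard.write", "saved_query.write", "account.self_manage"}
ADMIN = EDITOR | {"user.manage", "team.manage", "org.settings", "api_key.manage"}

ROLES = {
    "viewer": VIEWER,
    "editor": EDITOR,
    "admin": ADMIN,
    # A custom role (hypothetical) is just another permission set.
    "key-rotator": VIEWER | {"api_key.manage"},
}


@dataclass(frozen=True)
class Principal:
    org_id: str  # taken from the authenticated session or API key
    role: str


def can(principal: Principal, permission: str) -> bool:
    """Decide on the permission itself, never on the role name."""
    # An unknown role carries no permissions (fail closed).
    return permission in ROLES.get(principal.role, frozenset())


def scoped_query(principal: Principal, filters: dict) -> dict:
    """Return the filters with the tenant predicate forced to the caller's org.

    Any caller-supplied org_id is discarded, so the tenant always comes
    from the credential and never from the request body.
    """
    if not can(principal, "query.run"):
        raise PermissionError("query.run required")
    user_filters = {k: v for k, v in filters.items() if k != "org_id"}
    return {**user_filters, "org_id": principal.org_id}


if __name__ == "__main__":
    viewer = Principal(org_id="org-a", role="viewer")  # constructed sample
    # The request tries to name another tenant; the filter is overwritten.
    print(scoped_query(viewer, {"service": "api", "org_id": "org-b"}))
```
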

Unlimited users

Billing is on data ingested, not on seats. Invite your whole team — adding users and Teams doesn't change your bill.

Data residency

Your data is stored and processed in the European Union. This is a deliberate, structural choice — not a configuration toggle — so that European customers avoid CLOUD Act exposure.
