Overview
Nuclei is built as a multi-tenant SaaS platform. Within Nuclei, a tenant maps to a customer account or organization. Tenant segmentation means each customer's users, source connections, archives, identities, events, media, and policy settings remain associated with that tenant context throughout ingestion, storage, processing, and retrieval.
This approach follows the same core principle described in AWS guidance for multi-tenant SaaS applications: tenant isolation must be enforced with explicit tenant-aware controls, not only with basic authentication.
Supported Features
Nuclei supports the following tenant segmentation capabilities:
- Account-level tenant boundaries for customer organizations
- Tenant-scoped users, sessions, permissions, and login methods
- Tenant-scoped source connections, archive destinations, and authorizations
- Tenant-scoped identities, events, media, transcripts, and analysis outputs
- Tenant-aware background processing for capture, indexing, transcription, analysis, and export workflows
- Administrative controls for support impersonation
Scope
This article describes logical tenant segmentation within the shared Nuclei platform.
It does not describe contractual deployment topology, data residency commitments, or customer-specific dedicated infrastructure arrangements.
Tenant Boundary
Within Nuclei, the primary segmentation boundary is the customer account. Users, data sources, archives, identities, policies, and event records are all associated with that account context and are retrieved using that same context.
External System Boundaries
Some integrated systems have their own tenant model, such as Microsoft 365 tenant IDs or Okta tenant domains. Nuclei stores those upstream identifiers as part of the customer's configuration so the platform authenticates against the correct external tenant while keeping the resulting data inside the customer's Nuclei tenant boundary.
How Tenant Segmentation Works
Tenant-Scoped Identity and Access
When a user signs in or an administrator authorizes a source connection, Nuclei establishes the tenant context for that request or session. Access decisions are then evaluated within that tenant so users operate inside their own organization's scope instead of a shared global namespace.
Tenant-Scoped Configuration
Source connections, archive destinations, authorizations, and related policies are created inside a single tenant context. This prevents a configuration created for one tenant from being reused by another tenant unless there is an explicit partner-managed relationship.
Tenant-Scoped Data Partitioning
Captured events, media, transcripts, identities, and derived analysis records are stored and queried with tenant context. In practice, Nuclei carries tenant context through reads, writes, object storage paths, and workflow orchestration so requests resolve only to resources that belong to the active tenant.
Tenant-Aware Background Processing
Asynchronous workflows such as capture, transcription, indexing, archiving, exports, and AI analysis preserve tenant context as jobs move through the platform. This allows Nuclei to scale shared services across many customers while continuing to process only the correct tenant's data set in each workflow.
Support Access Controls
Support access is governed separately from normal tenant access. Where support impersonation is used for troubleshooting, it is controlled at the account level so customer administrators can manage whether that access is allowed.
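The four "How Tenant Segmentation Works" subsections above, plus the support access control, describe one pattern: bind a tenant context at sign-in, stamp it onto every write, filter every read by it, prefix object storage keys with it, carry it inside background jobs, and gate support impersonation on an account-level setting. The following Python model is an added example, not Nuclei's code or API. All names in it (TenantContext, TenantScopedStore, object_key, enqueue_job, run_job, support_context, ACCOUNT_SETTINGS) are hypothetical, and the two tenants and their records are constructed sample data. It shows why the tenant filter must be unconditional rather than an optional query parameter: both tenants hold a record with the same id, and only the active tenant's copy is ever returned.

```python
"""Illustrative model of tenant-scoped access in a multi-tenant SaaS service.

Added example; not Nuclei's code. Every class, function and setting below is a
hypothetical construct used to show the pattern the article describes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


class TenantContextMissing(Exception):
    """A data access was attempted with no tenant bound to the request."""


@dataclass(frozen=True)
class TenantContext:
    """Bound once at sign-in or connector authorization and carried through the request."""
    tenant_id: str
    user_id: str
    acting_support: bool = False  # True only for support impersonation sessions


@dataclass
class TenantScopedStore:
    """Toy in-memory store: every row carries tenant_id and every query filters by it."""
    _rows: list[dict[str, Any]] = field(default_factory=list)

    def put(self, ctx: TenantContext | None, row: dict[str, Any]) -> None:
        if ctx is None:
            raise TenantContextMissing("write without tenant context")
        # The store stamps tenant_id from the context; callers cannot choose it.
        self._rows.append({**row, "tenant_id": ctx.tenant_id})

    def query(self, ctx: TenantContext | None, kind: str) -> list[dict[str, Any]]:
        if ctx is None:
            raise TenantContextMissing("read without tenant context")
        # The tenant filter is unconditional, not an optional WHERE clause.
        return [r for r in self._rows if r["tenant_id"] == ctx.tenant_id and r["kind"] == kind]


def object_key(ctx: TenantContext, category: str, object_id: str) -> str:
    """Object storage keys are prefixed with the tenant so bucket policies can also scope access."""
    for part in (category, object_id):
        if "/" in part or ".." in part:
            raise ValueError(f"unsafe path component: {part!r}")
    return f"tenants/{ctx.tenant_id}/{category}/{object_id}"


@dataclass(frozen=True)
class Job:
    """A queued background job; the tenant travels with the job, not in ambient state."""
    tenant_id: str
    kind: str
    payload: dict[str, Any]


def enqueue_job(ctx: TenantContext, kind: str, payload: dict[str, Any]) -> Job:
    return Job(tenant_id=ctx.tenant_id, kind=kind, payload=payload)


def run_job(job: Job, store: TenantScopedStore) -> list[dict[str, Any]]:
    # The worker rebuilds tenant context from the job itself, so a shared worker
    # pool only ever reads the data set of the tenant that enqueued the work.
    ctx = TenantContext(tenant_id=job.tenant_id, user_id="worker")
    return store.query(ctx, job.payload["kind"])


# Constructed account-level settings; in the article these are managed by customer admins.
ACCOUNT_SETTINGS: dict[str, dict[str, bool]] = {
    "acme": {"support_access_enabled": True},
    "globex": {"support_access_enabled": False},
}


def support_context(tenant_id: str, support_user: str, settings: dict[str, dict[str, bool]]) -> TenantContext:
    """Support impersonation is allowed only when the account has opted in."""
    if not settings.get(tenant_id, {}).get("support_access_enabled", False):
        raise PermissionError(f"support access disabled for tenant {tenant_id!r}")
    return TenantContext(tenant_id=tenant_id, user_id=support_user, acting_support=True)


def demo() -> dict[str, Any]:
    """Walk two constructed tenants through writes, reads, storage keys, jobs and support access."""
    store = TenantScopedStore()
    acme = TenantContext(tenant_id="acme", user_id="alice")
    globex = TenantContext(tenant_id="globex", user_id="bob")
    # Same record id in both tenants on purpose: ids are tenant-local, not global.
    store.put(acme, {"kind": "event", "id": "evt-1", "subject": "acme call"})
    store.put(globex, {"kind": "event", "id": "evt-1", "subject": "globex call"})
    results: dict[str, Any] = {}
    results["acme_sees"] = [r["subject"] for r in store.query(acme, "event")]
    results["globex_sees"] = [r["subject"] for r in store.query(globex, "event")]
    try:
        store.query(None, "event")
        results["no_context"] = "allowed"
    except TenantContextMissing:
        results["no_context"] = "rejected"
    results["acme_key"] = object_key(acme, "media", "evt-1.mp4")
    job = enqueue_job(globex, "transcribe", {"kind": "event"})
    results["job_sees"] = [r["subject"] for r in run_job(job, store)]
    try:
        support_context("globex", "support-1", ACCOUNT_SETTINGS)
        results["support_globex"] = "allowed"
    except PermissionError:
        results["support_globex"] = "rejected"
    results["support_acme"] = support_context("acme", "support-1", ACCOUNT_SETTINGS).acting_support
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the tenant id is never accepted from the caller on a write or read; it is taken from the bound context, and a missing context is an error rather than a fall-through to "all tenants". That is the difference the article draws between tenant-aware controls and basic authentication alone.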
AWS Well-Architected Alignment
AWS guidance for multi-tenant architectures emphasizes that isolation must be applied with tenant context, especially when infrastructure is shared. Nuclei's segmentation approach aligns with that principle in several ways:
- Security: Tenant context is applied to resource access, connector credentials, stored content, and configuration objects to reduce the risk of cross-tenant access.
- Operational Excellence: Tenant-aware workflows make it easier to trace activity and manage operations at the customer-account level.
- Reliability: Tenant context is preserved across asynchronous processing so services can scale without losing the customer boundary.
- Performance and Cost Efficiency: Shared platform services can be operated efficiently while customer data and configuration remain logically segmented.
AWS also describes trade-offs between silo, bridge, and pool-style tenancy models. Nuclei applies strong logical segmentation controls across shared services, with customer-specific credentials and configuration attached to each tenant boundary.
Practical Implications
The following behavior applies to tenant segmentation in Nuclei:
- A user in one tenant does not browse or query another tenant's data sources, events, archives, or identities during normal platform use
- A source connection authorized for one tenant remains bound to that tenant's configuration and upstream credentials
- Exports, archives, and AI workflows execute within the tenant context of the source data
- Customer administrators manage account-scoped settings such as login methods, SSO configuration, permissions, and support access controls
More Information
For more information about tenant segmentation, partner-managed account structures, or customer-specific deployment requirements, please contact Nuclei Support.