Tenants

A tenant is an Operayde customer. It is the boundary for identity, billing, policy, and audit. Every appliance, every virtual key, and every audit event belongs to exactly one tenant.

Identifiers

Tenant IDs are 3–32 lowercase hyphenated strings (acme, northwind-legal). They’re visible in URLs because they’re not secrets; secrets go into virtual keys.

Isolation

The appliance isolates tenants at several layers:

• Storage. Documents and vector indexes are in a per-tenant subtree with per-tenant encryption keys.
• Inference. Runs ephemerally per-request; no cross-request state leaks between tenants.
• Audit. Each tenant has its own Merkle tree per day, signed by the appliance identity key.

On a single appliance there is typically one tenant, but multi-tenant appliances are supported for managed service providers.

Regional pinning

A tenant is created in a region (EU or UAE) and cannot be moved. Choose at signup. If you need both, we run one tenant per region.

Deleting a tenant

This is a destructive operation — all keys revoke, all appliances suspend, all audit bodies are erased from the appliance-side store after a 30-day grace period. Audit heads stay in the central plane for the statutory retention period; we cannot shorten it for you.