
Access Control

Identity and access control

GoSmarter uses Microsoft Entra External ID for all authentication. People sign in through GoSmarter’s own identity tenant. We don’t store passwords.

How people authenticate

  • Sign in via Microsoft Entra External ID: GoSmarter’s customer identity platform
  • Supported sign-in methods: organisational Entra ID account, personal Microsoft account, or email one-time passcode
  • When people use their Entra ID, any Multi Factor Authentication (MFA) and password policies from their home tenant apply
  • Session tokens are stored in the browser’s sessionStorage (cleared when the tab closes), not in localStorage or cookies

How we keep data from companies separate

Every API request is scoped to a specific company. The system enforces this at multiple levels:

  1. URL-level scoping: All customer API routes include a company identifier in the URL path
  2. User membership validation: The API validates that the authenticated user has been granted access to the target company
  3. Data query enforcement: All database queries are automatically filtered by the company identifier, ensuring users can only access data belonging to their company
  4. Request rejection: If a user attempts to access a company they don’t belong to, the API rejects the request with a 403 Forbidden response

This means a user in Company A cannot access Company B’s data, even if they have a valid authentication token.

Data is logically separated by company, and access is strictly controlled through Entra ID. This ensures strong tenant isolation on every API request.
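The four levels listed above, as an added Python sketch; it is not GoSmarter's code. The route shape, the `groups` claim name, the sample GUIDs and rows, and the function names are assumptions made for illustration, and token signature verification is taken as already done.

```python
import re
import uuid

# Constructed sample data; GUIDs, route shape and "groups" claim layout are assumptions.
COMPANY_A = "aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa"
COMPANY_B = "bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb"
ROWS = [
    {"company_id": COMPANY_A, "kind": "orders", "ref": "A-001"},
    {"company_id": COMPANY_A, "kind": "orders", "ref": "A-002"},
    {"company_id": COMPANY_B, "kind": "orders", "ref": "B-001"},
]
ROUTE = re.compile(r"^/api/companies/(?P<company>[^/]+)/(?P<kind>[a-z]+)$")


def canon(value):
    """Return the canonical lowercase GUID string, or None if value is not a GUID."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, TypeError, AttributeError):
        return None


def query(company_id, kind):
    """Level 3: the only data-access path; it cannot be called without a company id."""
    return [r for r in ROWS if r["company_id"] == company_id and r["kind"] == kind]


def handle(path, claims):
    """Return (status, rows). `claims` are the claims of an already-verified token."""
    if claims is None:
        return 401, []
    match = ROUTE.match(path)
    if match is None:
        return 404, []
    company = canon(match["company"])          # level 1: identifier from the URL path
    if company is None:
        return 400, []
    # Canonicalise both sides so case or formatting variants cannot bypass the check.
    member_of = {canon(g) for g in claims.get("groups", [])} - {None}
    if company not in member_of:               # levels 2 and 4: membership, else 403
        return 403, []
    return 200, query(company, match["kind"])  # filter uses the validated identifier
```

The membership check runs before any data lookup, so a 403 is returned whether or not the requested company exists.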

How our systems talk to each other securely

Within our internal systems, every component has its own unique identity that it uses to connect to other components. Every component is given explicit permissions on what it can do for each component it needs to touch. This means we apply the principle of least privilege and reduce the risk of API keys or passwords being breached and making parts of the system accessible.

For details on how managed identity is used in AI services specifically, see AI Security.

Administrative access

  • Database: Administrative access uses Entra ID security groups and is restricted to authorised team members only. No database credentials are stored in code or configuration.
  • CI/CD: Deployment pipelines use short-lived identity tokens. No long-lived deployment secrets are stored.

Key points for your security team

  • No GoSmarter passwords: Authentication is handled by Microsoft Entra External ID. Users can sign in with an organisational Entra ID account, personal Microsoft account, or email one-time passcode.
  • MFA support: Can be enforced by you
  • Tenant isolation enforced on every request: Company GUID validated against user group claims on every API call
  • Managed identity throughout: No static API keys or connection strings in application code
  • RBAC least-privilege: Each service identity has only the permissions it needs
  • Short-lived deployment tokens: No long-lived deployment secrets are stored

Request evidence

Email us, contact us online, or book a compliance call.