A workspace per entity, isolated by design
Each entity runs in its own workspace with dedicated per-tenant data isolation and workspace-scoped login — including workspace-scoped password reset, so an account in one entity is not a key to another.
For holding companies & groups
A separate workspace per entity with dedicated data isolation, the same permission matrix applied consistently across all of them, and an append-only audit log that can be verified rather than believed.
The reality
How CareIT Business OS fits
Each entity runs in its own workspace with dedicated per-tenant data isolation and workspace-scoped login — including workspace-scoped password reset, so an account in one entity is not a key to another.
Roles are built from a permission matrix of module against view and manage, so the same standard of access is expressed the same way in every entity instead of being reinvented per subsidiary.
The audit log is append-only and chained with SHA-256, and a verification command re-walks the chain. Group audit gets a checked result rather than an assurance.
Finance cockpit, accounting journal, reports and the print-optimised board pack, and analytics are the same modules in each workspace — so consolidating means comparing like with like.
Settings are addressable per section, the role matrix is reusable, and the REST API v1 (Bearer tokens, a required Idempotency-Key on writes) lets a new workspace be provisioned and fed programmatically.
We will walk workspace isolation, the role matrix, and audit-log verification across entities.