The 'Organization'

The organization is the basic structural unit for your account at FTE Tree. Within our applications, an organization is considered an individual entity and functional instance of the software. A user may be part of multiple organizations and see limited data from multiple organizations on their dashboard, but information can’t be shared or moved between organizations. If you have a complex organization, our robust tree structure allows for both flexible and secure setups to accommodate your needs.

Organization Owner

The organization owner is the person who sets up the original account. Please contact us if the organization's owner ever needs to be changed or their permissions otherwise limited.

The owner is given full administrative rights and permission to view everything in the organization and can't be edited by any other user in the organization by default. Please contact us with any questions or needed changes to this user.

Users in Your Organization

Within FTE Tree, the individual user account as it relates to the overall organization's account is referred to as the organization user.

The user's permissions with the application are defined as part of the organization and are independent of any other organization within FTE Tree. This provides the flexibility for an organization to have independent, secure accounts with FTE Tree to allow rigid and secure separation of permissions and data while being able to use a single login. This provides flexibility for both your users and your organization in setting up FTE Tree. The chart below describes how User 3 may be a member of both Organization A and Organization B.

multiple organizations per user

While you can see that User 3 has access to both organizations, User 1 and User 2 only have access to Organization A, and User 4 and User 5 only have access to Organization B. At any time, you may remove User 3's permission from Organization A, and they will no longer be able to access any of your data from Organization A. However, they will still be able to access data from Organization B.

Important: Although a user may be part of multiple organizations, there is never any information or data shared between them. The user must switch to the other organization's account. All user permissions are tied to the organization, not the user's account.

After you create an account, your organization's administrators may also limit the active and verified emails to your company's domain name to which FTE Tree can send emails. Furthermore, we also offer the ability to force your organization's users to enable two-factor authentication to further protect your information.

Subdomain-Based Isolation

Each organization in FTE Tree is assigned its own unique subdomain. For example, if your organization is named "Acme Corp," your account would be accessible at a URL like acmecorp.ftetree.com. This subdomain is exclusive to your organization and serves as the entry point for all your users.

This subdomain-based architecture provides several important benefits:

  • Clear identity: Your organization's URL is unique and easily recognizable to your team.
  • Request-level isolation: Every request to your subdomain is validated by our system to ensure it is associated with your organization. Users who are not members of your organization cannot access your subdomain.
  • Session and cookie isolation: Authentication sessions are scoped to your organization's subdomain, preventing session data from being shared across organizations.

When a user belongs to multiple organizations, they select which organization to access and are directed to that organization's subdomain. There is no cross-organization access within a single session.

Data Separation and Security

FTE Tree enforces strict data separation between organizations at multiple levels:

  • Database-level isolation: All data stored in FTE Tree, including departments, positions, employees, approval workflows, and reports, is associated with your organization. Queries to the database are always filtered by organization, ensuring that no data from one organization is ever accessible to another.
  • Permission-level isolation: User permissions are defined entirely within the context of a single organization. A user's roles and access in one organization have no bearing on their access in another. Removing a user from your organization immediately revokes all of their access to your data.
  • Encrypted in transit and at rest: All data transmitted between your browser and FTE Tree is encrypted using HTTPS, enforced across all subdomains. Data stored on our servers, including uploaded files, is also encrypted at rest.
  • Subscription validation: Access to your organization requires a valid, active subscription. If a subscription lapses, access to the organization's data is restricted until the subscription is renewed.

These layers of protection work together to ensure that your organization's data remains private, secure, and completely separate from any other organization using FTE Tree. For more details on authentication features such as multi-factor authentication and single sign-on, see Authentication and Security.