FAOS enforces company-level data isolation on the server side. All requests are evaluated against the authenticated session context. Clients cannot select, inject, or impersonate another company through parameters or crafted requests.
Access control decisions are performed on the server. Company identifiers are derived from authenticated sessions, not from client-supplied values. This prevents cross-company data exposure.
Critical operational actions, including exports and configuration changes, are recorded to support traceability and internal review.
This section describes access isolation and auditability controls within FAOS. It does not constitute statutory compliance, tax filing, cybersecurity certification, or external audit opinion.
Related references: Operational Controls · Risk Controls · Audit Logs