Each studio is an island
Harmony is multi-tenant by design: your studio’s data is isolated, access is role-based, and even platform support has to be invited in. Here’s how that actually works — described plainly, with nothing oversold.
Per-studio isolation
Every record — lessons, availability, policy, members, notifications — is scoped to one studio. Queries are filtered by your studio on every request, so one studio can’t see another’s data.
Role-based access
Admins, teachers, and students each see only what their role allows, enforced server-side on every page and action. Teachers manage their own lessons; students act only on their own.
Authenticated sessions
Sign-in is email and password via a dedicated auth library; credentials are stored hashed, never in plain text. Sessions expire after seven days and refresh while you’re active.
Audit trails
Support visits are logged with who and when. Every notification email is recorded to an outbox with its delivery status — so admins can always see what happened.
Notification privacy
People control what reaches their inbox. Each user can opt out of new-lesson, reschedule, and cancellation emails independently.
Least-privilege support
Support can’t wander in. Access requires an explicit, expiring grant you control, and a support session can’t change your support settings to extend itself.
Consent-gated, time-boxed support access
Most SaaS support can quietly read your data. Harmony flips that: a platform administrator can only enter your studio when you grant access, only for as long as you allow, and every visit is recorded where you can see it.
- 1
You grant access
An admin enables support access for a set window — say, seven days. Nothing is open until you do this.
- 2
Support enters — and it’s logged
A support visit is recorded the moment it starts, acting only as your studio’s admin, with a clear support-session banner.
- 3
It auto-revokes
When the window expires or you switch it off, access ends automatically. Support sessions can’t extend their own grant.
- 4
You see everything
Every enter and exit appears in your studio’s audit log, alongside the full email outbox.
Honest about what we do — and don’t — claim
We’d rather describe what the software actually enforces than wave compliance badges. Here’s where things stand.
Data is isolated per studio and access is checked on the server for every request.
Passwords are hashed; we never store them in plain text.
Support access is opt-in, time-boxed, and fully logged.
This is a demonstration app — it does not yet carry formal certifications (e.g. SOC 2), and we don’t claim otherwise.
Found something? Tell us.
We welcome responsible disclosure. If you believe you’ve found a security issue, email us and we’ll work with you to confirm and resolve it.
Run your studio with confidence
Isolation, role-based access, and audited support — from day one.
Start your studio