Multi-tenant
Belong to more than one board. Switch organizations without re-logging in, accept pending invitations, spin up a new org from the same dropdown, and rely on strict isolation between them.
A single email address can hold membership in any number of BoardHerald organizations — there's no soft cap, no per-account quota, no “primary tenant” you have to leave to visit another. We built this for the way modern operators actually work — five profiles in particular:
Two startups, a holding company, and a side project each get their own isolated boardroom and roll up under one sign-in. No browser-profile juggling, no separate passwords, no risk of pasting the wrong update into the wrong company.
One operator orchestrating a portfolio of companies where most of the heavy lifting is done by AI agents reporting through MCP. Each company is its own tenant; the founder switches between them the way a CEO walks between conference rooms.
Sweep across every company you've backed without losing context. Each portfolio company invites you as an OBSERVER into its own tenant — updates, KPIs, resolutions, meeting notes all visible, all isolated from each other.
Sit on four boards, run your own venture, plus a fund on the side — every one of those memberships is a separate tenant with its own role. An admin badge at your own company stays there; an observer seat on a portfolio company stays there.
Fractional CFOs, corporate counsel, board secretaries, deal partners — people who serve many boards at once. Each client invites you as a MEMBER or ADMIN into their own tenant. You move between clients in one click; no client ever sees another's data, and your own sign-in history lives in the audit log of the tenant you touched.
BoardHerald calls these separate organizations (or tenants) and keeps each one completely isolated from the others, while giving you a one-click path to move between the ones you have access to.
The organization switcher
In the admin sidebar, the tenant name + logo at the top doubles as a dropdown. Clicking it opens a small menu with every organization your email has access to, a search field for when the list gets long, and a + Create new organization row at the bottom.
- The organization you're currently viewing is marked with a gold check.
- An organization you haven't accepted an invitation for yet shows a pending badge. Clicking it asks you to confirm — accepting both activates your membership and switches you into it in one step.
- An archived organization, or one whose subscription has been flagged, appears greyed out and isn't clickable. Resolving the state has to happen on that tenant's own billing or admin screens first.
- Clicking an active organization drops you directly onto its dashboard, signed in, on the right hostname — the organization's custom domain if it has one, or the shared platform host
app.boardherald.comotherwise. Your sign-in cookie replaces the previous one on the landing host, so the switch is immediate.
Switching happens securely
Every click on the switcher goes through a server-side re-validation — BoardHerald checks that your email really does have an active (or invited) membership in the target organization, and that the target organization itself isn't archived or billing-blocked, before letting you in. The browser is handed a one-shot, cryptographically signed handoff that's valid for only a few seconds and can be used exactly once; a handoff URL captured from browser history or a share sheet is useless on the second attempt.
When the target organization has its own custom domain, the handoff is additionally bound to that hostname — a handoff minted for organization A can't be redeemed at organization B's custom domain. For organizations without a custom domain (which share the platform host), that extra check is replaced by the cryptographic signature, the one-shot nonce, and the session cookie scope — any of which alone is enough to keep a handoff from being reused or redirected at the wrong tenant.
When you switch, the session you were previously holding on the source organization is actively revoked. That means signing out after a switch, or closing the tab and returning via a bookmark, doesn't leave a still-valid session sitting on the old domain. Leave a shared computer mid-switch and the old tenant is locked out, not just hidden.
If you're an advisor across several boards, you don't want a “log out” on the active board to leave you quietly still logged in on the other three. BoardHerald's revocation step closes that gap.
Isolation between organizations
Organizations in BoardHerald are independent silos. A member in organization A can't see anything from organization B — not a member list, not an update title, not a meeting date, not the existence of a KPI, and not the fact that the other organization exists. See Security for how this is enforced at the storage and query layer rather than only in the UI.
This isolation is the reason the switcher never surfaces an organization you don't belong to. Behind the scenes, the “which orgs can I switch to?” list is computed only from organizations that already hold a membership row for your email. An attacker who guesses an organization's slug or name can't coerce the switcher into leaking its existence, let alone its content.
Roles work per organization
Your role is scoped to the organization you're viewing. A founder running several ventures is typically an admin in each of their own companies; an investor or advisor invited into a portfolio company is usually an observer or member there. Each role determines what you can see and do only inside that tenant. Switching organizations re-resolves your role from scratch for the destination; an admin badge in one tenant doesn't carry any authority into another.
The full role reference lives on Permissions. The short version: each tenant maintains its own set of members, its own role assignments, its own access groups (FINANCE, INVESTOR), and its own audit log.
Accepting a pending invitation
When an admin invites you to a new organization, the invitation shows up in your switcher the next time you open it, tagged pending. Clicking it asks for a brief confirmation — “Accept invite and switch?” — because accepting an invitation is a meaningful action that logs an audit entry. On confirm, your membership flips to active and you're signed in on the new tenant in the same motion. No separate invitation email link to click.
If you'd rather ignore the invitation, just don't click it. Nothing happens on the target tenant until you confirm.
Creating a new organization
The + Create new organization row at the bottom of the dropdown opens a short form: a name and a slug (the slug is auto-suggested from the name and becomes the default subdomain). While you type, the slug field shows a live check so you see immediately whether your chosen slug is available.
On submit, BoardHerald creates the organization, makes you its first admin, seeds a default branding, and signs you straight into it. No extra verification — the sign-in you already have on your current organization is enough to prove the email, and the new tenant inherits that trust.
A brand-new organization starts on the Starter plan with a free trial — same terms as a fresh signup. You can invite members, publish updates, run meetings, and connect agents from day one; the trial gives you time to decide whether to stay on Starter or move up. Higher tiers unlock custom domains, white-label branding, advanced KPI sync, and higher usage limits. See Custom domains and the Billing tab inside the new tenant for current pricing and the trial countdown.
Create-organization requests are rate-limited per user to stop accidental loops and scripted abuse; under normal usage you'll never hit the limit.
What the audit log sees
Every tenant switch and every new-organization creation writes an entry to the destination tenant's Audit log. Accepting a pending invitation writes a separate entry. An admin reviewing their tenant's audit log can always answer “when did this member join?” and “when did they last switch in?” — no cross-tenant leakage either direction.
Signing out
The Sign out button in the admin chrome ends the session on the current organization only. If you were in multiple tenants earlier in the day and want to walk away clean, use the switcher to move into each tenant and sign out there — each sign-out is revoked at the server and can't be replayed by a stale cookie that got cached somewhere. (A platform-wide “sign out of everything” affordance is on the roadmap.)