Trust & operations

Choosing a platform to hold your organisation’s content is a question of trust before it is a question of features. You are deciding who guards the door, what happens on a bad day, and whether the people who use your site can actually use it. This section answers those questions plainly, for the people who have to sign off on them.

CTXR earns that trust the same way it does everything else: structurally, not by good intentions. The protections described here are not settings you remember to switch on. They are consequences of how the platform is built, which means they hold even when nobody is watching.

Five ideas run through everything that follows.

Isolation is the architecture. Every space is a hard boundary — its own data, its own domain, its own actors. There is no shared database to leak across tenants and no cross-space query that could ever return someone else’s content.

Authorization is layered. Authentication, permissions, and property protection are independent gates checked at every point where data changes. Defeating one does not get you past the others.

Privacy is built in, then made your responsibility where it has to be. CTXR holds almost no personal data of its own and tracks nobody. Where the law assigns duties to you as the data controller, this section says so clearly rather than implying the platform covers them.

Everything is recoverable. Because content lives as plain files and everything else is derived from it, recovery is usually a command rather than a procedure. Code is in version control; content is backed up; a corrupted index is regenerated, not restored.

The platform is accountable and accessible. Three separate logs record what happened, a health endpoint reports how the system is doing, and the editing interface meets accessibility standards out of the box.

The pages in this section cover each of these in turn:

Table of contents