Export Data Leak Audit
Find whether CSV exports, PDF reports, signed download links, and background jobs can expose another customer's data.
Agnite tests export workflows with baseline and mutated tenant context, then delivers request-level evidence your engineering team can reproduce.
Why export leaks are different
Export leaks are dangerous because they move bulk data outside the app, usually through a separate query, renderer, queue, or download path, and the file is harder to revoke once it has been downloaded or forwarded.
Bulk data exposure
Exports often contain more records than a normal screen or API response, so one bad query can leak a larger slice of customer data.
Separate execution path
CSV, PDF, and report jobs often use different queries than the UI, which means the visible table can look safe while the artifact is not.
Delayed worker context
Tenant scope can disappear after a job enters a queue, especially if the worker reconstructs the export with stale or missing context.
Harder containment
Once a file is downloaded or emailed, the leak is harder to detect, revoke, or clean up across customer systems.
A table can look correct while the export query, worker job, or signed download path reaches beyond the active tenant.
Boundary checks that match the scope buyers asked for
The audit follows the export from request to generated file, because leaks often appear after the original API response already looked safe.
CSV exports
Checks whether exported rows match the active tenant, selected filters, and allowed role scope.
PDF reports
Finds reports that use broader datasets than the UI table or API response.
Signed URLs and downloads
Tests whether download links can be reused across users, tenants, or expired sessions.
Background export jobs
Checks whether tenant context survives after the export request enters a queue.
Wrong tenant records
Compares exported artifacts against baseline tenant data.
Report filters and date ranges
Verifies that filters do not widen scope beyond the active tenant.
Common failure patterns
These are the recurring ways export workflows drift outside the active tenant.
Export query misses tenant_id filter
The report query forgets to scope results to the active tenant before the file is generated.
Worker job receives report_id without tenant context
The queue message carries the report identifier but loses the tenant boundary needed to rebuild it safely.
Signed URL is valid but not tenant bound
The download token works, but it can be replayed by a user outside the intended tenant.
PDF renderer uses admin level dataset
The PDF path renders from a broader dataset than the standard user can see in the UI.
Download endpoint checks file id but not owner tenant
The endpoint confirms the file exists but does not confirm the tenant that owns it.
Report filters widen the result set silently
A filter or date range changes the output without preserving the active tenant scope.
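The two download-side patterns above (a signed URL that is valid but not tenant bound, and an endpoint that checks the file id but not the owner tenant) can be closed together. This is an added example, not Agnite's code: the `FILES` store, the signing key, and the function names are hypothetical, and ids are assumed not to contain `|`.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a per-service signing key

# Constructed file metadata store: file_id -> owning tenant
FILES = {"exp-1001": {"tenant": "tenant-a", "name": "orders.csv"}}


def sign_download(file_id, tenant_id, user_id, expires_at):
    """Return a token whose MAC covers file, tenant, user and expiry."""
    msg = f"{file_id}|{tenant_id}|{user_id}|{expires_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expires_at}.{mac}"


def authorize_download(file_id, token, session_tenant, session_user, now=None):
    """Return (allowed, reason) for a download request."""
    now = time.time() if now is None else now
    meta = FILES.get(file_id)
    if meta is None:
        return False, "unknown file"
    # Owner check: the file existing is not enough, it must belong
    # to the tenant of the session making the request.
    if meta["tenant"] != session_tenant:
        return False, "file owned by another tenant"
    try:
        expires_str, _mac = token.split(".", 1)
        expires_at = int(expires_str)
    except ValueError:
        return False, "malformed token"
    if now > expires_at:
        return False, "expired"
    # Recompute the MAC from the *session's* tenant and user, so a token
    # minted for someone else never verifies, even for a real file id.
    expected = sign_download(file_id, session_tenant, session_user, expires_at)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "token not bound to this tenant/user"
    return True, "ok"
```

Because the verifier rebuilds the MAC from the session rather than from values carried in the link, a forwarded link fails for any other tenant or user without extra lookup logic.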
How the export audit is tested
The audit follows the export lifecycle from request to file delivery so the team can see exactly where tenant scope falls away.
Map export workflows
Identify CSV, PDF, report generation, download, and signed URL paths that can leave the normal request path.
Create a baseline export
Run the workflow as the expected actor and capture the intended result, file path, and ownership trail.
Mutate tenant or actor context
Replay the same export with changed tenant, user, role, object, or download context to stress the boundary.
Compare generated artifacts
Inspect file contents, metadata, response body, file ownership, and delivery behavior instead of trusting the status code.
Confirm the boundary failure
Separate harmless output differences from real wrong-tenant exposure and mixed-record leakage.
Retest after the fix
Repeat the same workflow after remediation to confirm the leak is blocked or properly scoped.
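The artifact comparison step can be automated against seeded test tenants. This is an added example, not part of the original page or Agnite's tooling: the column name, record ids, and CSV samples are constructed, and it assumes each seeded record has an id known to belong to exactly one test tenant.

```python
import csv
import io

# Constructed seed data: record ids created for each test tenant
TENANT_A_IDS = {"ord-101", "ord-102", "ord-103"}
TENANT_B_IDS = {"ord-201", "ord-202"}

# Constructed artifacts: a baseline export and a replay with mutated context
BASELINE_CSV = "order_id,total\nord-101,40\nord-102,15\n"
MUTATED_CSV = "order_id,total\nord-101,40\nord-201,99\n"


def classify_export(csv_text, id_column, allowed_ids, foreign_ids):
    """Classify an exported CSV by which seeded tenant its rows belong to."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if id_column not in (reader.fieldnames or []):
        raise ValueError(f"column {id_column!r} missing from export")
    own, leaked, unknown = [], [], []
    for row in reader:
        rid = (row.get(id_column) or "").strip()
        if rid in allowed_ids:
            own.append(rid)
        elif rid in foreign_ids:
            leaked.append(rid)
        else:
            unknown.append(rid)  # not seeded by either tenant
    if leaked and own:
        verdict = "mixed-tenant"    # active-tenant rows plus foreign rows
    elif leaked:
        verdict = "wrong-tenant"    # only another tenant's rows
    elif unknown:
        verdict = "needs-review"    # output differs, exposure not shown
    else:
        verdict = "clean"
    return {"verdict": verdict, "leaked": leaked, "unknown": unknown}


def audit_pair(baseline_csv, mutated_csv):
    """Run the baseline and mutated artifacts through the same check."""
    return (
        classify_export(baseline_csv, "order_id", TENANT_A_IDS, TENANT_B_IDS),
        classify_export(mutated_csv, "order_id", TENANT_A_IDS, TENANT_B_IDS),
    )
```

Running the same `audit_pair` call after remediation serves as the retest: the mutated artifact should come back `clean`.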
Request-level evidence buyers can hand to engineering
The report is written like a buyer deliverable so engineering can reproduce, fix, and retest the export boundary without translation.
Tested workflow
CSV export, PDF report, signed download link, or queued export job
Actor and tenant context
Baseline tenant and mutated tenant with role and session details
Baseline request and export result
Original export request and clean artifact from the active tenant
Mutated request and export result
Replay with mutated tenant context and returned artifact
Exact artifact or download path involved
File name, object path, or signed URL used to deliver the export
Expected vs actual result
Only active-tenant records expected; wrong-tenant records observed
Data boundary violated
Tenant scope, file ownership, and delivery path all failed to stay bound
Severity and business impact
Data exposure can create customer trust, compliance, and escalation risk
Fix direction
Bind queries, jobs, storage, and signed URLs to tenant context
Retest result
The same replay no longer returns mixed tenant records
The report shows the exact workflow, the wrong-tenant artifact, and the retest result.
It does not just say export leak found. It shows which workflow leaked, which actor triggered it, what tenant boundary failed, which artifact contained the wrong records, and how the fix was verified.
Focused export leak review
A compact review for export workflows where generated files and delivery paths are the suspected tenant boundary risk.
From EUR 750
Best for CSV exports, PDF reports, signed URLs, queued report jobs, and customer data downloads
Included inside the full Multi Tenant Security Audit
Useful when generated files and delivery paths are the suspected tenant boundary risk
Focused export audit vs full multi tenant security audit
Use the focused export review when generated files are the main concern. Use the full audit when the export problem sits inside a broader tenant boundary model.
Focused export audit: narrower scope for export, report, and file delivery risk.
Full multi tenant security audit: broader tenant boundary review across the product.
Use this audit when exports are the risky path
This scope is a good fit when the most important question is whether generated files and delivery paths still obey tenant boundaries.
You have CSV or PDF exports in customer dashboards
Generated files need the same tenant scope as the screen that launched them, or the report path becomes a leak path.
Reports are generated through background jobs
Queued jobs often lose context after request acceptance, which makes tenant-bound job payloads important.
Download links are shared by email or notification
If the link is valid outside the right tenant or session, the file can travel beyond the intended boundary.
Customers export billing, usage, user, order, or compliance data
Those exports are sensitive because they often contain bulk records that are easy to forward or store.
Your API looks scoped but the report uses separate queries
A clean API response does not prove the export SQL, renderer, or storage path is tenant-aware.
You need proof before a release or buyer review
The audit gives you concrete evidence the team can hand to engineering or leadership before the issue is visible to customers.
Audit scopes and guides
Commercial paths
Use these pages to compare the focused export review with broader tenant isolation, cross tenant leakage, and sample report paths.
Multi Tenant Security Audit
Broader tenant boundary review across APIs, jobs, exports, and support workflows.
Cross Tenant Data Leak Audit
Use this when export leakage is showing up alongside other shared data paths.
SaaS Tenant Isolation Audit
Useful when the export issue is one part of a broader tenant boundary problem.
Sample SaaS Security Audit Report
See the format buyers receive, including request-level evidence and retest proof.
Supporting reading
Read more about export data leaks in SaaS, cross tenant reporting leaks, and preventing cross tenant leakage.
Export data leaks in SaaS
Why CSV, PDF, signed URL, and download paths leak wrong tenant records.
Cross tenant reporting leaks
How report generation and aggregates expose data that the main API path did not.
Preventing cross tenant leakage
The broader boundary pattern behind exports, reports, and shared responses.
Questions buyers ask about export leakage
Short answers for teams deciding whether export risk needs a dedicated audit or the broader scope.
Is this part of a multi tenant security audit?
Yes. This is a focused scope for teams mainly worried about exports, reports, and downloads. For broader tenant boundary testing, use the Multi Tenant Security Audit.
Can exports leak even if the API endpoint is secure?
Yes. Export generation often uses separate queries, background workers, file storage, or signed URLs, so it can bypass the scope rules used by the normal endpoint.
Do you need production data?
No. The audit can use staging data, seeded test tenants, or controlled accounts as long as the export flow behaves like production.
Can a signed download link leak another tenant's data?
Yes. If the file, token, or retrieval path is not bound to the active tenant, the link can expose a file outside the intended account or session.
What types of exports are tested?
CSV files, PDF reports, report generation jobs, signed URLs, file downloads, and export workflows that run outside the normal request path.
What makes this different from checking one endpoint?
The audit follows the full export lifecycle: request, job creation, report generation, file storage, download, and retest.
What evidence do buyers get?
They get the tested workflow, actor and tenant context, baseline and mutated requests, the actual export result, and the fix direction.