diff --git a/src/permit/permit.controller.ts b/src/permit/permit.controller.ts
index 47d7470..cc1323f 100644
--- a/src/permit/permit.controller.ts
+++ b/src/permit/permit.controller.ts
@@ -29,7 +29,7 @@ export async function getPermitHandler(req: FastifyRequest, res: FastifyReply) {
   const { permitId } = req.params as { permitId: string };
   try {
-    const permit = await getPermit(permitId, req.user.tenantId);
+    const permit = await getPermit(permitId, req.user);
     if (permit === null) return res.code(404).send({ error: "resource not found" });
diff --git a/src/permit/permit.service.ts b/src/permit/permit.service.ts
index 91d684c..6472003 100644
--- a/src/permit/permit.service.ts
+++ b/src/permit/permit.service.ts
@@ -91,15 +91,20 @@ export async function createPermit(
   }
 }
-export async function getPermit(permitId: string, tenantId: string) {
-  return await permitModel
+export async function getPermit(permitId: string, user: AuthenticatedUser) {
+  const permit = await permitModel
     .findOne({
-      $and: [{ tenantId: tenantId }, { pid: permitId }],
+      $and: [{ tenantId: user.tenantId }, { pid: permitId }],
     })
     //.populate({ path: "county", select: "pid name avatar" })
     //.populate({ path: "client", select: "pid name avatar" })
     .populate({ path: "assignedTo", select: "pid name avatar" })
     .populate({ path: "createdBy", select: "pid name avatar" });
+
+  if (permit && user.role == "client" && user.orgId != permit.client.toString())
+    return null;
+
+  return permit;
 }
 export async function listPermits(
diff --git a/src/processed/processed.route.ts b/src/processed/processed.route.ts
index eb747e9..18b705b 100644
--- a/src/processed/processed.route.ts
+++ b/src/processed/processed.route.ts
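Review bot: The new client-scope guard in getPermit dereferences `permit.client.toString()` without checking that `client` is set, so a permit with no client turns the authorization check into a TypeError instead of a denial; the guard should fail closed when the field is missing and compare normalized string ids with `!==` rather than the loose `==`/`!=`. Something like `const clientId = permit?.client?.toString();` followed by `if (permit && user.role === "client" && (!clientId || clientId !== String(user.orgId))) return null;` keeps the null-to-404 path that getPermitHandler relies on while denying when either id is absent. Whether `user.orgId` and `permit.client` are strings or ObjectIds is not visible here, hence the explicit String conversion on the user side. The same guard appears verbatim in getProcessedPermit in processed.service.ts and needs the same change; a single shared predicate would keep the two in step. Returning null rather than throwing makes a cross-org lookup indistinguishable from a missing permit, which is the right outcome for the 404 response.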
@@ -68,7 +68,7 @@ export async function processedRoutes(fastify: FastifyInstance) {
     const { permitId } = req.params as { permitId: string };
     try {
-      const permit = await getProcessedPermit(permitId, req.user.tenantId);
+      const permit = await getProcessedPermit(permitId, req.user);
       return res.code(200).send(permit);
     } catch (err) {
       return err;
diff --git a/src/processed/processed.service.ts b/src/processed/processed.service.ts
index c3e4b11..39424b9 100644
--- a/src/processed/processed.service.ts
+++ b/src/processed/processed.service.ts
@@ -16,13 +16,21 @@ import { createAlert } from "../alert/alert.service";
 import { getUser } from "../user/user.service";
 import { orgModel } from "../organization/organization.schema";
-export async function getProcessedPermit(permitId: String, tenantId: String) {
-  return await processedModel
+export async function getProcessedPermit(
+  permitId: String,
+  user: AuthenticatedUser
+) {
+  const permit = await processedModel
     .findOne({
-      $and: [{ tenantId: tenantId }, { pid: permitId }],
+      $and: [{ tenantId: user.tenantId }, { pid: permitId }],
     })
     .populate({ path: "assignedTo", select: "pid name avatar" })
     .populate({ path: "createdBy", select: "pid name avatar" });
+
+  if (permit && user.role == "client" && user.orgId != permit.client.toString())
+    return null;
+
+  return permit;
 }
 export async function updateProcessed(
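Review bot: The processed route sends `res.code(200).send(permit)` unconditionally, so the null that getProcessedPermit now returns for a client user outside the permit's organisation (or for an unknown id) goes out as a 200 with an empty body, whereas getPermitHandler in permit.controller.ts answers the same case with a 404. Mirror that handler before the send: `if (permit === null) return res.code(404).send({ error: "resource not found" });`. The catch block's `return err` hands the raw error object to Fastify's error path, which can surface driver error messages to the caller; it is not changed by this commit but is worth revisiting together with the 404/500 split. The enclosing route handler begins outside the hunk, so whether an auth preHandler guarantees `req.user` is set before the service dereferences `user.tenantId` cannot be confirmed from this view.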
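Review bot: The rewritten signature of getProcessedPermit keeps `permitId: String` (the boxed wrapper type) on a line this commit adds, while getPermit in permit.service.ts declares `permitId: string`; change the new line to `permitId: string,` so the two services agree and the primitive type is used. The added client/org guard is a line-for-line copy of the one in getPermit and inherits the same unchecked `permit.client.toString()` and loose `!=`; one helper such as `isVisibleToClient(user, permit)` defined in a single place would let both services share the fix rather than diverge later. `AuthenticatedUser` does not appear among the import lines visible in this hunk; if it is not already imported earlier in the file, the import needs adding.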