diff --git a/app/Policies/CustomerPolicy.php b/app/Policies/CustomerPolicy.php
index aa2feccb..02ad2fa3 100644
--- a/app/Policies/CustomerPolicy.php
+++ b/app/Policies/CustomerPolicy.php
@@ -32,7 +32,7 @@ class CustomerPolicy
 */
 public function view(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('view-customer', $customer)) {
+ if (BouncerFacade::can('view-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -60,7 +60,7 @@ class CustomerPolicy
 */
 public function update(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('edit-customer', $customer)) {
+ if (BouncerFacade::can('edit-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -74,7 +74,7 @@ class CustomerPolicy
 */
 public function delete(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('delete-customer', $customer)) {
+ if (BouncerFacade::can('delete-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -88,7 +88,7 @@ class CustomerPolicy
 */
 public function restore(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('delete-customer', $customer)) {
+ if (BouncerFacade::can('delete-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -102,7 +102,7 @@ class CustomerPolicy
 */
 public function forceDelete(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('delete-customer', $customer)) {
+ if (BouncerFacade::can('delete-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
diff --git a/tests/Feature/Admin/CustomerTest.php b/tests/Feature/Admin/CustomerTest.php
index 33f3ec09..f9bfe2ef 100644
--- a/tests/Feature/Admin/CustomerTest.php
+++ b/tests/Feature/Admin/CustomerTest.php
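Review bot: In each of the five hunks (`view`, `update`, `delete`, `restore`, `forceDelete`) the new `hasCompany` guard only narrows the branch that returns true; the code that runs when the condition is false lies outside the hunk, and since every method body continues past what is shown, whatever that fallthrough returns also has to be scoped to the user's company or the tenant check added here can be bypassed through that path. It is worth confirming that the remaining branch of each method either returns false or carries the same `$user->hasCompany($customer->company_id)` condition. On style, the same guard is now duplicated five times; a private helper such as `private function sameCompany(User $user, Customer $customer): bool { return $user->hasCompany($customer->company_id); }` keeps the tenancy rule in one place so a future ability method cannot forget it. A short comment on the helper, e.g. `// Tenant isolation: a Bouncer ability on a customer is only honoured for the customer's own company`, would record why the ability check alone is not sufficient.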
@@ -2,6 +2,7 @@
 
 use App\Http\Controllers\V1\Admin\Customer\CustomersController;
 use App\Http\Requests\CustomerRequest;
+use App\Models\Company;
 use App\Models\Customer;
 use App\Models\Invoice;
 use App\Models\User;
@@ -157,3 +158,26 @@ test('delete multiple customer', function () {
 'success' => true,
 ]);
 });
+
+test('cannot view customer from another company', function () {
+ $otherCompany = Company::factory()->create();
+ $otherCustomer = Customer::factory()->create([
+ 'company_id' => $otherCompany->id,
+ ]);
+
+ getJson("api/v1/customers/{$otherCustomer->id}")
+ ->assertForbidden();
+});
+
+test('cannot update customer from another company', function () {
+ $otherCompany = Company::factory()->create();
+ $otherCustomer = Customer::factory()->create([
+ 'company_id' => $otherCompany->id,
+ ]);
+
+ putJson("api/v1/customers/{$otherCustomer->id}", [
+ 'name' => 'Hacked Name',
+ 'email' => 'hacked@example.com',
+ ])->assertForbidden();
+});
+
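Review bot: The two new tests in the second hunk cover only `view` and `update`, while the policy change in this commit also guards `delete`, `restore` and `forceDelete`; a cross-company delete case is missing, and without it a regression in those three methods would pass the suite. The existing 'delete multiple customer' test (whose body is outside the hunk) shows the request shape the suite already uses for deletion, so mirroring it against `$otherCustomer->id` and asserting `assertForbidden()` is enough. Both tests also rely on an authenticated actor set up elsewhere in the file, presumably in a `beforeEach`; it is worth confirming that actor belongs to a company other than `$otherCompany`, since otherwise the forbidden response would not be exercising the new check. The `$otherCompany`/`$otherCustomer` fixture is built identically in both tests, so a small closure such as `$customerInOtherCompany = fn () => Customer::factory()->create(['company_id' => Company::factory()->create()->id]);` would keep the third case from copying it a third time.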