Multi-tenancy — serving multiple customers from shared infrastructure — is what makes SaaS economics work. Without it, every customer needs dedicated infrastructure, dedicated operations, and dedicated support. With it, you amortise costs across your entire customer base and deliver updates to everyone simultaneously.
The architecture decisions you make about multi-tenancy affect everything: security, performance, compliance, pricing, and your ability to serve both SMB and enterprise customers from the same platform.
The Multi-Tenancy Spectrum
Multi-tenancy isn't binary. It's a spectrum from fully shared to fully isolated:
Model 1: Shared Everything
All tenants share the same application instances, the same database, and the same infrastructure. Tenants are separated by a tenant ID in every query.
Pros: Lowest cost per tenant. Simplest deployment. Single codebase, single deployment. Cons: Noisy neighbor risk. Security isolation depends entirely on application logic. Compliance concerns for regulated industries. Best for: SMB SaaS, collaboration tools, content management.
Model 2: Shared Application, Separate Database
All tenants share the same application instances, but each tenant has its own database (or schema).
Pros: Better data isolation. Easier backup and restore per tenant. Better compliance posture. Cons: More databases to manage. Connection pool management complexity. Slightly higher cost. Best for: Mid-market SaaS, applications handling sensitive data.
Model 3: Shared Infrastructure, Separate Compute
Each tenant gets their own application instances but shares the underlying infrastructure (Kubernetes cluster, networking).
Pros: Strong workload isolation. No noisy neighbor risk. Tenant-specific scaling. Cons: Higher cost per tenant. More complex deployment and management. Best for: Enterprise SaaS, applications with variable workload patterns.
Model 4: Fully Isolated (Silo)
Each tenant gets dedicated infrastructure — compute, storage, networking.
Pros: Maximum isolation. Full compliance. No shared anything. Cons: Highest cost. Doesn't scale to thousands of tenants. Complex lifecycle management. Best for: Enterprise premium tier, regulated industries (healthcare, government, finance).
Choosing the Right Model
| Factor | Shared Everything | Shared App, Separate DB | Separate Compute | Fully Isolated |
|---|---|---|---|---|
| Cost per tenant | Lowest | Low-Medium | Medium-High | Highest |
| Data isolation | Application-level | Database-level | Application + compute | Full |
| Noisy neighbor risk | High | Medium | Low | None |
| Compliance readiness | Basic | Good | Strong | Maximum |
| Max tenants | 100K+ | 10K+ | 1K+ | 100s |
| Operational complexity | Low | Medium | High | Highest |
Most SaaS companies need a hybrid approach: Shared everything for SMB/free tier, separate database for mid-market, and separate compute or silo for enterprise. Your architecture should support multiple isolation levels.
Data Isolation Patterns
Row-Level Security
Every table has a tenant_id column. Every query includes a tenant filter. The application ensures no query can access data across tenants.
Implementation:
-- PostgreSQL Row-Level Security
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON orders
USING (tenant_id = current_setting('app.current_tenant')::uuid);
Risk: A single missing WHERE clause or a bug in the tenant context can expose data across tenants. This is the #1 multi-tenancy security vulnerability.
Mitigation: Use database-level row security policies (PostgreSQL RLS) rather than relying solely on application code. Test with automated tenant isolation tests.
Schema-Per-Tenant
Each tenant gets their own database schema within a shared database instance.
Pros: Stronger isolation than row-level. Easier to reason about. Schema migrations per tenant. Cons: Schema count limits (varies by database). Connection management complexity. Migrations must be coordinated across schemas.
Database-Per-Tenant
Each tenant gets their own database instance.
Pros: Strongest data isolation without full silo. Easy backup/restore per tenant. No cross-tenant query risk. Cons: Connection pool management. Higher infrastructure cost. Migrations across all databases.
The Noisy Neighbor Problem
In shared infrastructure, one tenant's heavy workload can degrade performance for all tenants. Solutions:
- Rate limiting per tenant: API rate limits based on tenant tier
- Resource quotas: CPU and memory limits per tenant (Kubernetes resource quotas)
- Queue isolation: Separate processing queues for heavy tenants
- Database connection pools per tenant: Prevent one tenant from exhausting connections
- Monitoring and alerting: Detect noisy tenants and throttle automatically
- Fair scheduling: Weighted queue processing that ensures all tenants get their fair share
Tenant Onboarding Automation
At scale, onboarding a new tenant must be fully automated:
- Provisioning: Create tenant record, configure database (or schema), set up storage
- Configuration: Apply default settings, configure branding, set up integrations
- Data migration: Import existing data if migrating from another system
- Validation: Automated tests to verify the tenant environment is functional
- Notification: Welcome email, getting started guide, admin access
Target: New tenant provisioned and accessible in under 5 minutes. Any manual step is a scalability bottleneck.
Tenant-Aware Caching
Caching in multi-tenant systems requires tenant isolation:
Cache key strategy:
tenant:{tenant_id}:resource:{resource_type}:{resource_id}
Cache invalidation: When a tenant's data changes, only invalidate that tenant's cache entries. Global invalidation is too expensive.
Cache sizing: Set per-tenant cache limits to prevent one tenant from consuming the entire cache.
Compliance Implications
Data Residency
Some tenants may require data to stay in specific geographic regions. Architecture must support:
- Regional database deployment (tenant data in the required region)
- Regional processing (compute in the same region as data)
- Metadata isolation (even metadata like tenant name may be subject to residency)
Audit and Access Logging
- Log all data access with tenant context
- Provide tenant-specific audit logs (tenants can review who accessed their data)
- Retain logs per tenant regulatory requirements (some tenants may require longer retention)
Data Deletion
When a tenant leaves, all their data must be completely removed:
- Database-per-tenant: Drop the database
- Schema-per-tenant: Drop the schema
- Row-level: Delete all rows with the tenant_id (verify with counts)
- Backups: Ensure tenant data is removed from backups within the retention period
- Logs: Consider tenant data in log files
Cost Modelling
| Component | Shared Model | Isolated Model |
|---|---|---|
| Compute (per tenant) | ~$5-20/month | ~$50-500/month |
| Database (per tenant) | ~$1-5/month | ~$20-200/month |
| Storage (per tenant) | ~$0.50-5/month | ~$2-20/month |
| Operations (per tenant) | ~$0.10/month | ~$5-50/month |
| Total per tenant | ~$7-30/month | ~$77-770/month |
The cost differential drives the pricing strategy. Enterprise customers paying $5K+/month can justify isolated infrastructure. SMB customers paying $50/month cannot.
Multi-tenant architecture is the foundation of SaaS scalability and economics. The decisions you make here affect security, compliance, performance, and pricing for the life of your product. If you're designing multi-tenant architecture, let's talk.