RCWMAS

Whitepaper22 min read

Multi-Tenant Architecture Patterns for B2B SaaS

A deep-dive into silo, pool, and hybrid tenancy models — and how RCWMAS chose its isolation strategy across six products.

RCWMAS Engineering·June 1, 2025

architecture multi-tenancy saas database postgresql

Tenancy Models: A Framework

Every B2B SaaS application must make a fundamental architectural decision before writing the first line of data logic: how does the system isolate data and operations between its tenants?

The answer determines performance ceilings, cost floors, compliance posture, and the complexity of every data-related feature you will build for the lifetime of the product. Getting it wrong is expensive to reverse.

This whitepaper presents the three primary tenancy models, the conditions under which each is appropriate, and the hybrid approach that RCWMAS uses across its six-product portfolio.

The Silo Model

In a silo (or isolated) tenancy model, each tenant has a completely separate database — sometimes a separate application stack. Data isolation is absolute by construction.

When to use it:

Regulated industries with strict data residency requirements

Enterprise customers who contractually require data isolation

Products where tenants are large organisations with high data volumes

Tradeoffs:

Infrastructure cost scales linearly with tenant count

Schema migrations must be coordinated across all tenant databases

Operational complexity is high

The Pool Model

In a pool (or shared) tenancy model, all tenants share a single database with a tenant_id column as the isolation boundary. Data isolation is enforced by application logic and query filters.

When to use it:

Products with large numbers of small tenants (SMB-focused tools)

Cost efficiency as a primary constraint

Homogeneous tenant profiles with similar data volumes

Risk:

A missing WHERE tenant_id = ? clause is a data breach. This risk must be managed architecturally, not just through code review.

The Hybrid Model

A hybrid model allocates tenants to tiers based on their characteristics. Small tenants share a pooled tier; large or regulated tenants are promoted to an isolated silo automatically or on-demand.

This is the model we use at RCWMAS. It allows us to serve the long tail of smaller customers cost-effectively while meeting enterprise and compliance requirements for larger customers without architectural compromise.

Row-Level Security as Architecture

For the pooled tier, PostgreSQL's Row-Level Security feature provides a strong architectural guarantee against cross-tenant data access — moving the tenancy enforcement from application code into the database layer.

CREATE POLICY tenant_isolation ON documents
  USING (tenant_id = current_setting('app.current_tenant')::uuid);

This approach means a query that forgets the tenant filter fails silently rather than returning cross-tenant data — a significant improvement in the risk profile for pooled architectures.

Migration Considerations

Moving an existing product from pool to silo as a tenant grows is one of the most disruptive operations in B2B SaaS. Planning the data portability model from day one — even if you begin with pooled tenancy — dramatically reduces the cost of this transition later.

RCWMAS builds and operates multi-tenant platforms across legal, construction, and infrastructure verticals.

Back to Research & Publications

RCWMAS

Research & Publications

Whitepaper22 min read

Multi-Tenant Architecture Patterns for B2B SaaS

A deep-dive into silo, pool, and hybrid tenancy models — and how RCWMAS chose its isolation strategy across six products.

RCWMAS Engineering·June 1, 2025

architecture multi-tenancy saas database postgresql

Tenancy Models: A Framework

Every B2B SaaS application must make a fundamental architectural decision before writing the first line of data logic: how does the system isolate data and operations between its tenants?

This whitepaper presents the three primary tenancy models, the conditions under which each is appropriate, and the hybrid approach that RCWMAS uses across its six-product portfolio.

The Silo Model

In a silo (or isolated) tenancy model, each tenant has a completely separate database — sometimes a separate application stack. Data isolation is absolute by construction.

When to use it:

Regulated industries with strict data residency requirements

Enterprise customers who contractually require data isolation

Products where tenants are large organisations with high data volumes

Tradeoffs:

Infrastructure cost scales linearly with tenant count

Schema migrations must be coordinated across all tenant databases

Operational complexity is high

The Pool Model

In a pool (or shared) tenancy model, all tenants share a single database with a tenant_id column as the isolation boundary. Data isolation is enforced by application logic and query filters.

When to use it:

Products with large numbers of small tenants (SMB-focused tools)

Cost efficiency as a primary constraint

Homogeneous tenant profiles with similar data volumes

Risk:

A missing WHERE tenant_id = ? clause is a data breach. This risk must be managed architecturally, not just through code review.

The Hybrid Model

A hybrid model allocates tenants to tiers based on their characteristics. Small tenants share a pooled tier; large or regulated tenants are promoted to an isolated silo automatically or on-demand.

Row-Level Security as Architecture

CREATE POLICY tenant_isolation ON documents
  USING (tenant_id = current_setting('app.current_tenant')::uuid);

This approach means a query that forgets the tenant filter fails silently rather than returning cross-tenant data — a significant improvement in the risk profile for pooled architectures.

Migration Considerations

RCWMAS builds and operates multi-tenant platforms across legal, construction, and infrastructure verticals.

Back to Research & Publications