Understanding the difference between database per tenant, schema per tenant, and shared database architectures for B2B software.
When building a B2B SaaS application, your software will be used by multiple different companies (tenants). A single instance of your software must securely serve Company A and Company B, guaranteeing that Company A can never accidentally view Company B’s data.
This concept is called Multi-Tenancy. Choosing the right multi-tenant architecture on day one is one of the most critical decisions a CTO will make. Get it wrong, and you risk massive data leaks and unscalable infrastructure.
Here are the three primary architectures for building a multi-tenant SaaS, and how to choose the right one.
1. Database Per Tenant (Isolated)
In this model, every single customer gets their own completely separate database instance.
Pros:
- Ultimate Security: Data is physically isolated. A bug in your code cannot accidentally query Company B’s data because the connection string is entirely different.
- Customization & Backup: You can restore a backup for a single customer without affecting anyone else. You can even run different versions of the database schema for different enterprise clients.
Cons:
- High Cost & Maintenance: If you have 1,000 customers, you have 1,000 databases to manage, monitor, and scale. Running schema migrations (like adding a new column) across 1,000 databases is an operational nightmare.
Best for: Healthcare, FinTech, and Enterprise SaaS where strict compliance (HIPAA, SOC2) and data isolation are non-negotiable.
2. Schema Per Tenant
In this model, all customers share the same physical database server, but each customer gets their own isolated Schema (a logical grouping of tables).
Pros:
- Strong Logical Isolation: Data is highly separated, making accidental data leakage difficult.
- Easier Maintenance than Isolated: You only have one database server to monitor and scale.
Cons:
- Migration Complexity: You still have to run database migrations across hundreds of schemas. As the number of schemas grows, some database engines (like older versions of PostgreSQL) can experience performance degradation due to metadata bloat.
Best for: Mid-market B2B SaaS where customers demand strong data separation but the company cannot afford the overhead of spinning up separate physical databases.
3. Shared Database, Shared Schema (Pooled)
This is the most common architecture for modern startups. All customers share the exact same database and the exact same tables. Every table simply has a tenant_id or workspace_id column.
Pros:
- Extremely Scalable and Cheap: You only have one database to host, monitor, and scale.
- Simple Migrations: Adding a new column to a table is a single operation that instantly applies to all customers.
- Fast Onboarding: Creating a new customer simply involves inserting a new row into the
tenantstable. No infrastructure needs to be provisioned.
Cons:
- Security Risk: If a developer forgets to append
WHERE tenant_id = ?to a SQL query, Company A might see Company B’s data. - Noisy Neighbor Problem: If Company A runs a massive, poorly optimized data export, it consumes CPU and RAM, slowing down the application for Company B.
Best for: 95% of early-stage startups and consumer SaaS products. It provides the highest developer velocity and lowest infrastructure cost.
Mitigating the Risks of the Pooled Model
Because the Pooled (Shared) model is the best choice for most startups, engineering teams must implement strict safeguards.
At GrassHopper Digital, we enforce multi-tenancy at the ORM or Database Policy level, not the application logic level.
- Using features like PostgreSQL Row-Level Security (RLS), we ensure that the database engine itself rejects any query attempting to access a row that doesn’t match the current user’s authenticated
tenant_id. - This guarantees that even if a developer writes a sloppy query, a data leak is architecturally impossible.
Conclusion
Do not over-engineer your multi-tenant architecture. Start with a Shared Database model backed by strict Row-Level Security. As you move upmarket and sign massive enterprise contracts, you can always build dedicated “Isolated” instances for those specific high-paying clients while keeping your core user base on the pooled infrastructure.
