Building a B2B SaaS platform presents a classic architectural challenge: how do you serve hundreds or thousands of customers from a single application instance while ensuring their data is completely isolated? This is especially critical in the HealthTech space, where platforms that track employee wellness data must adhere to strict security and privacy standards, often aligning with principles found in regulations like HIPAA.
In this case study, we'll design the database architecture for "WellnessCorp," a fictional B2B wellness platform that helps companies track employee fitness challenges and mental health check-ins. We'll tackle the multi-tenancy problem head-on, choosing an efficient model and implementing ironclad data separation directly within our PostgreSQL database.
We will build a robust, scalable, and secure multi-tenant database schema using a shared-schema model fortified by PostgreSQL's powerful Row-Level Security (RLS) feature.
Prerequisites:
- Basic understanding of SQL and database concepts.
- Familiarity with PostgreSQL (version 9.5+ for RLS).
- Access to a running PostgreSQL instance for testing the examples.
Understanding the Problem: The Multi-Tenancy Trilemma
When designing a multi-tenant database, you generally face three main choices, each with its own trade-offs between isolation, cost, and operational complexity.
- Database per Tenant (Silo): The highest level of isolation. Each customer gets their own database. This offers maximum security but is expensive, resource-intensive, and a nightmare to manage and migrate at scale.
- Schema per Tenant (Bridge): A middle ground. All customers share a single database, but each has their own schema (a logical grouping of tables). This provides good isolation but can become complex to manage with a large number of tenants, and some PostgreSQL performance issues can arise with thousands of schemas.
- Shared Schema, Shared Tables (Pool): The most cost-effective and scalable approach. All customers share the same tables, and a specific column (e.g.,
organization_id) distinguishes which row belongs to which tenant. The main challenge here is enforcing data isolation. A single bug in your application code (like forgetting aWHERE organization_id = ?clause) could expose one tenant's data to another.
For WellnessCorp, we'll choose the Shared Schema model for its scalability and cost-efficiency. To solve the data leakage problem, we won't rely on application code. Instead, we'll delegate the responsibility of data isolation to the database itself using Row-Level Security.
Prerequisites
Before we start, ensure you have PostgreSQL installed. Let's create our main database and a dedicated, non-superuser role for our application to use. This is a crucial security practice.
-- Connect as a superuser (e.g., 'postgres') to run these commands
-- Create a new database for our platform
CREATE DATABASE wellness_corp_db;
-- Create a dedicated role for our application with login privileges
-- NEVER use a superuser for your application's day-to-day operations
CREATE ROLE wellness_app WITH LOGIN PASSWORD 'a_very_secure_password';
-- Grant the ability to connect to the new database
GRANT CONNECT ON DATABASE wellness_corp_db TO wellness_app;
-- Now, connect to the new database to continue setup
\c wellness_corp_db
-- Grant usage on the public schema to our app role
GRANT USAGE ON SCHEMA public TO wellness_app;
Expected Output:
You should see CREATE DATABASE, CREATE ROLE, and GRANT confirmations, and your psql prompt should change to wellness_corp_db=>.
Step 1: Designing the Core Multi-Tenant Schema
What we're doing
First, we'll define the core tables for our platform. The key design principle is that every table containing tenant-specific data must have an organization_id column. This column is the foundation of our multi-tenancy strategy.
Implementation
Let's create the tables for organizations (our tenants), users, and wellness entries.
-- src/db/schema.sql
-- Stores our tenants (corporate clients)
CREATE TABLE organizations (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
name TEXT NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- Stores the employees of each organization
CREATE TABLE users (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
email TEXT NOT NULL,
password_hash TEXT NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE(organization_id, email) -- Email must be unique within an organization
);
-- Stores wellness data points for each user
CREATE TABLE wellness_entries (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
entry_type TEXT NOT NULL, -- e.g., 'steps', 'mood_check_in'
value INTEGER NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- Grant our application role permissions on these tables
GRANT SELECT, INSERT, UPDATE, DELETE ON organizations, users, wellness_entries TO wellness_app;
How it works
organizations: This table is our tenant directory.users: Each user is directly linked to anorganization_id. TheON DELETE CASCADEensures that if a company account is deleted, all its users are automatically removed.wellness_entries: This table also containsorganization_id. While we could technically join back to theuserstable to find the organization, duplicating it here simplifies our security policies and can improve performance by avoiding extra joins for security checks.
Step 2: Implementing Row-Level Security (RLS)
What we're doing
This is where the magic happens ✨. We will enable RLS on our tables and create security policies. These policies are rules enforced by PostgreSQL for every single query. Our rule will be simple: "A user can only see data that matches their organization_id."
Implementation
First, we'll need a way to tell PostgreSQL which tenant is currently active for any given session. We'll use a session variable, which is a temporary setting for the current database connection.
-- In your application's connection setup, after a user authenticates:
-- SET session.current_organization_id = 'the-user-org-id-from-db';
Now, let's enable RLS and create the policies. These must be done by a superuser or the table owner.
-- src/db/security_policies.sql
-- Enable RLS on the tables
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE wellness_entries ENABLE ROW LEVEL SECURITY;
-- Create a policy to allow users to see ONLY the data from their own organization
CREATE POLICY tenant_isolation_policy ON users
FOR ALL
USING (organization_id = current_setting('session.current_organization_id')::UUID);
CREATE POLICY tenant_isolation_policy ON wellness_entries
FOR ALL
USING (organization_id = current_setting('session.current_organization_id')::UUID);
How it works
ALTER TABLE ... ENABLE ROW LEVEL SECURITY;: This command activates RLS for the specified table. By default, this is a "deny-all" policy, so no rows will be visible until a permissive policy is created.CREATE POLICY ...: We define a policy namedtenant_isolation_policy.FOR ALL: This applies the policy toSELECT,INSERT,UPDATE, andDELETEcommands.USING (...): This is the core of the policy. For any existing row to be visible (forSELECT,UPDATE,DELETE), this condition must be true. We check if the row'sorganization_idmatches the ID we've set in our session variable.current_setting('session.current_organization_id')::UUID: This function safely retrieves our session variable and casts it to theUUIDtype for comparison.
Putting It All Together: A Practical Test
Let's test our setup to see RLS in action.
1. Insert some sample data (as a superuser)
-- Insert two different companies
INSERT INTO organizations (id, name) VALUES
('11111111-1111-1111-1111-111111111111', 'Innovate Inc.'),
('22222222-2222-2222-2222-222222222222', 'Synergy Corp');
-- Insert users for each company
INSERT INTO users (organization_id, email, password_hash) VALUES
('11111111-1111-1111-1111-111111111111', 'huifer97@163.com', 'hash1'),
('22222222-2222-2222-2222-222222222222', 'huifer97@163.com', 'hash2');
2. Try to select data without setting the tenant
Connect as our wellness_app role and try to see the users.
SET ROLE wellness_app;
SELECT * FROM users;
Expected Output:
-- (0 rows)
Success! RLS is working. Since we haven't set our session variable, the policy condition is not met, and the database acts as if the table is empty.
3. Select data as a specific tenant
Now, let's pretend we are an authenticated user from "Innovate Inc."
-- Set the tenant context for this session
SET session.current_organization_id = '11111111-1111-1111-1111-111111111111';
-- Now, run the query again
SELECT * FROM users;
Expected Output:
-- id | organization_id | email | ...
-- --------------------------------------+--------------------------------------+--------------------+----
-- ... | 11111111-1111-1111-1111-111111111111 | huifer97@163.com | ...
-- (1 row)
It works perfectly! Our connection is now "scoped" to Innovate Inc., and we can only see their data. Bob from Synergy Corp is completely invisible to us. This isolation is enforced by the database, dramatically reducing the risk of accidental data leaks from the application layer.
Security Best Practices for a Wellness Platform
Handling health-related data requires extra diligence. Here are key security considerations:
- Encryption: Always enforce SSL/TLS for data in transit (
sslmode=requirein connection strings). For data at rest, use full-disk encryption on your database server or leverage managed database services (like AWS RDS) that handle this for you. - HIPAA Compliance: While PostgreSQL can be made HIPAA compliant, it's not compliant out of the box. Key responsibilities include:
- Access Control: Our RLS implementation is a powerful form of access control.
- Audit Logging: Use extensions like
pgauditto create a detailed log of all access and modifications to sensitive data. - Data Anonymization: For analytics, use data masking or tokenization techniques to de-identify Protected Health Information (PHI). The
pgcryptoextension can be useful.
- Least Privilege: The
wellness_approle we created should only have the minimum permissions necessary. It should not be a superuser or have rights to alter tables in production.
Alternative Approaches
While RLS is a fantastic fit for our use case, it's worth knowing the alternatives.
- Schema per Tenant:
- Pros: Stronger logical separation. Can be easier to backup/restore a single tenant's data.
- Cons: More complex migration scripts (must loop through all schemas). Can have performance overhead with thousands of tenants. Custom application routing logic is needed to point to the correct schema.
- Application-Level Enforcement:
- Pros: No complex database features needed. Can be implemented in any database.
- Cons: Extremely error-prone. One forgotten
WHEREclause in one of thousands of queries can cause a massive data breach. It puts the entire burden of security on the developers for every single line of code they write.
Conclusion
We have successfully designed a multi-tenant database for a B2B wellness platform using a scalable shared-schema approach. By leveraging PostgreSQL's Row-Level Security, we moved the critical responsibility of data isolation from the application layer to the database itself, creating a more secure and robust system.
This architecture provides the cost-benefits of a shared infrastructure while delivering the strong data guarantees needed for a modern, secure SaaS application, especially in a sensitive domain like HealthTech.
Next Steps for Readers:
- Try adding a
WITH CHECKclause to the policies to enforce that new data can only be inserted for the current tenant. - Explore using JSONB to store flexible wellness data in the
wellness_entriestable. - Investigate the
pgauditextension to set up a comprehensive audit trail.
Resources
- Official Documentation: PostgreSQL Row-Level Security Policies
- SaaS Architectures: AWS SaaS Tenant Isolation Strategies