TechnologyMarch 6, 2026·10 min read

Multi-Tenancy in SaaS: Data Isolation with PostgreSQL

Citai Team

March 6, 2026 · 10 min read

What is multi-tenancy and why does it matter?

Multi-tenancy means multiple organizations (tenants) use the same application and infrastructure, but each sees only their data. It’s the standard SaaS model — one database, one server, but total isolation between customers.

Multi-tenancy: 3 tenants (E-commerce, SaaS, Education) sharing infrastructure with completely isolated data

Why not separate databases?

Approach Pros Cons
Separate DBs Physical isolation Expensive, hard to maintain, N migrations
Schema per tenant Good isolation Complex, N migrations
tenant_id (Citai) Simple, scalable, 1 migration Requires query discipline

Citai uses the tenant_id approach — same PostgreSQL database, but every record has a tenant_id guaranteeing logical isolation.

Isolation by tenant_id: no exceptions

Every table has a tenant_id column. Every query always filters by tenant.

Layer 1: Business data

SELECT * FROM knowledge_bases WHERE tenant_id = :current_tenant;
SELECT * FROM conversations WHERE tenant_id = :current_tenant;

Isolated tables: KBs, documents, chunks, FAQs, conversations, messages, feedback, usage logs, API keys, widget sessions.

Layer 2: Metrics and analytics

Per-tenant. A tenant_admin’s dashboard shows only their organization’s data.

Layer 3: Super admin isolation

Super admin isolation: The super_admin is the platform operator. Sees aggregate metrics (total revenue, tenant count) but CANNOT see conversations, documents, FAQs, or content from any other tenant.

Hierarchical role system

Role Scope Can see
super_admin Platform Tenants, plans, aggregate revenue, global config
tenant_admin Organization KBs, users, analytics, RAG config, API keys
member Their access Chat, assigned KBs (public + their groups)

KB access control

Within each tenant: Public (all members), Private (creator + admins), Groups (specific group members).

Anti-fraud plan enforcement

Resource Free Starter Pro
AI queries/month 50 500 5,000
Knowledge bases 2 5 20
Documents 10 50 500
API keys 1 3 10

Atomic counters

Usage counters use atomic UPSERT to prevent race conditions. Counters only increment (never decrement). Redis handles SSE streaming concurrency. Over limit → HTTP 403 + upgrade_required event. FAQs are always free.

FAQ-only fallback: When a tenant exhausts AI query quota, FAQs keep working. Only LLM queries show an upgrade message.

Additional security

  • API keys: SHA-256 hashed storage
  • Email tokens: Hashed (forgot password, verification, invites)
  • JWT rotation: Access 30min, refresh 7d with rotation
  • Rate limiting: Redis sliding window on sensitive endpoints
100%data isolation
3role levels
SHA-256hashed API keys
UPSERTanti-fraud counters

Enterprise security from the Free plan. Create account →

Try Citai for free

Create your intelligent knowledge base in minutes. No credit card required.

Create free account