Multi-tenant Architecture

One platform. Clear tenant boundaries.

Every record carries an account_id. The control plane provisions and bills tenants but never sees their data. ON DELETE CASCADE means cancellation is final. The architecture matters when you're the customer and you're auditing it.

Read-only demo · no signup · realistic seeded records

Multi-tenant topology with control plane above four isolated tenant databases
Captured from a real seeded Azora workspace.

How it works

Tenant isolation by row, enforced through scoped data access.

Azora's multi-tenant model isn't "folders with permissions" or "workspaces with shared infrastructure". Every customer-data table carries a NOT NULL account_id column with an index, and every query is scoped through a helper that adds WHERE account_id = $tenant. The Control Plane (vendor-only) provisions, bills, and suspends tenants — it has no SELECT access to tenant rows.

01

Row-level isolation

account_id NOT NULL on every table. Indexed for query performance. Queries scoped via tenantDb() helper.

02

CP / Tenant separation

Control plane sits above; tenant DBs sit below. CP provisions + bills + suspends. Never reads tenant data.

03

ON DELETE CASCADE

Tenant cancellation triggers row-level purge of every record carrying that account_id. Final, transactional, audit-logged.

04

Per-tenant RBAC

Roles and permissions live within the tenant. CP has its own role hierarchy (vendor admin, billing, support).

05

Audit log per tenant

Every CRUD operation logged with actor + tenant. CP actions logged separately to admin_audit_log.

06

Self-host option

Run the same code on your own VPS. CP becomes optional. You hold the only database. Common for regulated industries.

Connected workflow

Multi-tenant Architecture works better when the context travels with it.

Azora keeps project work, quality evidence, people, suppliers, units, documents, and customer context on one shared operating core—without a sync job between every team.

  1. 01
    Row-level isolation

    account_id NOT NULL on every table. Indexed for query performance. Queries scoped via tenantDb() helper.

  2. 02
    CP / Tenant separation

    Control plane sits above; tenant DBs sit below. CP provisions + bills + suspends. Never reads tenant data.

  3. 03
    ON DELETE CASCADE

    Tenant cancellation triggers row-level purge of every record carrying that account_id. Final, transactional, audit-logged.

  4. 04
    Per-tenant RBAC

    Roles and permissions live within the tenant. CP has its own role hierarchy (vendor admin, billing, support).

“Before we built Azora's multi-tenant model, we evaluated three SaaS QMS vendors for our own use. Two said 'tenant-isolated' but couldn't show us the schema. That's why we ended up writing our own — and why Azora opens the column to anyone who asks.”
Theo K. · R&D Manager at Azora Optical Solutions — the team that built Azora
100%Records carry account_id
0Cross-tenant SELECTs in Control Plane
CASCADETenant deletion is final
Open beta nowFree, demo-first, and sales-provisioned within 24 hours.

At GA: one plan, every module—$29/paid editor/month annually or $35 monthly, 30-day full-feature trial, unlimited free read-only viewers, and a 5-editor minimum. Open-beta design partners lock $20/editor/month annually for 24 months from GA.

See it before you talk to sales

Audit the architecture, then talk to us.

Open the technical brief for the schema, the helpers, the audit-log structure, and the May 2026 third-party audit findings. Then email us with whatever's missing.