One platform. N tenants. Zero leak.
Every record carries a tenant_id. The control plane provisions and bills tenants but never sees their data. ON DELETE CASCADE means cancellation is final. The architecture matters when you're the customer and you're auditing it.
Tenant isolation by row, enforced at the database.
Azora's multi-tenant model isn't "folders with permissions" or "workspaces with shared infrastructure". Every customer-data table carries a NOT NULL account_id column with an index, and every query is scoped through a helper that adds WHERE account_id = $tenant. The Control Plane (vendor-only) provisions, bills, and suspends tenants — it has no SELECT access to tenant rows.
Row-level isolation
account_id NOT NULL on every table. Indexed for query performance. Queries scoped via tenantDb() helper.
CP / Tenant separation
Control plane sits above; tenant DBs sit below. CP provisions + bills + suspends. Never reads tenant data.
ON DELETE CASCADE
Tenant cancellation triggers row-level purge of every record carrying that tenant_id. Final, transactional, audit-logged.
Per-tenant RBAC
Roles and permissions live within the tenant. CP has its own role hierarchy (vendor admin, billing, support).
Audit log per tenant
Every CRUD operation logged with actor + tenant. CP actions logged separately to admin_audit_log.
Self-host option
Run the same code on your own VPS. CP becomes optional. You hold the only database. Common for regulated industries.
"When we evaluated SaaS quality systems, every vendor said 'tenant-isolated' but couldn't show us the schema. Azora showed us the column. We bought it the same day."
Andrew M., R&D Manager100%
Records carry tenant_id
0
Cross-tenant SELECTs in Control Plane
CASCADE
Tenant deletion is final
Audit the architecture, then sign up.
Talk to sales for a security review. We'll walk you through the schema, the helpers, and the audit logs.