The decision you make about multi-tenancy architecture on day one of building a SaaS product will constrain your decisions for years. We have seen well-funded companies make expensive architectural pivots at Series B because they chose the wrong tenancy model for their actual enterprise buyer. Here is how to make the right choice upfront.
The Three Models
Pool (Shared Everything)
All tenants share the same database tables, the same compute, and the same infrastructure. Tenant isolation is enforced entirely in the application layer via row-level security and scoped API keys. This is the cheapest model to operate and the fastest to build. It is the right choice when: your buyers are SMBs with no compliance requirements, you are pre-product-market-fit and need to move fast, and you can accept that a single noisy tenant can degrade performance for others.
- Lowest infrastructure cost per tenant
- Simplest to operate and scale
- Cannot satisfy enterprise compliance requirements (GDPR data isolation, SOC 2)
- Noisy neighbor risk affects all tenants
- Data breach affects all tenants simultaneously
Silo (Dedicated Everything)
Each tenant gets their own dedicated infrastructure: their own database instance, their own compute, their own VPC. The isolation is complete -there is no shared infrastructure between tenants. This model satisfies the most demanding enterprise compliance requirements (HIPAA, FedRAMP, ISO 27001) and eliminates noisy neighbor risk entirely. The trade-off is cost: you are running N copies of your infrastructure for N tenants.
Bridge (Shared Compute, Isolated Data)
The bridge model is the pragmatic compromise that most enterprise SaaS products eventually land on. Compute is shared -tenants run on the same application servers -but data is isolated. Each tenant gets their own database schema (schema-per-tenant) or their own database instance (database-per-tenant). Application-level multi-tenancy handles the rest. This model provides the data isolation guarantees that enterprise procurement teams demand while maintaining reasonable operational cost.
If your ICP is enterprise, build for the bridge model from day one. The cost of retrofitting isolation into a pool architecture is enormous -and you will have to do it the moment your first Fortune 500 client asks about SOC 2 compliance.
The Enterprise Compliance Test
The fastest way to determine which model you need is to answer one question: will any of your target customers ask for data isolation guarantees as a procurement condition? If yes, pool is disqualified. If enterprise clients will ask whether a data breach at tenant A could expose tenant B's data, the answer must be no -and only silo or bridge can provide that answer.
Migration Cost Is Asymmetric
Migrating from pool to bridge requires: adding a tenant identifier to every database table, updating every query to include tenant scoping, migrating existing data into the new schema structure, and validating that no cross-tenant data leakage exists after migration. At early scale this is painful but feasible. At 1,000 tenants and 50 database tables, it is a multi-month engineering project. Build for your destination model from the start.
