Multi-tenancy is the architecture choice that defines the operational shape of a SaaS product. Pick well and you can scale from 10 to 10,000 customers without re-architecting. Pick badly and you re-do it twice as you grow. This post covers the four patterns we see in practice, what each costs, and when each fits.
The patterns at a glance
Four multi-tenancy patterns
Most production SaaS products use Pattern A or Pattern D.
Pattern A: Shared schema with tenant_id
The default for almost every B2B SaaS.
Every table has a tenant_id column. Every query is scoped by tenant. Postgres row-level security enforces the scope at the database layer, not just the application layer.
CREATE TABLE invoices (
id uuid PRIMARY KEY,
tenant_id uuid NOT NULL REFERENCES tenants(id),
amount numeric NOT NULL,
...
);
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON invoices
USING (tenant_id = current_setting('app.tenant_id')::uuid);
Every query, the application sets app.tenant_id. The database refuses to return rows from other tenants.
Pros:
- One database. One migration. One backup. One restore.
- Scales to thousands of tenants on a single instance.
- Cheap to operate.
- Simplest mental model.
Cons:
- One bad query can starve the database for everyone.
- A bug in the application code can leak across tenants (mitigated by RLS).
- No hard isolation for compliance-sensitive customers.
Pattern B: Schema per tenant
One Postgres database. One schema per tenant. The same table structure inside each schema.
The application picks the schema at request time based on the tenant.
Pros:
- Stronger isolation than tenant_id. Cross-tenant queries are physically impossible without explicit cross-schema syntax.
- Per-tenant migrations are possible (rare but useful for enterprise customers).
- Backup and restore can be per-tenant.
Cons:
- Migrations get harder. You're migrating N schemas instead of 1.
- Postgres has practical limits on schema count (depends on version, but past ~10,000 you feel it).
- Connection pooling is trickier.
- More moving parts to operate.
Schema-per-tenant fits when you have hundreds (not thousands) of tenants and they each have meaningful data with mild isolation needs.
Pattern C: Database per tenant
One Postgres database per tenant. Total isolation. Often required for regulated customers.
Pros:
- Strongest isolation. A SQL injection in one tenant's database has no path to another's.
- Per-tenant compute and IOPS allocation.
- Per-tenant SLAs are straightforward.
- Per-tenant backup and restore is trivial.
Cons:
- Operational tax is significant. Migrations across N databases. N sets of credentials. N monitoring dashboards.
- Cost. Even a small RDS instance has a base cost. Multiply by N tenants.
- Doesn't fit for self-serve tenants. Only for enterprise.
Database-per-tenant fits when each tenant pays $50k+ per year and demands it.
Pattern D: Hybrid
The pragmatic answer for SaaS products that span self-serve and enterprise:
- Pattern A for the long tail of self-serve customers.
- Pattern B or C for the handful of enterprise customers who pay enough to justify it.
The application layer abstracts over the difference. Tenant config in a tenants table includes a "tenancy mode" field. The data-access layer picks the right pattern at request time.
Most growth-stage SaaS products land here without planning to. Worth designing for early so it's not a panic when the first enterprise contract demands isolation.
Operational concerns by pattern
Operational impact by pattern
Tenant isolation testing
Whatever pattern you pick, test it.
For Pattern A (shared schema):
- Every API integration test that touches data, run a second variant that signs in as a different tenant and asserts 404 or 403.
- Add a CI job that runs these "cross-tenant" tests against a database with two seeded tenants. If any cross-tenant access succeeds, fail the build.
For Pattern B and C:
- Application-level testing is the same.
- Add a smoke test that asserts the connection at request time is using the right schema or database.
Common mistakes
- No RLS in shared schema. Application-level tenant scoping has gaps. RLS closes them.
- Schema-per-tenant chosen for "future isolation" without need. Operational overhead is real and immediate.
- Hard-coded tenant_id in queries. Easy to forget when adding a new table. Use a query helper that always injects it.
- Backups that aren't per-tenant-restorable when customers need them. Test restore of a single tenant. Most teams find out at incident time that they can't.
Cost considerations
Shared schema on a single Postgres handles thousands of tenants for a few hundred dollars a month at most SaaS startup volumes. Per-tenant databases at the same volume cost five to ten times more. The cost difference matters more than the isolation difference for almost every team.
How Hashorn helps SaaS teams pick the right pattern
Hashorn provides SaaS product development and product engineering services. We help teams pick the right tenancy model based on their actual customer profile, then implement it cleanly with RLS, integration tests for isolation, and a migration path to hybrid if enterprise demands it later. We pair this with security engineering for teams whose tenants have compliance requirements.
Conclusion
Multi-tenant SaaS architecture in 2026 has four patterns and most teams should pick shared-schema-with-RLS unless they have a specific reason not to. Add hybrid when the first enterprise customer demands it. Test isolation at the API level. Don't over-engineer the first thousand tenants.
Frequently asked questions
Need help building AI-powered software, QA automation, or secure cloud systems?
Talk to Hashorn's engineering team. Dedicated senior engineers, QA, and security with same-week ramp.