Safe Boundary / Solutions / Multi-Tenant SaaS
Multi-tenant SaaS
Prevent tenant data leakage at the database layer
Safe Boundary enforces row-level security per tenant, per query, in real time — at the proxy layer, not inside PostgreSQL. Same isolation guarantees. No RLS performance penalty. Automatic injection of missing tenant conditions.
Stack diagram — SaaS app (multi-tenant auth) → Safe Boundary proxy (tenant injection) → PostgreSQL
Spectral Core — Established 2004 · Microsoft Partner · Google Partner · ISO 27001 Certified
Tenant isolation is the hardest problem in multi-tenant SaaS
One tenant seeing another's data is a company-ending event. It almost never happens because of
a malicious actor — it happens because a developer forgot WHERE tenant_id = ?, or an AI agent generated SQL without tenant
context, or a new engineer missed the convention.
PostgreSQL's native RLS is the right concept but painful at production scale — sequential scans, 11x+ degradation, timeouts on multi-table joins. Teams disable RLS and trust the app layer — where leaks happen.
-- RLS in dev looks fine; in prod it evaluates per row:
CREATE POLICY tenant_isolation ON orders
USING (tenant_id = current_setting('app.tenant_id')::uuid);How Safe Boundary enforces tenant isolation
Proxy-layer RLS
Safe Boundary injects the tenant condition before PostgreSQL. The planner sees a normal WHERE and uses indexes.
-- Application or AI agent sends:
SELECT * FROM orders WHERE status = 'pending'
-- Safe Boundary rewrites to:
SELECT * FROM orders
WHERE status = 'pending'
AND tenant_id = '8f3a2c91-...' -- from authenticated sessionMissing tenant condition detection
Query touches a multi-tenant table but has no tenant filter? Choose: auto-inject, block with a clear error, or alert (audit-only rollout).
Missing index detection
Inspect plans for tenant-scoped queries; get the exact CREATE INDEX before production
pain.
Benchmark
| Scenario | PostgreSQL native RLS | Safe Boundary proxy RLS |
|---|---|---|
| 1M rows, tenant filter | 340 ms | 28 ms |
| 10M rows, 1,000 tenants | Timeout | 31 ms |
| 3-table join, RLS on all | Timeout | 44 ms |
Internal benchmarks. Hardware: 4 vCPU / 16 GB RAM PostgreSQL 16. Results vary by query complexity and data distribution.
Safe Boundary is the rare security product that makes your database faster.
AI agents and multi-tenancy
An LLM that gets tenant scope right 99% of the time will eventually emit an unscoped query. Safe Boundary enforces deterministically at the database — every query, every time.
First-class AI agent identity
Named agents with scoped policies — example configuration:
agent: recommendation-engine
allowed_tables:
- products (SELECT)
- order_history (SELECT)
- users (SELECT: id, tier)
tenant_scope: enforced
max_rows_per_query: 500Violations: blocked. Allowed queries: full audit — agent, tenant, outcome.
Pricing for Multi-Tenant SaaS
| Shield | Pro | Enterprise | |
|---|---|---|---|
| Price | $149/db/mo | $499/db/mo ($4,490/db/yr) | $899/db/mo ($8,490/db/yr) |
| Tenant isolation | Block-only | ✓ Proxy RLS | ✓ Proxy RLS |
| Tenant condition auto-inject | — | ✓ | ✓ |
| Missing index detection | — | ✓ | ✓ |
| AI agent identity | — | ✓ | ✓ |
| VPC deployment | — | ✓ | ✓ |
| SOC 2 evidence | — | — | ✓ |
Start path: Shield for SQL injection blocking. Pro for proxy-layer RLS and tenant enforcement. Enterprise for 10+ databases or SOC 2. Expansion revenue follows tenant and database growth.