Per‑tenant isolation, by design.
Separate databases, queues, and storage for every customer—clear data boundaries for privacy, performance, and compliance.
What "isolation" means here
Separate Database
PostgreSQL schemas/DBs per tenant with strict connection scoping.
Dedicated Queues
Redis queues per workflow; cross‑tenant traffic cannot mix.
Segregated Storage
Object storage with bucket/prefix strategy and signed access.
Tenant‑scoped Config
SMTP, OAuth, LLM keys, and retention policies per tenant.
Why it matters
Reduces blast radius, simplifies audits, and supports data‑residency commitments.
Architecture Overview
Requests hit the API, which resolves the tenant from the request's subdomain and issues tenant‑scoped connections to the DB, Redis, and storage. Workers subscribe only to tenant‑specific queues. SSE streams for live status are bound to a single tenant. Admin actions are audit‑logged without PII.
Diagram components: Client; Edge/Router; API; Tenant DB (PostgreSQL); Tenant Redis (Queues & Cache); Tenant Storage (Object Storage); Workers (Tenant Queues → SSE).
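The subdomain-to-tenant binding described above is the step the isolation model depends on, so it should fail closed. The following is an added example, not the product's own code; the base domain, tenant registry, and the naming scheme for databases, queue keys, and storage prefixes are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

BASE_DOMAIN = "app.example.com"  # assumption: tenants live at <slug>.app.example.com
# Constructed registry; a real deployment would load this from a control-plane store.
TENANTS = {"acme": "t_0001", "globex": "t_0002"}
SLUG_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?")


class TenantError(Exception):
    """Raised when a request cannot be bound to exactly one known tenant."""


@dataclass(frozen=True)
class TenantScope:
    tenant_id: str
    db_name: str          # hypothetical naming scheme for all three resources
    queue_prefix: str
    storage_prefix: str

    def queue_key(self, workflow: str) -> str:
        # Workflow names are validated so they cannot smuggle in another prefix.
        if not re.fullmatch(r"[a-z0-9_]{1,32}", workflow):
            raise TenantError("invalid workflow name")
        return f"{self.queue_prefix}{workflow}"

    def owns(self, key: str) -> bool:
        # Worker-side check: refuse any key outside this tenant's namespace.
        return key.startswith((self.queue_prefix, self.storage_prefix))


def resolve_tenant(host_header: str) -> TenantScope:
    host = host_header.strip().lower()
    host = host.rsplit(":", 1)[0] if ":" in host else host  # drop the port
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        raise TenantError("host outside base domain")
    slug = host[: -len(suffix)]
    # Exactly one label: rejects "a.b", the empty string, and odd characters.
    if not SLUG_RE.fullmatch(slug):
        raise TenantError("malformed tenant label")
    tenant_id = TENANTS.get(slug)
    if tenant_id is None:
        raise TenantError("unknown tenant")  # never fall back to a default tenant
    return TenantScope(tenant_id, f"tenant_{tenant_id}",
                       f"q:{tenant_id}:", f"tenants/{tenant_id}/")
```

The trailing delimiter in each prefix matters: without it, a tenant id that is a string prefix of another would pass the `owns` check for the other tenant's keys.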
Security Controls (TOMs)
🔐 Auth & RBAC
Tenant roles (Admin/Recruiter/User); enforced per request.
🛡️ Network Safety
SSRF protection, input validation, rate‑limiting; TLS everywhere.
🔒 Encryption
AES‑256‑GCM at rest; AES‑256‑CBC for credentials; HMAC state signing for OAuth.
📋 Logs
No PII in logs; audit trail at 70+ points with retention policies.
Data Lifecycle & Retention
Configurable Retention
30–365 days (configurable)
Nightly Purge
Automated removal of expired CV data
Right to Erasure
Covers primary data and attachments
BYO‑LLM Routing
🔒 Data Control
We never send data to a model unless you configure a provider.
🌍 Provider Choice
You choose provider and region (OpenAI, Anthropic, Groq, or local via Ollama for on‑prem).
🔍 PII Protection
Prompts minimize PII; redaction available before prompt.
Note: Air‑gapped installs run local models only.
Operations & Scale
Automated Provisioning
Subdomain routing and tenant setup
Resource Controls
Connection pools, worker concurrency per tenant
Health & Metrics
Monitoring at tenant and worker level
Compliance Mapping
Quick references
GDPR Art. 5(1)(c) Minimisation
PII‑light prompts; no PII in logs.
Art. 25 Privacy by Design
Isolation boundaries and default protections.
Art. 32 Security of Processing
Encryption, RBAC, rate‑limits, SSRF protections.
Art. 30/44 Transfers
BYO‑LLM gives regional control of model traffic.
Frequently Asked Questions
Is data ever co‑mingled across tenants?
No—separate DB/queues/storage.
Can we choose data region?
SaaS: EU‑friendly options. On‑prem: your infrastructure.
How do you audit access?
Every admin action is logged (no PII) and attributable to a user and tenant.
Does isolation affect performance?
Positively—no noisy‑neighbor effect across tenants.