Arinit

Legal & Compliance

Multi-Tenant SaaS Platform

Designed and built a multi-tenant document management SaaS from scratch. Row-level security, real-time collaboration, and SOC 2 compliance.

Tags: web, Next.js, Supabase, PostgreSQL, TypeScript, Stripe, S3
SOC 2 compliant (Type II audit passed)

The challenge

The client needed a secure document management platform for regulated industries — law firms, accounting practices, and healthcare providers. Multi-tenancy was critical: each organization's data must be completely isolated, with SOC 2 Type II compliance as a launch requirement.

The platform needed real-time collaboration (multiple users editing documents simultaneously), granular role-based access control, and a billing system supporting per-seat pricing with annual contracts.

Our approach

We designed a PostgreSQL Row-Level Security (RLS) multi-tenancy model — tenant isolation enforced at the database level, not just in the application. Every tenant-scoped table carries RLS policies that restrict each query to the current tenant's rows, so a bug in application code (such as a missing WHERE clause) still cannot return another tenant's data.

For real-time collaboration, we leveraged Supabase Realtime for presence awareness and Tiptap for collaborative rich-text editing with conflict resolution.

Key technical decisions:

  • Supabase with PostgreSQL RLS for database-level tenant isolation
  • Tiptap Editor for collaborative document editing with real-time sync
  • Chose NOT to build our own auth — Supabase Auth with SAML SSO for enterprise tenants
  • Per-seat Stripe billing with metered usage for storage overage

What we built

A SOC 2 compliant document management platform serving 200+ organizations:

  • Multi-tenant architecture with PostgreSQL RLS (zero cross-tenant data leaks)
  • Real-time collaborative document editor with presence indicators
  • Role-based access: Owner, Admin, Editor, Viewer with granular permissions
  • Per-seat Stripe billing with annual contracts and storage metering
  • Full audit trail logging every document access, edit, and share
  • SAML SSO integration for enterprise clients
  • Automated backup with point-in-time recovery

Technology stack

Frontend

Next.js 14, React 18, TypeScript, Tailwind CSS, Tiptap Editor

Backend

Supabase, PostgreSQL (RLS), Edge Functions, Stripe, Resend

Infrastructure

Supabase Cloud, AWS S3, CloudFront, Vercel, GitHub Actions

Timeline

Week 1-3: Architecture. Multi-tenancy strategy, RLS policies, auth flows, compliance requirements.

Week 4-8: Core Platform. Document management, real-time collaboration, role-based access control.

Week 9-11: Billing & Admin. Stripe billing with per-seat pricing, admin dashboard, audit logging.

Week 12-14: Security & Compliance. Penetration testing, encryption at rest, audit trail, SOC 2 preparation.

Week 15-16: Launch. Beta program with 20 orgs, feedback iteration, public launch.

Key learnings

PostgreSQL RLS was more powerful than application-level tenancy

Row-level security at the database layer means that even a bug in application code can't leak data between tenants. At the start of every request we set the app.tenant_id session setting to the authenticated user's tenant, and the RLS policies compare each row against current_setting('app.tenant_id'); the application's queries need no tenant filter of their own. Zero cross-tenant data leaks since launch.
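The pattern described above and in "Our approach", written out as an added example. This is not the platform's own schema: the table name, columns, role name and the app_tenant_id() helper are illustrative assumptions; the only element taken from the page is the app.tenant_id setting read with current_setting().

```sql
-- Added example, not the platform's schema. Illustrates PostgreSQL RLS tenant
-- isolation keyed on a per-request setting named app.tenant_id.
-- Table, columns, role and helper function names are assumptions.

CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL,
    body      text
);

-- Enable RLS, and FORCE it so the table owner is not silently exempt.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Read the tenant id the application set for this transaction.
-- current_setting(name, true) returns NULL instead of raising when the setting
-- is undefined, and nullif() turns the empty string left behind after a
-- transaction-local setting expires into NULL as well. NULL never compares
-- equal, so a request that forgot to set the tenant sees zero rows rather
-- than every tenant's rows.
CREATE FUNCTION app_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.tenant_id', true), '')::uuid
$$;

-- One policy for every command. USING filters rows that can be read, updated
-- or deleted; WITH CHECK constrains rows being inserted or produced by an
-- update, so a row can never be written into another tenant's partition.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    USING      (tenant_id = app_tenant_id())
    WITH CHECK (tenant_id = app_tenant_id());

-- The application connects as a role that does not own the table, is not a
-- superuser and does not have BYPASSRLS; only such roles are subject to RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- Constructed walkthrough with two tenants (values are made up).
-- Tenant A writes a document:
BEGIN;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);  -- is_local = true
INSERT INTO documents (tenant_id, title)
    VALUES (app_tenant_id(), 'Tenant A engagement letter');
COMMIT;

-- Tenant B runs an unfiltered query, as buggy application code might.
-- RLS applies the policy implicitly, so Tenant A's row is not returned.
BEGIN;
SELECT set_config('app.tenant_id',
                  '22222222-2222-2222-2222-222222222222', true);
SELECT id, title FROM documents;          -- 0 rows
-- An attempt to write a row tagged with Tenant A's id fails the WITH CHECK
-- clause with "new row violates row-level security policy".
INSERT INTO documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'should be rejected');
ROLLBACK;

-- A request that never set the tenant (setting undefined or expired) sees
-- nothing, which is the safe default.
SELECT count(*) FROM documents;           -- 0
```

Two details matter in production. First, set the tenant with set_config(..., true) or SET LOCAL inside the request's transaction, not with a session-wide SET; behind a connection pooler a session-level value would survive into the next request on the same connection and hand that request the previous tenant's rows. Second, the value passed to set_config must come from the verified session or token, never from a request parameter, since RLS only isolates as well as the tenant id it is given.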

Supabase Realtime made collaboration features trivial

Implementing real-time document presence (who's viewing what) and live cursor positions took 2 days instead of the 2 weeks we estimated. Supabase's Realtime channels + Broadcast handled the complexity.
