Designing Multi-Tenant Architecture for a Travel SaaS

The multi-tenant challenge

When we decided to package Roukit as a SaaS product, the biggest architectural decision was multi-tenancy. Each customer needs to feel like they're running their own platform — their own domain, their own branding, their own data — while sharing the same underlying infrastructure.

This is harder than it sounds, especially for a platform that handles payments, personal data, and supplier relationships.

Our approach: shared infrastructure, isolated data

We chose a shared-database, isolated-data model using PostgreSQL Row-Level Security (RLS). Every table that contains tenant-specific data has an RLS policy that filters by tenant ID. This means:

• Queries are automatically scoped — application code doesn't need to remember to filter by tenant. The database enforces it.
• Cross-tenant data leaks are structurally impossible — even if application code has a bug, RLS prevents one tenant from seeing another's data.
• Shared tables work naturally — reference data like countries, currencies, and activity categories are shared across tenants without duplication.

White-label branding

Each tenant can configure:

• Custom domain — their marketplace runs on their own domain, not a Roukit subdomain.
• Brand colors and logo — the entire UI adapts to the tenant's brand identity.
• Email templates — transactional emails come from the tenant's domain with their branding.
• Content and copy — landing pages, category names, and marketing copy are tenant-specific.

The rendering layer detects the tenant from the incoming domain and applies the correct configuration before any page renders. This happens at the edge, so there's no performance penalty.

Payment isolation

Each tenant connects their own Stripe or PayPal account. Payments flow directly from the traveler to the tenant — Roukit never holds customer funds. This simplifies compliance and gives tenants full control over their revenue.

Platform fees are handled through Stripe Connect, which manages the split between the tenant's revenue and Roukit's platform fee automatically.

What we learned

The biggest lesson: multi-tenancy decisions are hard to change later. Getting RLS policies, domain routing, and payment isolation right from the start saved us from painful migrations. If you're building a SaaS product that handles sensitive data, invest in tenant isolation early. The cost of retrofitting is much higher than building it in from day one.