Schema-per-tenant vs shared-schema, data residency choices, SAS-token blob access — the architecture decisions behind PeopleVizio, from our CTO.
We chose schema-per-tenant on PostgreSQL (Azure Flexible Server) after evaluating shared-schema, separate-database, and fully-isolated-tenant options.
Schema-per-tenant gives us the right trade-off: strong logical isolation, efficient shared pooling, per-tenant backups, and a clean mental model. Domain-based tenant resolution via HTTP header routing keeps application code tenant-agnostic.
Blob storage uses SAS tokens scoped by tenant path, with short TTLs. This way, even a compromised web tier can't access cross-tenant documents: the token simply isn't valid for another tenant's path.
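The path-scoping check described above, as an added example that is not PeopleVizio's code and not Azure's SAS format: a simplified HMAC-signed token bound to one tenant prefix and an expiry, with the edge cases a prefix check has to survive. The tenant names, the key and the `issue_token` / `authorize` helpers are constructed for illustration.

```python
import hashlib
import hmac
import posixpath
import re
import time
from typing import Optional

# Constructed demo key. In Azure the storage service validates the SAS
# signature itself; this stand-in only models the scope and expiry check.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _sign(prefix: str, expires: int) -> str:
    msg = f"{prefix}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(tenant_id: str, ttl_seconds: int, now: Optional[float] = None) -> dict:
    """Mint a token bound to one tenant's path prefix and a short expiry."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", tenant_id):
        raise ValueError("tenant id must not contain path characters")
    now = time.time() if now is None else now
    prefix = f"/{tenant_id}/"  # trailing slash stops 'acme' matching 'acme-evil'
    expires = int(now) + ttl_seconds
    return {"prefix": prefix, "expires": expires, "sig": _sign(prefix, expires)}


def authorize(token: dict, blob_path: str, now: Optional[float] = None) -> bool:
    """Return True only if the token is authentic, unexpired and covers blob_path."""
    now = time.time() if now is None else now
    expected = _sign(token["prefix"], token["expires"])
    if not hmac.compare_digest(expected, token["sig"]):
        return False  # prefix or expiry was altered after signing
    if now >= token["expires"]:
        return False  # short TTL limits how long a leaked token is useful
    # Normalise first so '/acme/../globex/x' is judged as '/globex/x'.
    normalized = posixpath.normpath("/" + blob_path.lstrip("/"))
    return normalized.startswith(token["prefix"])
```

The isolation holds only if the tenant id passed to the issuer comes from the already-resolved tenant context, never from a path or parameter supplied in the request.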