Platform Engineering · Multi-tenant SaaS Governance

Multi-tenant isolation, blast-radius mapped, audit-chained.

30 synthetic tenants across T1 Enterprise / T2 Mid / T3 SMB tiers · 6 boundary-anomaly patterns · isolation control matrix · ed25519-signed cross-tenant audit chain. The buyer-diligence surface that B2B SaaS vendors hand to enterprise procurement.

30 · Total tenants · synthetic Helix Cloud Platform
8 · T1 Enterprise · dedicated DB + RLS
1 · RLS-missing tenants · blast radius = SHARED
9 · Open audit findings · cross-tenant access events

Tenant inventory — Helix Cloud Platform

30 synthetic tenants across T1 Enterprise / T2 Mid / T3 SMB tiers. 1 tenant is RLS-missing (Mariner Coffee — critical), 1 tenant is partial-RLS (Zenith). 4 audit findings currently open across cross-tenant access events, token replay, DR-drill mount, partial RLS.

| Tenant | Tier | Blast radius | Isolation controls | Status | Users | Findings |
|---|---|---|---|---|---|---|
| AcmeCorp Industries | T1 Enterprise | Dedicated | Dedicated DB + dedicated schema + RLS | Complete | 4,421 | |
| Globex Holdings | T1 Enterprise | Dedicated | Dedicated DB + dedicated schema + RLS | Complete | 8,712 | |
| Northwind Federal | T1 Enterprise | Dedicated | Dedicated DB + dedicated schema + RLS + dedicated KMS | Complete | 12,104 | |
| Pinnacle Health Systems | T1 Enterprise | Dedicated | Dedicated DB + RLS + HIPAA-aligned encryption boundary | Complete | 6,809 | |
| Quincy Maritime | T1 Enterprise | Dedicated | Dedicated DB + dedicated schema + RLS | Complete | 3,122 | |
| Ravenwood Defense | T1 Enterprise | Dedicated | Air-gapped dedicated infra + dedicated network segment | Complete | 1,804 | |
| Sapphire Insurance | T1 Enterprise | Dedicated | Dedicated DB + RLS | Complete | 4,988 | 1 open |
| TriCity Bank | T1 Enterprise | Dedicated | Dedicated DB + RLS + dedicated KMS | Complete | 7,211 | |
| Vector Bio Diagnostics | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 2,104 | |
| Whitestone Pharma | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 1,772 | |
| Yellowstone Logistics | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 988 | |
| Zenith Manufacturing | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + partial RLS | Partial RLS | 1,145 | 1 open |
| Apex Sports Media | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 612 | |
| Beacon Energy | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 1,488 | |
| Citadel Hospitality | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 778 | |
| Delta Legal Holdings | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS + privilege-tier | Complete | 411 | |
| Edenfield Real Estate | T2 Mid | Schema-isolated | Shared DB + per-tenant schema + RLS | Complete | 644 | |
| Fenway Education Network | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 122 | 2 open |
| Granite Trade | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 88 | 1 open |
| Highland Property Co | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 67 | |
| Indigo Studios | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 144 | |
| Junction Robotics | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 92 | |
| Karma Wellness Co | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 78 | 1 open |
| Lyric Bookstores | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 41 | |
| Mariner Coffee | T3 SMB | Shared-prefix | Shared DB + shared-prefix only — RLS DISABLED | RLS MISSING | 88 | 3 open |
| NovaWave Apparel | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 56 | |
| Olympia Print Co | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 39 | |
| Plumeria Spa Group | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 67 | |
| Quanta Auto Parts | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 78 | |
| Riverstone Bistro | T3 SMB | Shared-prefix | Shared DB + shared-prefix only | Shared-prefix only | 22 | |

Boundary anomalies — 6 patterns

B2B SaaS multi-tenant isolation fails in 6 distinct ways: RLS removed during a migration, partial RLS on newer tables, cross-tenant queries by privileged support staff, JWT replay across tenants, shared resources without per-tenant namespacing, and DR-drill cross-mounts.

RLS missing — shared DB exposure

Mariner Coffee · row-level security disabled

Mariner Coffee (T3 SMB) is on the shared SaaS DB cluster with shared-prefix isolation BUT row-level-security policy was removed during a recent migration. Any application bug or SQL injection could surface cross-tenant rows. Re-enable RLS within 24h.

SOC 2 CC6.1 · Blast radius CRIT · 3 findings open

Partial RLS — gap in enforcement

Zenith Manufacturing · 4 of 9 tables missing RLS

Zenith Manufacturing has RLS on critical tables (customers, invoices, payments) but 4 newer tables (telemetry events, feature flags, audit logs, billing notifications) were created without RLS. Backfill RLS policies + add CI gate.

SOC 2 CC6.1 · ISO 27001 A.13

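One way to build the CI gate called for in the two RLS findings above (RLS removed during a migration for Mariner Coffee, newer tables created without RLS for Zenith), as an added example that is not code from this page or the Helix platform. It assumes PostgreSQL DDL syntax; the function name, table definitions and the `app.tenant_id` setting are constructed for illustration.

```javascript
// Assumes PostgreSQL DDL; migrations are replayed in the order given.
function findRlsGaps(migrations) {
  const tables = new Map(); // table -> { rls: boolean, policies: Set<string> }
  const norm = (name) => name.replace(/"/g, '').toLowerCase();
  const get = (name) => {
    const key = norm(name);
    if (!tables.has(key)) tables.set(key, { rls: false, policies: new Set() });
    return tables.get(key);
  };
  const rules = [
    [/^create\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)/i, (m) => get(m[1])],
    [/^drop\s+table\s+(?:if\s+exists\s+)?([\w."]+)/i, (m) => tables.delete(norm(m[1]))],
    [/^alter\s+table\s+(?:only\s+)?([\w."]+)\s+(enable|disable)\s+row\s+level\s+security/i,
      (m) => { get(m[1]).rls = m[2].toLowerCase() === 'enable'; }],
    [/^create\s+policy\s+([\w"]+)\s+on\s+([\w."]+)/i, (m) => get(m[2]).policies.add(norm(m[1]))],
    [/^drop\s+policy\s+(?:if\s+exists\s+)?([\w"]+)\s+on\s+([\w."]+)/i,
      (m) => get(m[2]).policies.delete(norm(m[1]))],
  ];
  for (const sql of migrations) {
    const statements = sql.replace(/--.*$/gm, '').split(';').map((s) => s.trim());
    for (const stmt of statements) {
      const hit = rules.find(([re]) => re.test(stmt));
      if (hit) hit[1](hit[0].exec(stmt));
    }
  }
  // A table passes only if RLS ends up enabled and at least one policy remains.
  return [...tables]
    .filter(([, t]) => !t.rls || t.policies.size === 0)
    .map(([table, t]) => ({ table, reason: t.rls ? 'no-policy' : 'rls-disabled' }))
    .sort((a, b) => a.table.localeCompare(b.table));
}

// Constructed migrations mirroring the two findings (table names are illustrative).
const SAMPLE_MIGRATIONS = [
  `CREATE TABLE customers (id bigint, tenant_id uuid);
   ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
   CREATE POLICY tenant_isolation ON customers
     USING (tenant_id = current_setting('app.tenant_id')::uuid);`,
  `CREATE TABLE telemetry_events (id bigint, tenant_id uuid); -- created without RLS
   CREATE TABLE feature_flags (id bigint, tenant_id uuid);
   ALTER TABLE feature_flags ENABLE ROW LEVEL SECURITY; -- enabled, but no policy yet`,
  `ALTER TABLE customers DISABLE ROW LEVEL SECURITY; -- removed during a migration`,
];
```

A non-empty result from `findRlsGaps(SAMPLE_MIGRATIONS)` is what fails the build; a static scan like this complements, and does not replace, a catalog check against the live database.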
Cross-tenant data-access event

Internal admin queried wrong tenant rows

Internal support admin support-eng@helix.cloud queried AcmeCorp customer table via shared support tool but session context was for Globex. SOC 2 CC6.7 violation. Auto-escalate + force re-justification.

SOC 2 CC6.7 · Lateral access · Open finding

Token reuse across tenants

JWT issued for T1 reused on T2 endpoint

Single JWT issued for Northwind Federal session was replayed against Zenith Manufacturing API endpoint. Token validation accepted because tenant_id wasn't bound to JWT payload. Add JWT aud claim binding + reject mismatched tenant.

OWASP A01:2021 · Token replay · Boundary breach

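The remediation named in this finding, shown as an added example (not code from this page or the Helix platform): a signature-only verifier beside one that binds the token to the tenant through the `aud` claim. The HS256 secret, the `tenant:` audience prefix and the tenant slugs used with it are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value for the example
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();
const nowSec = () => Math.floor(Date.now() / 1000);

// Mint an HS256 token whose aud claim names the one tenant it is valid for.
function issueToken(sub, tenantId, ttlSec = 300, now = nowSec()) {
  const signingInput = `${b64u({ alg: 'HS256', typ: 'JWT' })}.` +
    b64u({ sub, aud: `tenant:${tenantId}`, exp: now + ttlSec });
  return `${signingInput}.${mac(signingInput).toString('base64url')}`;
}

// Signature and header check shared by both verifiers; returns the claims.
function checkSignature(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const got = Buffer.from(sig, 'base64url');
  const want = mac(`${head}.${body}`);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('bad signature');
  }
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Weak form from the finding: a valid signature is accepted on any tenant's endpoint.
function verifySignatureOnly(token) {
  return checkSignature(token);
}

// Hardened form: the tenant is taken from the route, never from the token,
// and the token's aud must name exactly that tenant.
function verifyForTenant(token, routeTenantId, now = nowSec()) {
  const claims = checkSignature(token);
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.aud !== `tenant:${routeTenantId}`) throw new Error('tenant mismatch');
  return claims;
}
```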
Shared resource without isolation

Redis cluster shared without per-key namespacing

Cache layer (Redis Cluster, 4 nodes) is shared across all T3 SMB tenants without per-tenant key namespacing. Keys like session:user_42 can clash. Surface as audit finding even if no exploit observed — failure mode is silent data poisoning.

ISO 27001 A.13.1 · Architecture risk

Backup snapshot cross-mount

T2 backup mounted in T1 restore drill

During DR drill, a Whitestone Pharma (T2) backup snapshot was accidentally mounted into Pinnacle Health Systems (T1) staging environment for 14 minutes before being unmounted. No data was queried but the mount event is in the audit chain. HIPAA-relevant for Pinnacle.

HIPAA §164.312(a)(1) · DR drill · 14-min exposure

Isolation control matrix

Each isolation control has a binary state (active/missing) and a coverage scope (which tenants are protected). T1 Enterprise gets the full stack — dedicated DB, dedicated KMS, dedicated VPC peering. T2 Mid gets schema-level isolation + RLS. T3 SMB gets RLS + shared-prefix only. The gap that becomes a buyer finding is when T3 isolation degrades silently (a missing RLS policy on a new table, a Redis cluster without namespacing).

| Control | Status | Coverage | Refresh / SLA | Note |
|---|---|---|---|---|
| RLS policy on tenants_isolation_check | Active | 32 tenants · 30 enforced | Refresh interval 60s | All Tier1+Tier2 PASS |
| JWT tenant_id binding | Active | all sessions audited | Last incident 14d ago | 1 false positive in 30d |
| Per-tenant KMS key | T1 Only | 8/8 T1 tenants | | T2/T3 use shared KMS |
| Network segmentation (VPC peering) | T1 Only | 8/8 T1 tenants | Refresh on tenant change | T2/T3 share single VPC |
| Per-tenant audit-stream | Active | 30/30 tenants | <1s lag p99 | ed25519-signed |
| Cross-tenant access alerts | Active | 1 open finding | Trigger: same JWT, 2 tenant_id | Auto-PagerDuty |
| Tenant deletion grace (30d) | Active | 0 in grace | | Tombstone + scheduled purge |
| Shared resource namespace check | Partial | Redis MISSING | CI gate available | Fix in roadmap |

Tenant boundary audit chain

Every event that touches a tenant boundary — RLS policy missing, cross-tenant access, token replay, DR-drill mount, KMS rotation, VPC peering validation, tenant lifecycle — is hash-chained. Buyer-side diligence teams can verify the chain in their own environment via the audit_chain_verify MCP tool.

Audit chain · Every cross-tenant access (intended or accidental) becomes a verifiable event. ed25519-signed.
2026-06-02T15:12:48Z | tenant.boundary.cross-access-detected | support-eng → AcmeCorp rows while session=Globex | …c2a811
2026-06-02T15:08:22Z | tenant.isolation.rls-policy-missing | Mariner Coffee · customers table | …f409a1
2026-06-02T14:55:01Z | tenant.isolation.token-replay-blocked | JWT from Northwind → Zenith API endpoint | …8b2204
2026-06-02T14:48:13Z | tenant.boundary.dr-mount-event | Whitestone backup mounted to Pinnacle stage (14min) | …1d77c0
2026-06-02T14:31:42Z | tenant.isolation.policy-applied | Zenith Manufacturing · RLS on telemetry_events | …a4b8e2
2026-06-02T14:11:09Z | tenant.audit.kms-rotation | Northwind Federal · dedicated KMS key rotated | …5e9c11
2026-06-02T13:42:51Z | tenant.isolation.vpc-peering-validated | Pinnacle Health · dedicated VPC verified isolated | …f1024a
2026-06-02T13:18:08Z | tenant.lifecycle.created | (new) Indigo Studios provisioned at T3 SMB tier | …2d09bc
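How a buyer-side check of a hash-chained, ed25519-signed log can work, as an added example that is not the `audit_chain_verify` tool or any code from this page. The record layout, the SHA-256 chaining rule and the freshly generated key pair are assumptions; the sample events reuse four entries from the list above.

```javascript
const crypto = require('node:crypto');

// Assumed record layout (not the page's wire format): { ts, type, detail, prev, hash, sig }.
const GENESIS = '0'.repeat(64);
const digest = (prev, e) => crypto.createHash('sha256')
  .update(JSON.stringify([prev, e.ts, e.type, e.detail])).digest('hex');

// Append an event: link it to the previous hash, then sign the new hash with ed25519.
function appendEvent(chain, event, privateKey) {
  const prev = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const hash = digest(prev, event);
  const sig = crypto.sign(null, Buffer.from(hash, 'hex'), privateKey).toString('base64');
  return [...chain, { ...event, prev, hash, sig }];
}

// Walk the chain oldest-first; return the index of the first bad record, or -1 if intact.
function verifyChain(chain, publicKey) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const rec = chain[i];
    if (rec.prev !== prev) return i; // link broken: record removed or reordered
    if (digest(prev, rec) !== rec.hash) return i; // content edited after signing
    const sigOk = crypto.verify(null, Buffer.from(rec.hash, 'hex'), publicKey,
      Buffer.from(rec.sig, 'base64'));
    if (!sigOk) return i; // hash recomputed by someone without the signing key
    prev = rec.hash;
  }
  return -1;
}

// Constructed sample: fresh key pair, events taken from the list above.
function buildSampleChain() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const events = [
    { ts: '2026-06-02T14:48:13Z', type: 'tenant.boundary.dr-mount-event',
      detail: 'Whitestone backup mounted to Pinnacle stage (14min)' },
    { ts: '2026-06-02T14:55:01Z', type: 'tenant.isolation.token-replay-blocked',
      detail: 'JWT from Northwind → Zenith API endpoint' },
    { ts: '2026-06-02T15:08:22Z', type: 'tenant.isolation.rls-policy-missing',
      detail: 'Mariner Coffee · customers table' },
    { ts: '2026-06-02T15:12:48Z', type: 'tenant.boundary.cross-access-detected',
      detail: 'support-eng → AcmeCorp rows while session=Globex' },
  ];
  const chain = events.reduce((acc, e) => appendEvent(acc, e, privateKey), []);
  return { chain, publicKey };
}
```

Dropping records from the tail leaves a shorter but still valid chain, so a verifier also needs the latest hash from a channel the log's operator does not control.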

Why this surface exists

When an enterprise buyer evaluates a multi-tenant B2B SaaS vendor, the question is no longer "are you SOC 2 Type II?" (that's table stakes); it's "show me the evidence that another tenant's bug or insider cannot reach my data." This surface is the vendor's pre-built answer to that question, in the same shape as the Trust Center evidence rooms and Security Posture public artifacts.

Buyer: B2B SaaS CTOs · Platform leads · CISOs at vendors selling to enterprise buyers who run vendor-isolation diligence.

Regulatory anchors: SOC 2 Type II CC6.1/CC6.6/CC6.7 · ISO 27001 A.13.1 · NIST 800-53 SC-4/SC-7 · GDPR Art 32 · CCPA · HIPAA Security Rule §164.312(a)(1) · PCI DSS scope segregation.

KG Suite tie-back: Every operator decision on this surface emits an audit-stream event (hash-chained, ed25519-signable). Vault-contract data classification follows the Decision Card v0.3 pattern (data_vault_targets + retention_envelope). Incident escalations match the AI Incident Card profile shape. Evidence bundles align with the AI Evidence Format spec.

Static-only doctrine: No backend. No login. No telemetry. All synthetic data is baked into this HTML page as JavaScript constants. Nothing leaves the tab. Frame as readiness / evidence / posture / controls / scaffolding — never "compliant" or "certified" without an externally-attested audit.