SHAPING
isolating tenant context

Multi-tenant, done the hard way. On purpose.

Physical database isolation per customer, row-level security enforced in CI, immutable audit, and region pinning at the infrastructure layer. Four sketches of how it actually fits together.

Isolation Physical
Orchestrator Coolify
SOC 2 Type I Q3 2026
09 · Compliance

The tenancy model, in four views.

Sketch 01 · Architecture layers

A stack view. The founder talks to Shakeeb. Shakeeb talks to the control plane. The control plane asks Coolify to spin up a real Postgres, owned by one customer, living on its own. No tenant_id column. No shared schema.

Layer 1 · Founder Human builder · talks to Shakeeb in natural language Layer 2 · Gnesis control plane Shakeeb orchestration · auth · tenant resolver · billing Every request enters here. Tenant is bound to the JWT. Nothing downstream runs without tenant context. Layer 3 · Coolify provisioner Infrastructure control plane · provisions, migrates, backs up per-tenant DBs New customer signs up. Coolify spins up a dedicated Postgres instance, in the right region, with its own credentials. Layer 4 · Per-tenant Postgres fleet · physical isolation TENANT_A TENANT_B TENANT_C TENANT_D TENANT_E one DB per customer pinned to region
Cream band · cream content surface
Ink · control plane + DB core
Sky · infrastructure layer
Stone · boundaries

Sketch 02 · Request flow

A single request, followed end to end. The tenant is resolved once, attached to the session, and enforced twice: once at the application query layer, and again at the database with row-level security. The CI gate makes sure no query slips out without tenant context.

Step 01 Request HTTPS hits Gnesis edge. JWT includes tenant_id. Step 02 Auth + resolver Verify signature. Resolve tenant. Bind to session context. Step 03 Query layer ORM attaches tenant scope. Routes to the right DB URL. Step 04 · Gate RLS policy Postgres checks current_tenant. Drops query if context missing. Step 05 Per-tenant DB Physical Postgres. No other tenant's rows exist in this DB at all. CI audit gate Rejects any query missing a tenant scope at build time. append-only Immutable audit log Tenant actions · billable events · admin changes
Green · CI audit gate
Warn · RLS enforcement point
Ink · system-of-record nodes

Sketch 03 · Region residency

Customer data is pinned to the region where it was provisioned. EU data stays in EU infrastructure. Middle East data stays in Middle East infrastructure. The control plane is shared, but it only holds metadata and routing, never customer rows.

Shared control plane · metadata only Auth · tenant registry · billing · orchestration No customer rows live here. Only which tenant, which region. EU Region · Frankfurt EU_01 EU_02 EU_03 EU_04 EU_05 more GDPR applies · right-to-be-forgotten by DB drop. Middle East Region · UAE ME_01 ME_02 ME_03 ME_04 more Data residency at infra layer · no cross-region replication. no crossing
Sky · EU region boundary
Warn · ME region boundary
Ink · shared control plane (metadata only)

Sketch 04 · Compliance overlays

Same stack, with the compliance surfaces drawn on top. Every enforcement point is wired to a control, and every control is wired to a gate in CI or deployment. SOC 2 Type I audit in Q3 2026 is evidence collection, not net-new work.

Founder Gnesis control plane Coolify provisioner Per-tenant Postgres fleet A B C D E F One Postgres per customer. Separate creds. Separate backups. Separate region. RLS audit gate · CI Query context enforced Build fails on a query that lacks tenant scope. Immutable audit log Append-only · WORM Tenant actions · billable events · admin changes. Region residency Per-DB region pin EU and Middle East supported at the infra layer. GDPR deletion Right-to-be-forgotten DB drop + export. Clean because isolation is physical. SOC 2 Type I · Q3 2026 Controls mapped to CI Evidence collection, not net-new work.
Green · CI-enforced control
Ink · system-of-record
Sky · infra-layer control
Danger · GDPR path
Tenancy + Compliance · six pillars

What backs the claim.

Per-tenant Postgres

Physical isolation, not a shared schema with tenant_id. Coolify-provisioned DB per customer.

Row-Level Security

Enforced at the database layer. Every query carries a tenant context. CI has an RLS audit gate.

GDPR deletion

Shipped workflows for right-to-be-forgotten, data export, and consent tracking.

Immutable audit log

Append-only tenant actions, billable events, admin changes.

SOC 2 Type I

Target Q3 2026. Controls already mapped to current CI and deployment gates.

Region residency

Customer data pinned per tenant DB. EU and Middle East regions supported at infra layer.

Enterprise buyers will not sign for shared-tenant AI-built apps. This is the unlock.
09 · Compliance
Confidential · 2026 Seed Round
10 / 25