SaaS built for paying customers and corporate-scale tenancy.

Two named platforms still running. DM3 is our own multi-tenant monitoring SaaS, live since February 2024 across every Strata Logic client. BusinessLink runs for multiple enterprise corporate groups with hundreds of employees across multiple companies — that's the whole reason it's built multi-tenant. Same architecture pattern, two scales. Project-quoted.

What SaaS development actually does

Multi-tenant SaaS is what you build when one platform has to serve more than one customer with strict separation between their data. The architecture decisions get made up front: tenancy model (per-company versus per-user), how isolation is enforced (route middleware versus per-tenant database versus shared-schema-with-scoping), role hierarchy across Super Admin / Company Admin / Customer / Employee, branding overrides per tenant, batch onboarding for hundreds of users at a time, deliverability posture for transactional email. The catalogue of off-the-shelf SaaS frameworks won't carry a corporate group that wants per-company branding, hundreds of employees onboarded in one CSV upload, and a Super Admin layer that sees every company without leaking data between them. The unglamorous parts — token rotation, audit trails the GDPR/POPIA reviewer reads, rate-limited public endpoints, deliverability posture — are what make the platform credible for paying customers.

Engagements

DM3

Strata Logic's own SaaS monitoring platform. Aggregates 10+ external APIs into a unified dashboard for every client website; live since February 2024. Laravel 11 + Livewire 3 + PostgreSQL. Per-tenant data isolation enforced by user-property middleware. Spatie Permission across Admin / Reseller / Client. 21 database models, 25 Livewire components.

BusinessLink

Multi-company digital business card platform serving multiple enterprise corporate groups. QR + NFC delivery; batch CSV import for hundreds of employees per group; Laravel 11 + Livewire 3. Super Admin / Company Admin / Employee role hierarchy via Spatie Permission; data isolation enforced at the query level; branding overrides per company. The multi-tenant architecture is the whole reason the platform exists.

How we approach SaaS projects

  1. Discovery

    Tenancy model decided early — single-tenant, multi-tenant per company, multi-tenant per user. Three different shapes; getting this wrong is what kills SaaS rebuilds two years in. Stakeholder workshops covering: who's paying, who's using, who sees what, who can act on whose data, and what regulatory scope the platform operates under.

  2. Architecture

    Tenancy enforcement strategy named: route-layer middleware, per-tenant DB connections, or shared schema with eager-scoping. Role hierarchy designed against the actual organisational shape (corporate groups need at least 3 tiers — Super Admin, Company Admin, Employee). Authentication strategy (Jetstream + 2FA + Sanctum for API tokens) and authorisation (Spatie Permission with route-level guards). API surface scoped: webhooks-out, public read endpoints with rate limits, admin-only internal endpoints.

  3. Integration

    External APIs the platform aggregates (DM3 aggregates 10+: Google Analytics, Search Console, PageSpeed, Facebook Ads, SSL, DMARC, WHOIS, uptime, cPanel). Each integration gets a caching strategy (per-website cache keys with TTLs sized to the data: 1 hour for cPanel email, 24 hours for SSL/WHOIS/DMARC) and a get/put pattern that doesn't lock failed API calls into the dashboard. Webhooks-in (for incoming notifications) get a dedicated queue and retry posture.

  4. Handover

    Per-role training (Super Admin / Company Admin / Employee). Documentation covering the tenancy model, the data isolation guarantee, and the runbook for adding new tenants in production. Operational handoff includes the monitoring posture — uptime checks, error rates per tenant, queue depth, cache hit ratios. Cutover is scheduled against the corporate calendar (never month-end, never the day before an audit).

  5. Maintenance

    Separate enterprise retainer. Quarterly tenancy-isolation audit — confirming no leaks have been introduced through new features. Patch cycles scheduled per-tenant when impact is per-tenant, platform-wide when impact is structural. DM3 has been running on this maintenance posture since February 2024.

Common questions about SaaS development

What scale of multi-tenancy do you handle?
BusinessLink serves multiple enterprise corporate groups, each with multiple companies and hundreds of employees per company onboarded via batch CSV import. DM3 runs the entire Strata Logic client book — every client website we manage is a tenant. The scale isn't "Series-A SaaS" scale; it's "the entire operations of corporate groups" scale. Either end works; we've shipped both.
How is tenant isolation enforced?
Default approach is user-property middleware on every tenant-scoped route. The middleware checks the authenticated user's tenancy before any data fetch happens — isolation enforced before the data layer is touched. Spatie Permission handles the role hierarchy on top. BusinessLink enforces isolation at the query level via global scopes; DM3 enforces it via route middleware. Both work; the choice depends on how often the platform needs to break tenancy for legitimate admin operations.
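The two enforcement styles named in this answer, sketched side by side as an added example (not DM3 or BusinessLink code). The class names, the `company_id` column and the `{company}` route parameter are assumptions; `Scope`, `addGlobalScope` and `hasRole` are the standard Laravel and Spatie Permission APIs.

```php
<?php
// Added illustration. Class names, company_id and {company} are assumptions.
namespace App\Tenancy;
use Closure;
use Illuminate\Database\Eloquent\{Builder, Model, Scope};
use Illuminate\Http\Request;

// Query-level isolation: every query on a tenant-owned model gets a company filter.
class CompanyScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $user = auth()->user();
        if ($user === null) {
            // Fail closed: no authenticated user (queue job, console) means no rows.
            $builder->whereRaw('1 = 0');
            return;
        }
        if ($user->hasRole('Super Admin')) {
            return; // the one deliberate cross-tenant view
        }
        $builder->where($model->qualifyColumn('company_id'), $user->company_id);
    }
}

// Tenant-owned models only; on the User model auth()->user() would re-enter the scope.
trait BelongsToCompany
{
    protected static function bootBelongsToCompany(): void
    {
        static::addGlobalScope(new CompanyScope());
    }
}

// Route-level isolation: compare the URL's tenant id with the user's own
// property and refuse before any tenant data is fetched.
class EnsureUserBelongsToCompany
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        $routeCompany = $request->route('company'); // raw id; no model binding assumed
        if ($user === null || (string) $user->company_id !== (string) $routeCompany) {
            abort(404); // 404 rather than 403: do not confirm the tenant exists
        }
        return $next($request);
    }
}
```

With the scope approach, each legitimate cross-tenant operation has to opt out explicitly through `withoutGlobalScope(CompanyScope::class)`, which gives an isolation audit a single string to search for.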
Do you build the billing layer?
We integrate with billing systems; we don't build payment infrastructure from scratch. For platforms with paying customers, we'll integrate Stripe, PayFast (the SA-local default), or whichever billing provider the customer already uses. The billing layer is a separate engagement scoped after the core platform is shipped.
What's the stack?
Laravel 11 + Livewire 3 + Spatie Permission across both DM3 and BusinessLink. PostgreSQL for DM3; BusinessLink uses base64 asset storage in the application database so logos and QR codes are self-contained (one deployment, one backup target, no external file storage to provision). Jetstream + Sanctum for auth. QRCode.js client-side for BusinessLink's QR generation. The stack is intentionally boring — boring stack means boring maintenance.
How do batch onboarding flows work?
CSV import with real-time progress tracking. BusinessLink onboards hundreds of employees in a single CSV upload — the platform processes each row, creates the user record, generates the digital profile and QR code automatically, and shows progress on screen as it runs. No row-by-row admin work after the upload completes. Same architecture would handle paying-customer onboarding at similar scale.
What about security?
2FA on admin accounts via Jetstream. CSRF protection on every state-changing request. Rate-limited public endpoints (5 login attempts per minute per email+IP on BusinessLink). PNG upload validation by magic bytes, not just file extension. Audit-grade logging on every tenant-scoped action. Token rotation on API surfaces. The security posture is part of the architecture, not bolted on at the end.
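What "validation by magic bytes" can look like, as an added example in plain PHP (not BusinessLink's code). The function name and the 4096-pixel limit are assumptions, and both sample inputs are constructed.

```php
<?php
// Added illustration; function name and size limit are assumptions.
const PNG_SIGNATURE = "\x89PNG\r\n\x1a\n";

/**
 * Returns [width, height] when the file begins with a well-formed PNG header,
 * otherwise null. The file name and client-supplied MIME type are never consulted.
 */
function png_dimensions_or_null(string $path, int $maxSide = 4096): ?array
{
    // 8-byte signature + 4 length + 4 type + 13 IHDR data + 4 CRC = 33 bytes.
    $head = @file_get_contents($path, false, null, 0, 33);
    if ($head === false || strlen($head) < 33) {
        return null;
    }
    if (substr($head, 0, 8) !== PNG_SIGNATURE) {
        return null;
    }
    $c = unpack('Nlength/a4type/Nwidth/Nheight', substr($head, 8, 16));
    if ($c['length'] !== 13 || $c['type'] !== 'IHDR') {
        return null; // the first chunk of a PNG must be a 13-byte IHDR
    }
    // The chunk CRC-32 covers type + data (bytes 12..28) and is stored big-endian.
    $storedCrc = unpack('N', substr($head, 29, 4))[1];
    if (crc32(substr($head, 12, 17)) !== $storedCrc) {
        return null;
    }
    if ($c['width'] < 1 || $c['height'] < 1 || max($c['width'], $c['height']) > $maxSide) {
        return null; // reject empty or oversized images before decoding anything
    }
    return [$c['width'], $c['height']];
}

// Constructed sample inputs: a minimal valid header and a script renamed to .png.
$ihdr = 'IHDR' . pack('NNC5', 120, 120, 8, 6, 0, 0, 0);
$samples = [
    'logo.png'    => PNG_SIGNATURE . pack('N', 13) . $ihdr . pack('N', crc32($ihdr)),
    'renamed.png' => "<?php echo 'not an image';",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'png');
    file_put_contents($tmp, $bytes);
    printf("%s: %s\n", $name, png_dimensions_or_null($tmp) ? 'accepted' : 'rejected');
    unlink($tmp);
}
```

A header check rejects renamed files but says nothing about the bytes after the header; re-encoding the upload through an image library before storing it is the stronger control.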

Two multi-tenant SaaS platforms in production. DM3 is our own — live since February 2024, aggregating ten-plus external API integrations into a single dashboard per client. BusinessLink runs for multiple enterprise corporate groups, each handling hundreds of employees across multiple companies with per-company branding and batch CSV onboarding. Multi-tenancy at scale isn't a feature you bolt on; it's the architecture you start from. Both platforms have been running through every patch cycle the team has shipped — no churn, no second-quarter rewrite.
