1.2.1 Tenants — Isolation, Domains, and Data Boundaries
Praisma Hub is designed as a multi-tenant, enterprise-grade SaaS platform. Each tenant represents a fully independent customer environment, typically corresponding to a municipality, public organization, agency, or enterprise client. The tenant is the highest isolation boundary within the platform and forms the foundation for security, compliance, scalability, and operational governance.
This section explains how tenants are defined, how isolation is enforced across technical layers, how domains are resolved, and how strict data boundaries are guaranteed at all times.
Tenant Definition and Scope
A tenant in Praisma Hub is a logically and technically isolated environment that contains everything required for an organization to operate independently within the shared platform infrastructure.
Each tenant includes:
A dedicated database or database schema, depending on deployment strategy
An isolated file storage namespace for media, documents, exports, and backups
Tenant-specific configuration, quotas, and feature entitlements
Its own users, roles, permissions, and internal organizations
Its own CMS content, analytics data, inbox messages, surveys, workflows, and logs
Although all tenants share the same application codebase and infrastructure, no application-level data is shared between tenants. All business data is strictly scoped to the active tenant context.
This design allows Praisma Hub to safely host multiple municipalities or organizations on shared infrastructure without risking data leakage or unauthorized access.
Tenant Isolation Model
Tenant isolation in Praisma Hub is enforced through multiple complementary layers. Isolation is not dependent on a single mechanism but is embedded throughout the platform architecture.
Application-Level Isolation
At the application layer, every incoming request is resolved within an explicit tenant context. This context is determined using:
The incoming domain or subdomain
The authenticated user session and its tenant binding
Tenant resolution middleware and routing rules
Once the tenant context is resolved:
All database queries are automatically scoped to the active tenant
All service modules (CMS, Media Center, Inbox, Analytics, Planner, Datacenter, etc.) operate strictly within that tenant
Background jobs, queues, scheduled tasks, and event handlers execute with tenant awareness
Architectural conventions and shared base traits ensure that developers cannot accidentally access data belonging to another tenant.
Database Isolation
Praisma Hub supports both tenant-per-database and tenant-per-schema models, depending on scale, hosting strategy, and compliance requirements.
Key characteristics include:
Each tenant’s data is stored in a fully isolated database or schema
No foreign keys, joins, or implicit references exist across tenants
Backups, restores, imports, and exports are executed on a per-tenant basis
Data retention, deletion, and archival policies can be applied per tenant
This model aligns with public-sector and enterprise requirements for data sovereignty, auditability, and compliance with AVG/GDPR.
Storage Isolation
All file-based assets in Praisma Hub are isolated per tenant, including:
Uploaded media assets such as images, documents, and videos
Generated files such as reports, exports, and PDFs
Backup archives and long-term storage snapshots
Temporary processing and cache files
Each tenant operates within its own storage namespace or bucket prefix. Access credentials, signed URLs, and lifecycle rules are scoped accordingly.
Domain and Access Model
Tenants in Praisma Hub are accessed through dedicated domains. The platform supports multiple domain strategies:
A central application domain (for example app.praismahub.com) for authenticated editorial and administrative access
Tenant-specific subdomains (for example municipality.praismahub.com)
Custom domains owned by the tenant (for example www.municipality.nl) for public-facing websites
Domains are used to:
Resolve and enforce the correct tenant context
Apply correct session and cookie scoping
Separate public website traffic from administrative access
Support secure authentication and authorization flows
Typically, public websites are served via tenant-specific or custom domains, while administrators and editors access the system through the central application domain.
Data Boundaries and Guarantees
A core design principle of Praisma Hub is strict data boundary enforcement. This guarantees that:
Content created within one tenant is never visible to another tenant
Users belong to a single tenant unless explicitly granted cross-tenant administrative privileges
Analytics, inbox messages, surveys, logs, and reports are fully tenant-scoped
Configuration, settings, feature flags, and quotas are isolated per tenant
This enables independent onboarding and offboarding, tenant-specific audits, and safe parallel operation of multiple organizations.
Tenant Lifecycle Management
Each tenant in Praisma Hub follows a clearly defined lifecycle:
Provisioning – Creation of the tenant environment, database, storage, and baseline configuration
Configuration – Domain setup, feature activation, role assignment, and quota configuration
Operation – Daily usage by editors, administrators, and automated platform processes
Scaling – Adjustment of storage limits, performance characteristics, or enabled modules
Archival or Decommissioning – Secure export, backup retention, and controlled removal at contract end
This lifecycle approach ensures predictable operations and clear contractual boundaries.
Compliance and Governance
The tenant architecture directly supports common government and enterprise compliance requirements:
AVG/GDPR – Data ownership, isolation, retention, and deletion guarantees
BIO / ENSIA – Controlled access boundaries and auditable environments
WCAG governance – Tenant-level responsibility for accessible content
Archiving obligations – Tenant-scoped exports and long-term preservation
Because tenants are fully isolated, audits and assessments can be performed per tenant without impacting others on the platform.