Multi-tenant isolation your legal team can explain

GoFER Team

  • Architecture
  • Security
  • Multi-tenant

Buying AI support tools is easy. Explaining where customer data lives to your legal team is harder.

GoFER is multi-tenant by design: each customer workspace maps to isolated storage paths—not a single shared table where row-level security is the only fence.

What “multi-tenant” should mean in 2026

Approach | Trade-off
Shared DB, shared tables | Cheap to run; painful to audit
Shared DB, schema per tenant | Stronger isolation; migrations must scale
Dedicated resources per large tenant | Maximum isolation; higher ops cost

GoFER targets the middle path operators can explain on a whiteboard: tenant-scoped schemas and caches, with an API that never assumes a global namespace.

Stack you can reason about

The Core API is Go + Postgres + Redis—boring on purpose:

  • Postgres holds conversations, contacts, knowledge chunks, and billing metadata with tenant-scoped queries.
  • Redis backs real-time session state and rate limits without hammering the database.
  • Open API means your internal tools, Zapier flows, or custom dashboards do not require screen-scraping an admin UI.
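An added example, not GoFER's own code: one way a Go API can make tenant scope mandatory, deriving the Postgres schema and the Redis key prefix from a validated tenant ID and failing closed when no scope is attached to the request. The `tenant_` schema prefix, the `t:` key prefix, the ID format and every function name here are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
)

// Assumption: tenant IDs are lowercase slugs; anything else is rejected early.
var tenantIDRe = regexp.MustCompile(`^[a-z][a-z0-9_]{2,31}$`)
var ErrNoTenant = errors.New("request has no tenant scope")

type ctxKey struct{} // unexported, so other packages cannot forge a scope

// Scope carries the only namespaces a handler is allowed to touch.
type Scope struct{ Schema, CachePrefix string }

// NewScope validates the tenant ID and derives both namespaces from it.
func NewScope(id string) (Scope, error) {
	if !tenantIDRe.MatchString(id) {
		return Scope{}, fmt.Errorf("invalid tenant id %q", id)
	}
	return Scope{Schema: `"tenant_` + id + `"`, CachePrefix: "t:" + id + ":"}, nil
}

// Table qualifies a table name chosen in code (never taken from request input).
func (s Scope) Table(name string) string { return s.Schema + "." + name }

// Key prefixes a cache key so two tenants can never share an entry.
func (s Scope) Key(k string) string { return s.CachePrefix + k }

// WithScope attaches the scope resolved during authentication.
func WithScope(ctx context.Context, s Scope) context.Context {
	return context.WithValue(ctx, ctxKey{}, s)
}

// FromContext fails closed: no scope means no query, not a global default.
func FromContext(ctx context.Context) (Scope, error) {
	s, ok := ctx.Value(ctxKey{}).(Scope)
	if !ok {
		return Scope{}, ErrNoTenant
	}
	return s, nil
}

func main() {
	s, err := NewScope("acme_support") // constructed tenant ID
	fmt.Println(s.Table("conversations"), s.Key("session:42"), err)
}
```

Handlers that can only obtain table names and cache keys through a `Scope` have no code path that reaches a global namespace, which is what an auditor checks for on the non-happy paths.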

When a prospect asks “Can we self-host?” or “Where is data stored?”, you get crisp answers—not “trust our black box.”

Isolation is not only about storage

Isolation also means blast radius:

  • A crawl job for Tenant A must not starve Tenant B’s chat latency.
  • An admin action in the platform console must not leak into tenant dashboards.
  • API keys and webhooks are scoped to the workspace that minted them.

GoFER’s admin surface (platform operators) and tenant surface (your customers’ teams) follow separate auth paths for that reason.

Human handoff still needs boundaries

Even perfect isolation fails if humans mishandle exports. GoFER helps with:

  • Role-based access inside a workspace (who can see billing vs. chats)
  • Audit-friendly conversation history
  • Configurable retention and export before cancellation

Your DPA should describe your obligations as controller; our docs describe GoFER as processor acting on your instructions.

Questions to ask any vendor (including us)

  1. How is tenant ID enforced on every API call—not only the happy path?
  2. Can you show a diagram of data flow for WhatsApp → storage → CRM sync?
  3. What happens to data within 30 days of account closure?
  4. Is there a path to regional storage if you expand beyond one market?

We publish plain-language security and privacy pages for exactly these conversations.

When dedicated tenancy makes sense

High-volume or regulated customers sometimes need dedicated schemas or deployments. GoFER’s enterprise path exists for that—not because every small shop needs it, but because your largest account might.

See it in your own workspace

Spin up a free workspace, create a second test tenant if your plan allows, and confirm conversations never cross wires. That five-minute test saves weeks of vendor security theatre later.
