How we isolate one tenant's financial data from another's.

If you run billing for other companies, you hold the most sensitive data they have: what they charge, who they charge, and how much money moves. Multi-tenant means that data sits in shared infrastructure. The whole job is making sure one tenant can never see another's.

Isolation is enforced server-side, not by the client

Your organization identity is set server-side at the gateway and forced into every database query. Clients never assert their own org, so one tenant cannot read another's data.

That's the load-bearing sentence, so it's worth unpacking what it does and doesn't claim. The org a request belongs to is decided at the gateway from the authenticated session — not read from anything the client sends. Every query the service issues is then filtered by that gateway-injected org. A caller cannot widen their own scope, because they never get to state their scope in the first place.
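The following is an added illustration of that sentence, not Summance's own code: a gateway that decides the org from the server-side session alone, a scope object the service cannot construct itself, and a repository whose every query is filtered by that scope. The session table, invoice rows, header and query names are all constructed for the example.

```python
"""Added example (not Summance's code): tenant scope decided at the gateway
from the authenticated session and injected into every query, so an org id
supplied by the client is never consulted. Session store, rows and gateway
are constructed stand-ins."""
from dataclasses import dataclass, field

# Constructed session store: session id -> org the session was issued for.
SESSIONS = {"sess-alice": "org-a", "sess-bob": "org-b"}

# Constructed invoice table shared by both tenants (multi-tenant storage).
INVOICES = [
    {"id": 1, "org_id": "org-a", "customer": "Acme", "amount_cents": 1200},
    {"id": 2, "org_id": "org-b", "customer": "Globex", "amount_cents": 9900},
    {"id": 3, "org_id": "org-a", "customer": "Initech", "amount_cents": 450},
]


@dataclass(frozen=True)
class Request:
    cookies: dict
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass(frozen=True)
class TenantContext:
    """Immutable scope attached by the gateway; handlers never build one."""
    org_id: str


class Unauthenticated(Exception):
    pass


def gateway_resolve_tenant(req: Request) -> TenantContext:
    """Derive the org from the server-side session only.

    Whatever the client says about its org (header, query parameter) is
    ignored outright rather than validated, so there is nothing to widen.
    """
    sid = req.cookies.get("session")
    org = SESSIONS.get(sid)
    if org is None:
        raise Unauthenticated("no valid session")
    return TenantContext(org_id=org)


class InvoiceRepository:
    """Every query takes the gateway context and filters by its org_id."""

    def __init__(self, rows):
        self._rows = rows

    def list_invoices(self, ctx: TenantContext):
        return [r for r in self._rows if r["org_id"] == ctx.org_id]

    def get_invoice(self, ctx: TenantContext, invoice_id: int):
        # Filter by org before id: another tenant's id reads as "not found",
        # not as a permission error, so existence does not leak across orgs.
        for r in self._rows:
            if r["org_id"] == ctx.org_id and r["id"] == invoice_id:
                return r
        return None


def handle_list(req: Request, repo: InvoiceRepository):
    ctx = gateway_resolve_tenant(req)
    return repo.list_invoices(ctx)


def handle_get(req: Request, repo: InvoiceRepository, invoice_id: int):
    ctx = gateway_resolve_tenant(req)
    return repo.get_invoice(ctx, invoice_id)


if __name__ == "__main__":
    repo = InvoiceRepository(INVOICES)
    # Client claims org-b via header and query string; the session says org-a.
    spoof = Request(cookies={"session": "sess-alice"},
                    headers={"X-Org-Id": "org-b"}, query={"org": "org-b"})
    print([r["id"] for r in handle_list(spoof, repo)])   # [1, 3]
    print(handle_get(spoof, repo, 2))                     # None
```

The point of the shape is that `TenantContext` is the only way into the repository and only the gateway produces one, so a forgotten filter is a type error at the call site rather than a silent cross-tenant read.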

Identity and access

Sign-in is OIDC + PKCE via Zitadel, with server-side sessions, signed tokens, and hardened cookies. On top of gateway-enforced identity, relationship-based permissions — the Google-Zanzibar model — separate platform, tenant, and organization roles before any privileged action.
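To make the relationship-based part concrete, here is an added example (not Summance's or Zitadel's code) of a small Zanzibar-style tuple store with a check function that gates a privileged action. The tuples, the rewrite rules, the group and the role names are constructed; in particular it is an assumption of the example that an org admin relation can be reached through the org's parent tenant while a platform role by itself grants nothing on an org.

```python
"""Added example (not Summance's or Zitadel's code): a Zanzibar-style
relation-tuple store with check(), used to gate a privileged action.
Tuples, rewrite rules and role names are constructed for the example."""
from collections import defaultdict

# Relation tuples: (object, relation, subject). A subject is a user
# ("user:alice") or a userset ("group:ops#member"), as in Zanzibar.
TUPLES = [
    ("platform", "admin", "user:root"),
    ("tenant:t1", "admin", "group:ops#member"),
    ("group:ops", "member", "user:carol"),
    ("org:org-a", "tenant", "tenant:t1"),
    ("org:org-a", "admin", "user:alice"),
    ("org:org-a", "member", "user:dave"),
    ("org:org-b", "admin", "user:bob"),
]

# Constructed userset rewrites keyed by (object type, relation):
# "union" lists other relations on the same object that also satisfy this
# one; "via" follows a parent relation and checks a relation on the parent.
REWRITES = {
    ("org", "viewer"): {"union": ["member", "admin"]},
    ("org", "admin"): {"via": [("tenant", "admin")]},
}


class RelationStore:
    def __init__(self, tuples):
        self._index = defaultdict(set)
        for obj, rel, subj in tuples:
            self._index[(obj, rel)].add(subj)

    def check(self, obj: str, relation: str, user: str, _depth=0) -> bool:
        if _depth > 8:  # guard against cyclic tuple graphs
            return False
        subjects = self._index.get((obj, relation), set())
        if user in subjects:
            return True
        # Userset subjects: "group:ops#member" means everyone with that relation.
        for subj in subjects:
            if "#" in subj:
                s_obj, s_rel = subj.split("#", 1)
                if self.check(s_obj, s_rel, user, _depth + 1):
                    return True
        obj_type = obj.split(":", 1)[0]
        rules = REWRITES.get((obj_type, relation), {})
        for other in rules.get("union", []):
            if self.check(obj, other, user, _depth + 1):
                return True
        for parent_rel, needed in rules.get("via", []):
            for parent in self._index.get((obj, parent_rel), set()):
                if self.check(parent, needed, user, _depth + 1):
                    return True
        return False


class Forbidden(Exception):
    pass


def void_invoice(store: RelationStore, user: str, org_id: str, invoice_id: int) -> str:
    """Privileged action: requires the admin relation on this org, nothing else."""
    if not store.check(f"org:{org_id}", "admin", user):
        raise Forbidden(f"{user} is not admin of org:{org_id}")
    return f"invoice {invoice_id} of {org_id} voided by {user}"


if __name__ == "__main__":
    store = RelationStore(TUPLES)
    print(store.check("org:org-a", "admin", "user:carol"))   # True, via tenant t1
    print(store.check("org:org-b", "admin", "user:carol"))   # False, other tenant
    print(store.check("org:org-a", "viewer", "user:root"))   # False, platform role
```

Because the check is always "does this user hold this relation on this object", a platform operator, a tenant administrator and an org member are distinct tuples rather than levels on one ladder, which is what keeps the three roles separate in front of a privileged call.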

Secrets and transit

Vault is the single source of truth for secrets; they reach services only through Kubernetes secret references, and no credentials live in source control. TLS secures every request at the gateway.

Two honest notes, because the details matter. Transport security is TLS at the gateway — that's the boundary we terminate. And key rotation today is a manual re-mint, not an automated schedule. We'd rather state that than imply more.

Where we are on compliance

On certifications — SOC 2, PCI-DSS, ISO 27001, HIPAA — not yet. We're early, and these are on the roadmap. Ask us where we are and we'll tell you straight.

Run it inside your own boundary

If shared infrastructure isn't acceptable for your data, you can run Summance fully on-prem, where every data component stays inside your network and financial data never leaves your infrastructure.

The full security story is on the Security page.