Multi-Tenancy
The ability of software to manage multiple legally separate organisations (tenants) within a single system with strict data separation.
Multi-tenancy describes a software architecture in which a single application instance serves multiple independent customers — referred to as tenants — while ensuring complete logical separation of their data and configurations. Each tenant has their own dedicated data space, user management, and settings, but all tenants share the same underlying infrastructure and application code. This model enables efficient resource utilisation and centralised maintenance without compromising the privacy or security of individual tenants.
In the context of compliance software, multi-tenancy is particularly significant because it allows organisations such as consulting firms, corporate groups, or franchise networks to manage multiple legally separate entities within a single platform. Each entity (tenant) can maintain its own compliance documentation, risk registers, policies, and audit trails — completely isolated from other tenants. The system administrator can manage all tenants from a central console while each tenant's users only see their own data.
Multi-tenancy must be distinguished from simple user-role separation. In a truly multi-tenant architecture, the data isolation is enforced at the technical and architectural level — not merely through access controls. This is essential for GDPR compliance when personal data of employees from different companies is processed in the same system. A robust multi-tenant compliance platform provides the foundation for shared service centre models, law firm tools, and holding company structures where compliance management is centralised but operationally separated.
Legal Basis
GDPR Art. 25 (Data protection by design), Art. 32 (Security of processing); ISO 27001 (Access control, A.9); BSI IT-Grundschutz (SYS and APP modules)
Practical Example
A compliance consulting firm advises ten mid-sized clients on GDPR and information security compliance. Rather than maintaining ten separate software instances, the firm uses a multi-tenant compliance platform. Each client is set up as an independent tenant with their own branding, user accounts, and data rooms. The firm's consultants can switch between tenants using a central dashboard, while each client's employees only access their own tenant. When a client requests a data export for a regulatory audit, the platform generates a report that contains only that client's data — with no risk of cross-contamination with other tenants' information.
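The difference between isolation left to access checks and isolation built into the architecture, and its effect on the per-client export described above, can be shown in a short added example (not code from any real platform). It assumes a database-per-tenant design as one possible isolation mechanism, since the page names none; the tenant names, table layout and function names are hypothetical and the sample data is constructed.

```python
import sqlite3

# Constructed sample data: two tenants of a hypothetical compliance platform.
SAMPLE = [
    ("client_a", "Unencrypted laptop backups"),
    ("client_a", "Missing processor agreement"),
    ("client_b", "Shared admin password"),
]

def build_shared_db():
    """Weak design: one table for all tenants, separation left to each query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE risks (tenant TEXT, title TEXT)")
    db.executemany("INSERT INTO risks VALUES (?, ?)", SAMPLE)
    return db

def build_isolated_dbs():
    """Isolated design (assumed): one database per tenant, no tenant column to forget."""
    dbs = {}
    for tenant, title in SAMPLE:
        if tenant not in dbs:
            dbs[tenant] = sqlite3.connect(":memory:")
            dbs[tenant].execute("CREATE TABLE risks (title TEXT)")
        dbs[tenant].execute("INSERT INTO risks VALUES (?)", (title,))
    return dbs

def export_shared(db, tenant, buggy=False):
    """Export from the shared table; buggy=True models a forgotten tenant filter."""
    if buggy:
        rows = db.execute("SELECT title FROM risks ORDER BY title")
    else:
        rows = db.execute(
            "SELECT title FROM risks WHERE tenant = ? ORDER BY title", (tenant,))
    return [r[0] for r in rows]

def export_isolated(dbs, tenant):
    """Export from the tenant's own database; the same unfiltered query stays scoped."""
    rows = dbs[tenant].execute("SELECT title FROM risks ORDER BY title")
    return [r[0] for r in rows]

def leaked_rows(export, tenant):
    """Audit check: titles in an export that do not belong to the tenant."""
    own = {title for t, title in SAMPLE if t == tenant}
    return [title for title in export if title not in own]
```

Running `leaked_rows` over every generated export is a cheap regression check for cross-tenant contamination, whichever isolation mechanism the platform uses.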