How do you handle multi-tenancy?

Row-level security at the database, organisation IDs on every table, foreign keys that enforce the boundary. Not a WHERE clause in a server action — the data plane refuses to return another tenant's row even if the application tries. Holds up in a security review. Scales to enterprise tenants without re-architecture.

Stripe vs Paddle vs LemonSqueezy?

Stripe by default — best webhook hygiene, best dunning, best dispute flow. Paddle if you need a Merchant of Record for global VAT. LemonSqueezy for indie scale where MoR matters more than feature surface. Picked on the call, wired with real webhooks, real failed-card retries, real refunds. Not a checkout link.

Can we offer free trials and enterprise plans?

Both. Free trials with card-required or no-card, grace periods, automatic downgrade. Enterprise plans with custom pricing, invoiced billing, net-thirty terms, signed order forms. Self-serve and sales-led on the same data model. No second product to bolt on at Series B.

What about white-labelling for resellers?

Custom domains per tenant, per-tenant theming, per-tenant email sender. Resellers see their brand, end-users see the reseller. The reseller billing layer sits on top of the per-tenant Stripe customer. Audit trail tracks which seat belongs to which reseller. Built in, not bolted on.

You. Your repo, your Supabase, your Stripe, your Vercel, your domains. No Canarlo SaaS in the loop. Plain TypeScript, no proprietary runtime, no licence fees. Any competent engineer can read the diff and extend it. The whole point is you walk away from us when you no longer need us.

Solutions · SaaS · Canarlo

SaaS development by Canarlo

Next.js 16, Supabase, TypeScript. Multi-tenant from the first commit. Stripe wired to real webhooks, RLS enforced at the row, audit on every privileged write. Shipped to your cloud, your code, your data — the part Shopify-app builders forget.

Book a 20-min call Send a brief

Who this is for

Founders moving off no-code who need multi-tenant from day one
Bubble billed per workspace. The per-seat maths broke past forty tenants. We rebuild the product on Postgres with RLS — tenant isolation enforced at the row, not hidden in the page.
Teams with a wedge product ready to add subscription billing and roles
A free tool with traction. Now Stripe needs wiring, roles need enforcing, audit needs logging. We bolt the production layer on without throwing away the wedge that earned the users.
Technical founders replacing a brittle MVP with a platform ready for real customers
The MVP shipped on a deadline. It has no migrations, no RLS, no rate limits — and the next funding round will read the code. We rewrite the foundation, keep the surface, document the runbook.

What we ship

Multi-tenant authentication with row-level isolation (RLS)
Subscription billing via Stripe (plans, trials, proration, dunning)
Admin dashboard with tenant + user management
User roles and permissions
Audit log for every privileged action

Foundations

What’s included in every build

Authentication with MFA
Email, magic link, password reset, TOTP. Every login event logged with IP and user agent. Roles enforced at the database, not just hidden in the React tree.
RLS-backed data isolation
Tenant boundary enforced at the row. A misrouted query returns nothing — never another tenant's table. Holds up the moment a customer pastes in real data.
Payments + Stripe
Real webhooks, dunning, proration on plan change, grace periods, refunds. Billing portal your customer service team will not have to email Stripe to operate.
Search, filters, pagination
Full-text plus trigram fuzzy matching in Postgres. Page size clamped, cursor pagination, indexed at the database layer. No Algolia bill, no third service to keep alive.
Audit logging
Every privileged write captured with actor, target, before and after state. The trail an enterprise procurement team asks for in week one of diligence.
Observability
Structured JSON logs with sensitive fields redacted. Sentry wired before launch. Latency and error-rate dashboards live day one — not retrofitted after the first outage.
CI/CD + deployment previews
Every pull request gets a live URL. Tests run on every push, type-check and lint gate merges. Deploys are a button, rollback is a button.
Deployment to your cloud (Vercel + Supabase)
Your Vercel team, your Supabase project, your domains, your keys. We deploy with your credentials and walk off at handover. No agency-held infrastructure.

Recent build

Case study
Real-time scoring platform
A subscription scoring platform for a competitive league with sixty thousand members. Multi-tenant from day one, custom scoring, leaderboards, Stripe wired to real webhooks, an admin tool the founder runs without us. Shipped in ten weeks, profitable in month two.
Read case study →
Case study
Specialist recruitment platform
A recruitment platform matching candidates to specialist roles. Multi-tenant practice accounts, role-based access, audit on every privileged write. Built in fourteen weeks. Twelve thousand active users in month one. They own the code, the schemas, the eval set.
Read case study →

Tech stack

Next.js 16
Supabase (Postgres + RLS + Edge Functions)
TypeScript
Stripe (billing, subscriptions, webhooks)
Vercel (hosting, preview deploys)

Our process

How we work

Step 1
01
Discovery
One scoping call, then a written brief. Tenant model, billing rules, role matrix, failure modes — on the page. Two weeks. No workshops, no decks.
Step 2
02
Architecture
Schema, API surface, build plan. The data model, the security boundary, the integration points named. Two weeks. You sign off before a line is written.
Step 3
03
Build
Eight to twelve weeks. Weekly demo on a real preview URL. Eighteen security patterns enforced by default. You can read the diff every Friday.
Step 4
04
Ship
Deploy to your cloud, transfer keys, walk through the runbook. A handover doc that names the failure mode and the on-call step. Not a goodbye email.
Step 5
05
Forge Care
Optional retainer — security patches, dependency updates, continued feature work. From £500 a month. Same engineer. Cancel any time.

Parent service: Web Apps

Pricing

Fixed fee, scope written down before billing starts. £25k buys a single-tenant MVP with the foundations in full. £60k buys multi-tenant from day one with Stripe, roles, and an admin tool. £100k buys the production engagement — workspaces, SSO, audit, a year of schema headroom.

Full pricing rationale and cost breakdown: How much does AI engineering cost?

Frequently asked

How do you handle multi-tenancy?
Row-level security at the database, organisation IDs on every table, foreign keys that enforce the boundary. Not a WHERE clause in a server action — the data plane refuses to return another tenant's row even if the application tries. Holds up in a security review. Scales to enterprise tenants without re-architecture.
Stripe vs Paddle vs LemonSqueezy?
Stripe by default — best webhook hygiene, best dunning, best dispute flow. Paddle if you need a Merchant of Record for global VAT. LemonSqueezy for indie scale where MoR matters more than feature surface. Picked on the call, wired with real webhooks, real failed-card retries, real refunds. Not a checkout link.
Can we offer free trials and enterprise plans?
Both. Free trials with card-required or no-card, grace periods, automatic downgrade. Enterprise plans with custom pricing, invoiced billing, net-thirty terms, signed order forms. Self-serve and sales-led on the same data model. No second product to bolt on at Series B.
What about white-labelling for resellers?
Custom domains per tenant, per-tenant theming, per-tenant email sender. Resellers see their brand, end-users see the reseller. The reseller billing layer sits on top of the per-tenant Stripe customer. Audit trail tracks which seat belongs to which reseller. Built in, not bolted on.
Who owns the code?
You. Your repo, your Supabase, your Stripe, your Vercel, your domains. No Canarlo SaaS in the loop. Plain TypeScript, no proprietary runtime, no licence fees. Any competent engineer can read the diff and extend it. The whole point is you walk away from us when you no longer need us.

A multi-tenant SaaS that holds up in diligence.

Twenty-minute call to scope the work. Proposal in your inbox inside forty-eight hours.

Book a 20-min call Send a brief

Solutions · SaaS · Canarlo

SaaS development by Canarlo

Book a 20-min call Send a brief

Who this is for

Founders moving off no-code who need multi-tenant from day one
Bubble billed per workspace. The per-seat maths broke past forty tenants. We rebuild the product on Postgres with RLS — tenant isolation enforced at the row, not hidden in the page.
Teams with a wedge product ready to add subscription billing and roles
A free tool with traction. Now Stripe needs wiring, roles need enforcing, audit needs logging. We bolt the production layer on without throwing away the wedge that earned the users.
Technical founders replacing a brittle MVP with a platform ready for real customers
The MVP shipped on a deadline. It has no migrations, no RLS, no rate limits — and the next funding round will read the code. We rewrite the foundation, keep the surface, document the runbook.

What we ship

Multi-tenant authentication with row-level isolation (RLS)
Subscription billing via Stripe (plans, trials, proration, dunning)
Admin dashboard with tenant + user management
User roles and permissions
Audit log for every privileged action

Foundations

What’s included in every build

Authentication with MFA
Email, magic link, password reset, TOTP. Every login event logged with IP and user agent. Roles enforced at the database, not just hidden in the React tree.
RLS-backed data isolation
Tenant boundary enforced at the row. A misrouted query returns nothing — never another tenant's table. Holds up the moment a customer pastes in real data.
Payments + Stripe
Real webhooks, dunning, proration on plan change, grace periods, refunds. Billing portal your customer service team will not have to email Stripe to operate.
Search, filters, pagination
Full-text plus trigram fuzzy matching in Postgres. Page size clamped, cursor pagination, indexed at the database layer. No Algolia bill, no third service to keep alive.
Audit logging
Every privileged write captured with actor, target, before and after state. The trail an enterprise procurement team asks for in week one of diligence.
Observability
Structured JSON logs with sensitive fields redacted. Sentry wired before launch. Latency and error-rate dashboards live day one — not retrofitted after the first outage.
CI/CD + deployment previews
Every pull request gets a live URL. Tests run on every push, type-check and lint gate merges. Deploys are a button, rollback is a button.
Deployment to your cloud (Vercel + Supabase)
Your Vercel team, your Supabase project, your domains, your keys. We deploy with your credentials and walk off at handover. No agency-held infrastructure.

Recent build

Case study
Real-time scoring platform
A subscription scoring platform for a competitive league with sixty thousand members. Multi-tenant from day one, custom scoring, leaderboards, Stripe wired to real webhooks, an admin tool the founder runs without us. Shipped in ten weeks, profitable in month two.
Read case study →
Case study
Specialist recruitment platform
A recruitment platform matching candidates to specialist roles. Multi-tenant practice accounts, role-based access, audit on every privileged write. Built in fourteen weeks. Twelve thousand active users in month one. They own the code, the schemas, the eval set.
Read case study →

Tech stack

Next.js 16
Supabase (Postgres + RLS + Edge Functions)
TypeScript
Stripe (billing, subscriptions, webhooks)
Vercel (hosting, preview deploys)

Our process

How we work

Step 1
01
Discovery
One scoping call, then a written brief. Tenant model, billing rules, role matrix, failure modes — on the page. Two weeks. No workshops, no decks.
Step 2
02
Architecture
Schema, API surface, build plan. The data model, the security boundary, the integration points named. Two weeks. You sign off before a line is written.
Step 3
03
Build
Eight to twelve weeks. Weekly demo on a real preview URL. Eighteen security patterns enforced by default. You can read the diff every Friday.
Step 4
04
Ship
Deploy to your cloud, transfer keys, walk through the runbook. A handover doc that names the failure mode and the on-call step. Not a goodbye email.
Step 5
05
Forge Care
Optional retainer — security patches, dependency updates, continued feature work. From £500 a month. Same engineer. Cancel any time.

Parent service: Web Apps

Pricing

Full pricing rationale and cost breakdown: How much does AI engineering cost?

Frequently asked

How do you handle multi-tenancy?
Row-level security at the database, organisation IDs on every table, foreign keys that enforce the boundary. Not a WHERE clause in a server action — the data plane refuses to return another tenant's row even if the application tries. Holds up in a security review. Scales to enterprise tenants without re-architecture.
Stripe vs Paddle vs LemonSqueezy?
Stripe by default — best webhook hygiene, best dunning, best dispute flow. Paddle if you need a Merchant of Record for global VAT. LemonSqueezy for indie scale where MoR matters more than feature surface. Picked on the call, wired with real webhooks, real failed-card retries, real refunds. Not a checkout link.
Can we offer free trials and enterprise plans?
Both. Free trials with card-required or no-card, grace periods, automatic downgrade. Enterprise plans with custom pricing, invoiced billing, net-thirty terms, signed order forms. Self-serve and sales-led on the same data model. No second product to bolt on at Series B.
What about white-labelling for resellers?
Custom domains per tenant, per-tenant theming, per-tenant email sender. Resellers see their brand, end-users see the reseller. The reseller billing layer sits on top of the per-tenant Stripe customer. Audit trail tracks which seat belongs to which reseller. Built in, not bolted on.
Who owns the code?
You. Your repo, your Supabase, your Stripe, your Vercel, your domains. No Canarlo SaaS in the loop. Plain TypeScript, no proprietary runtime, no licence fees. Any competent engineer can read the diff and extend it. The whole point is you walk away from us when you no longer need us.

A multi-tenant SaaS that holds up in diligence.

Twenty-minute call to scope the work. Proposal in your inbox inside forty-eight hours.

Book a 20-min call Send a brief

SaaS development by Canarlo

Who this is for

Founders moving off no-code who need multi-tenant from day one

Teams with a wedge product ready to add subscription billing and roles

Technical founders replacing a brittle MVP with a platform ready for real customers

What we ship

What’s included in every build

Authentication with MFA

RLS-backed data isolation

Payments + Stripe

Search, filters, pagination

Audit logging

Observability

CI/CD + deployment previews

Deployment to your cloud (Vercel + Supabase)

Recent build

Real-time scoring platform

Specialist recruitment platform

Tech stack

How we work

Discovery

Architecture

Build

Ship

Forge Care

Pricing

Frequently asked

A multi-tenant SaaS that holds up in diligence.

SaaS development by Canarlo

Who this is for

Founders moving off no-code who need multi-tenant from day one

Teams with a wedge product ready to add subscription billing and roles

Technical founders replacing a brittle MVP with a platform ready for real customers

What we ship

What’s included in every build

Authentication with MFA

RLS-backed data isolation

Payments + Stripe

Search, filters, pagination

Audit logging

Observability

CI/CD + deployment previews

Deployment to your cloud (Vercel + Supabase)

Recent build

Real-time scoring platform

Specialist recruitment platform

Tech stack

How we work

Discovery

Architecture

Build

Ship

Forge Care

Pricing

Frequently asked

A multi-tenant SaaS that holds up in diligence.