Multi-tenant e-signature, isolated by design.
Strict per-tenant data isolation at the database layer, per-tenant templates and audit trails, scoped API keys, per-tenant white-labeling, and pay-as-you-go pricing that scales with aggregate usage. Built for SaaS, OEMs, and channel partners serving multiple end-customer organizations.
- DB-layer: Isolation, not just query filters
- Per-tenant: Templates, history, brand
- Scoped API: Keys never cross tenants
Multi-tenancy is more than 'each customer has a row in our DB.' Real multi-tenant signing requires five distinct guarantees.
- Database-layer data isolation per tenant
- Per-tenant template and envelope scoping
- Per-tenant audit trail isolation
- Scoped API keys (no cross-tenant access)
- Per-tenant white-labeling and configuration
Most 'multi-tenant' platforms are application-layer filtering with shared storage underneath.
When a vendor markets 'multi-tenant,' the technical reality varies wildly. Some platforms are genuinely tenant-isolated at the storage layer — each tenant's data is partitioned at the database, with no query path that could surface another tenant's records. Other platforms are application-layer filtering: all tenants share storage, and filtering happens at query time. The difference matters when an application bug or a misconfigured permission could leak data across tenant boundaries. Real multi-tenant platforms are isolated by architecture; query-filter multi-tenants are isolated by hope.
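The difference described above, as an added illustration that is not CT Signature's code: a shared table guarded by a query filter leaks as soon as one handler forgets the predicate, while a per-tenant store reached only through the API key's tenant binding returns nothing for the same query. SQLite, the table layout, the key names and the sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample data: (tenant, envelope id, title). Names are hypothetical.
ROWS = [("acme", "env-1", "Acme NDA"), ("globex", "env-2", "Globex MSA")]
API_KEYS = {"key-acme": "acme", "key-globex": "globex"}  # key -> tenant binding

def shared_store():
    """Application-layer model: one table for everyone, tenant_id column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE envelopes (tenant_id TEXT, id TEXT, title TEXT)")
    db.executemany("INSERT INTO envelopes VALUES (?, ?, ?)", ROWS)
    return db

def partitioned_stores():
    """Storage-layer model: a separate database per tenant, no tenant_id column."""
    stores = {}
    for tenant, env_id, title in ROWS:
        if tenant not in stores:
            stores[tenant] = sqlite3.connect(":memory:")
            stores[tenant].execute("CREATE TABLE envelopes (id TEXT, title TEXT)")
        stores[tenant].execute("INSERT INTO envelopes VALUES (?, ?)", (env_id, title))
    return stores

def fetch_filtered(db, api_key, env_id):
    """Shared store, handler written correctly: tenant predicate present."""
    tenant = API_KEYS[api_key]
    sql = "SELECT title FROM envelopes WHERE tenant_id = ? AND id = ?"
    return db.execute(sql, (tenant, env_id)).fetchone()

def fetch_filter_forgotten(db, api_key, env_id):
    """Shared store, one handler missing the predicate: isolation is gone."""
    API_KEYS[api_key]  # caller is authenticated, but the query ignores the tenant
    return db.execute("SELECT title FROM envelopes WHERE id = ?", (env_id,)).fetchone()

def fetch_partitioned(stores, api_key, env_id):
    """Per-tenant store: the same predicate-free query cannot reach other tenants."""
    db = stores[API_KEYS[api_key]]  # the key selects the only database in reach
    return db.execute("SELECT title FROM envelopes WHERE id = ?", (env_id,)).fetchone()

if __name__ == "__main__":
    shared, stores = shared_store(), partitioned_stores()
    print("filtered:        ", fetch_filtered(shared, "key-acme", "env-2"))
    print("filter forgotten:", fetch_filter_forgotten(shared, "key-acme", "env-2"))
    print("partitioned:     ", fetch_partitioned(stores, "key-acme", "env-2"))
```

A useful review check follows from this: in the shared model every query is a place where isolation can fail, so each one needs a cross-tenant negative test; in the partitioned model the test surface is the key-to-store binding.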
CT Signature is multi-tenant by architecture. Per-tenant data partitioning happens at the database layer. There is no query path that could return another tenant's data, regardless of application bugs. API keys are scoped per-tenant; a tenant's API key cannot access another tenant's templates, envelopes, audit history, or any other resource. The isolation is verifiable through the architecture, not just trusted from configuration.
On top of that isolation, every tenant-relevant feature is per-tenant: templates are tenant-scoped, envelope history is tenant-scoped, audit trail is tenant-scoped, white-labeling is tenant-scoped, configuration is tenant-scoped. SaaS partners and OEMs can serve hundreds or thousands of end-customer organizations on the platform without cross-customer data exposure being possible.
- Database-layer isolation — not just application-layer query filtering
- Scoped API keys — per-tenant, can't cross boundaries
- Per-tenant audit trails — one tenant's history isn't visible to another
- Per-tenant templates — templates can't accidentally leak
- Per-tenant white-labeling — brand isolation matches data isolation
What multi-tenant CT Signature delivers.
Database-layer data isolation
Per-tenant data partitioning at the database layer, not just application-layer query filtering. There is no query path that could surface another tenant's data, regardless of application bugs. Isolation is verifiable through the architecture.
Per-tenant template scoping
Each tenant's templates are private to that tenant. Templates can't be accidentally shared across tenants. Updating a template affects only that tenant's future envelopes. Per-tenant template versioning and history.
Per-tenant envelope and audit isolation
Envelope history and audit trails are per-tenant. A tenant's audit log doesn't include other tenants' actions. Cross-tenant aggregation is impossible from a tenant-scoped API key. Auditor reviews of one tenant don't expose another.
Scoped API keys per tenant
API keys are issued per tenant. A tenant's API key can only access that tenant's resources. There's no path for a misissued key to access cross-tenant data. Key rotation is per-tenant; revocation is per-tenant.
Per-tenant white-labeling and configuration
Each tenant's brand, signing UI colors, email-from domain, email templates, and signing flow configuration are all per-tenant. SaaS partners and OEMs serve customers with each customer's brand intact across every signer touchpoint.
Aggregate billing across tenants
Pay-as-you-go pricing scales with total envelopes across all tenants. Volume discounts apply at higher aggregate usage. SaaS partners pass per-envelope cost through to customers, fold it into their own pricing, or absorb it; the platform supports any of these models.
A few ways teams use this.
SaaS serving 200 small businesses
SaaS for small business operations serves 200 customer organizations. Each customer has their own templates (their standard contracts), their own envelope history, their own audit trail, their own brand on signature requests. The 200th customer can't see anything from the 1st customer. The SaaS partner's per-customer onboarding includes brand setup; ongoing operation requires no per-customer maintenance from the SaaS team.
Healthcare SaaS with HIPAA isolation requirements
Healthcare SaaS serves 100 medical practices. HIPAA requires strict data isolation between practices. CT Signature's database-layer isolation provides the technical foundation; BAA coverage provides the legal foundation. Each practice's PHI is isolated from every other practice's. Auditing one practice doesn't surface any other practice's data.
Channel partner reselling under their brand
OEM channel partner sells e-signature to 50 enterprise customers under the OEM's brand. Each enterprise customer is its own tenant; the OEM is the platform consumer. End-customers experience the product as the OEM's offering. Per-tenant white-labeling extends the OEM's brand reach without exposing the underlying CT Signature provider relationship.
Common multi-tenant questions.
Is data isolation actually database-layer, or application-layer query filtering?
How are API keys scoped per tenant?
Can a SaaS partner provision new tenants programmatically?
What about cross-tenant analytics for SaaS partner business intelligence?
How does pricing work for high-tenant-count SaaS scenarios?
What happens if a tenant churns out of the SaaS partner's platform?
Multi-tenant signing isolated by design.
Get API credentials and we'll walk through your specific multi-tenant scenario — tenant provisioning, per-tenant configuration, and isolation guarantees.