Multi-Tenant PII Isolation: Defense in Depth for Mortgage Data
How we keep client data completely isolated in a shared infrastructure — multiple independent layers working together.
By the QuNetra Engineering Team · Designed for regulated environments
Who this is for
CISOs, CIOs, compliance officers, security architects
The Multi-Tenant Challenge
When you sell a platform to multiple mortgage lenders, each client's data must be completely invisible to every other client. This is not just a preference — it is a legal requirement under GLBA, a contractual obligation, and a trust foundation.
The naive approach is separate databases per client. That works at small scale but becomes operationally expensive — schema migrations, backups, monitoring, and connection pooling all multiply by the number of tenants.
We chose a different path: shared infrastructure with multiple isolation layers.
Defense in Depth
The platform enforces multiple independent isolation layers. Each protects a different surface:
- Data isolation — data-level isolation ensures complete tenant separation. No tenant can access another tenant's records, regardless of access level.
- Encryption — tenant-scoped encryption ensures data protection before storage. Even privileged access to the data layer does not expose plaintext.
- Secrets isolation — credentials, keys, and integrations are scoped per tenant. Identity-based controls prevent cross-tenant access.
- Storage isolation — documents are stored under tenant-scoped boundaries with access policies that prevent cross-tenant access.
- Compute isolation — each tenant operates within a dedicated boundary. Cross-boundary traffic is prevented by design.
- Log protection — all logs pass through automated PII masking before they are written. Even a compromised observability system does not expose sensitive data.
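An illustration of the log-protection layer, added here as an example and not QuNetra's own code: a Python logging formatter that masks PII in the fully rendered record, exception text included, as the last step before the handler writes it. The patterns, placeholder tokens and names (mask_pii, PiiMaskingFormatter, build_logger) are assumptions, and the sample values are constructed.

```python
import io
import logging
import re

# Assumed patterns for PII that can leak into mortgage-platform logs
# (illustrative, not exhaustive). SSN is listed before phone numbers.
PII_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"), "[PHONE]"),
]


def mask_pii(text: str) -> str:
    """Replace every match of the assumed PII patterns with a fixed token."""
    for pattern, token in PII_PATTERNS:
        text = pattern.sub(token, text)
    return text


class PiiMaskingFormatter(logging.Formatter):
    """Mask the final formatted string, so message arguments and
    traceback text are covered, not only the message template."""

    def format(self, record: logging.LogRecord) -> str:
        return mask_pii(super().format(record))


def build_logger(stream) -> logging.Logger:
    """Return a logger whose only handler writes masked output to stream."""
    logger = logging.getLogger("pii_masking_example")
    logger.handlers.clear()
    logger.propagate = False  # keep unmasked records away from root handlers
    handler = logging.StreamHandler(stream)
    handler.setFormatter(PiiMaskingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def demo() -> str:
    """Log constructed sample records and return what reached the sink."""
    sink = io.StringIO()
    log = build_logger(sink)
    log.info("borrower ssn=%s email=%s", "123-45-6789", "jane.doe@example.com")
    try:
        raise ValueError("bad phone 555-867-5309")
    except ValueError:
        log.exception("validation failed")  # traceback text is masked too
    return sink.getvalue()
```

Masking in the formatter only protects sinks that use it, so every handler attached to the logger needs the same formatter, and propagation to unmasked root handlers has to stay disabled.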
The Principle
No single layer is considered sufficient. An attacker would need to compromise multiple independent systems to access another tenant's data. That is the standard we hold ourselves to.
Key Takeaways
- Five independent isolation layers — no single point of failure
- PII protected by tenant-scoped encryption before storage
- Per-tenant secrets, storage boundaries, and compute separation
Impact
- Five independent isolation layers — defense in depth
- SOC 2 and GLBA readiness by design
- Per-tenant data isolation without infrastructure duplication
Built for auditability and governance · Aligned with MISMO standards