What SOC 2 evidence do I need for a multi-tenant SaaS app?

March 6, 2026 · 2 min read · SOC 2 for Specific Tech Stacks

Why Multi-Tenancy Matters for SOC 2

Multi-tenant architectures serve multiple customers from shared infrastructure. Auditors need to verify that tenant isolation is enforced — that Customer A cannot see Customer B's data, even if they share the same database, application servers, and API endpoints.

Evidence by Isolation Model

Isolation model                      Evidence required
-----------------------------------  ------------------------------------------------------------------------------
Separate databases per tenant        Database list showing per-customer DBs, connection routing logic
Shared database, separate schemas    Schema list, middleware ensuring correct schema selection
Shared database, tenant ID column    Query scoping logic, middleware injecting tenant filters, authorization tests
Row-level security (RLS)             RLS policy definitions, proof that policies are enforced

Key Evidence to Provide

1. Tenant Isolation in Code

Show how your application ensures queries are scoped to the authenticated tenant:

  • Middleware or context that sets the current tenant
  • Database queries filtered by tenant ID
  • API routes that verify tenant ownership before returning data

2. Authorization Checks

  • Evidence that API endpoints check the requesting user belongs to the target tenant
  • Screenshot or code showing cross-tenant access attempts are blocked

3. Testing

  • Test results showing cross-tenant data leakage is prevented
  • Security review of shared endpoints (search, reporting, exports) for tenant boundary enforcement
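Added example (not code from the original article): a minimal Python sketch of the three evidence items above in one place, a middleware step that binds the tenant from the authenticated session, a single scoped query path so no caller can forget the tenant filter, and a cross-tenant probe whose return value is the kind of test result an auditor asks for. It runs against a constructed in-memory SQLite dataset; names such as set_tenant_from_session and scoped_query are hypothetical.

```python
import sqlite3
from contextvars import ContextVar
# Hypothetical request-scoped tenant binding (assumption: one bound tenant per request).
current_tenant = ContextVar("current_tenant", default=None)

class TenantScopeError(PermissionError):
    """Raised when a query would run unscoped or reach into another tenant."""

def open_db():
    """Constructed sample data: two tenants sharing one table with a tenant_id column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER)")
    db.executemany("INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
                   [("tenant-a", 100), ("tenant-a", 250), ("tenant-b", 999)])
    return db

def set_tenant_from_session(session_tenant):
    """Middleware step: bind the tenant from the authenticated session, never from a client-supplied parameter."""
    current_tenant.set(session_tenant)

def scoped_query(db, sql, params=()):
    """Every data query goes through here, so the tenant filter cannot be omitted by a caller."""
    tenant = current_tenant.get()
    if tenant is None:
        raise TenantScopeError("no tenant bound to this request")
    return db.execute(sql, (tenant, *params)).fetchall()

def list_invoices(db):
    return scoped_query(db, "SELECT id, amount FROM invoices WHERE tenant_id = ?")

def get_invoice(db, invoice_id):
    """Route-level ownership check: a foreign id is treated as not found, not as someone else's row."""
    rows = scoped_query(db, "SELECT id, amount FROM invoices WHERE tenant_id = ? AND id = ?", (invoice_id,))
    if not rows:
        raise TenantScopeError(f"invoice {invoice_id} is not owned by {current_tenant.get()}")
    return rows[0]

def cross_tenant_probe(db):
    """Test evidence: tenant A sees only its own rows and cannot fetch tenant B's invoice (id 3)."""
    set_tenant_from_session("tenant-a")
    own_rows = len(list_invoices(db))
    try:
        get_invoice(db, 3)
        blocked = False
    except TenantScopeError:
        blocked = True
    return {"own_rows": own_rows, "cross_tenant_blocked": blocked}

if __name__ == "__main__":
    print(cross_tenant_probe(open_db()))  # {'own_rows': 2, 'cross_tenant_blocked': True}
```

The same probe, run against every shared endpoint (search, reporting, exports), is what the "Testing" item above expects you to keep on file.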

4. Infrastructure Isolation

  • Network security: are tenant workloads isolated at the network level?
  • Encryption: is data encrypted per-tenant or with shared keys?
  • Backups: can you restore a single tenant's data?

Common Findings

  • Shared admin endpoints: Admin APIs that don't check tenant scope, allowing admin users to query across tenants
  • Search leakage: Full-text search returning results from other tenants
  • File storage: S3 bucket paths not enforcing tenant boundaries
  • Logging: Application logs containing data from multiple tenants without access controls on the logs themselves

What Auditors Ask

Expect the auditor to ask: "Show me how you prevent one customer from accessing another customer's data." Have a clear answer — code, configuration, and test evidence — ready.


© 2025 Screenata. All rights reserved.