Multi-tenant SaaS platform for education

Tech Lead / Fullstack

Problem

Serve many organizations from a single platform while guaranteeing each one's data is fully isolated — without sacrificing maintainability or delivery speed.

Impact

A scalable, testable foundation that supports per-organization growth without duplicating infrastructure.

The problem

A single platform had to serve many independent organizations. The non-negotiable requirement was data isolation: no organization could ever see another’s data, not even by accident. At the same time, the business needed to ship features fast and keep the codebase healthy as it grew.

The architecture

  • Hexagonal + DDD with isolated bounded contexts: the domain knows nothing about the database or the framework, which keeps the logic testable and portable.
  • Multi-tenant with Row-Level Security: every query runs inside the tenant’s context; per-organization filtering is enforced by the database, not left optional in application code.
  • Event-driven communication with the outbox pattern and a standard event contract, so state changes propagate reliably between services without coupling them.
  • Scoring pipeline: an API receives the work, a Go worker handles the compute-heavy processing, and a dashboard surfaces the results.
  • Signed JWT authentication (RS256) with secure token handling.

Key decisions

  • RLS over manual filtering: trusting isolation to the database engine eliminates a whole class of security bugs caused by a forgotten WHERE clause.
  • Outbox over direct publishing: an event is only emitted if its originating transaction committed. No more inconsistent states.
  • Go worker split from the API: heavy compute scales independently of web traffic.
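
To make the Row-Level Security item and the "RLS over manual filtering" decision concrete, here is an added sketch that is not the project's own schema. It assumes PostgreSQL; the table `courses`, the role `app_user` and the setting `app.tenant_id` are hypothetical names.

```sql
-- Added example; assumes PostgreSQL. All object names are hypothetical.
CREATE TABLE courses (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid   NOT NULL,
    title     text   NOT NULL
);

-- The application connects as a role that neither owns the table nor can
-- bypass RLS. Superusers and BYPASSRLS roles are never filtered.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON courses TO app_user;

ALTER TABLE courses ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policy.
ALTER TABLE courses FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for another tenant. An unset or empty setting becomes NULL,
-- the comparison is never true, and the query sees zero rows (fails closed).
CREATE POLICY tenant_isolation ON courses
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, as app_user. The third argument 'true' scopes the setting to
-- this transaction, so a pooled connection cannot carry one tenant's
-- context into the next request. The UUID is a constructed sample value.
BEGIN;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- No WHERE tenant_id = ... here: the policy supplies the filter.
SELECT id, title FROM courses;

-- Allowed: the row belongs to the current tenant.
INSERT INTO courses (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Algebra I');

-- An INSERT carrying any other tenant_id would fail the WITH CHECK clause
-- and abort the transaction.
COMMIT;

-- Outside a transaction that sets the tenant, the same SELECT returns no rows.
SELECT id, title FROM courses;
```

The tenant id passed to `set_config` should come from the verified token on the server side, never from a client-supplied parameter, and a test that connects as the application role without setting it is a cheap regression check for the isolation boundary.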

Impact

A platform that grows by adding organizations without rewriting the core or duplicating infrastructure — with a clear security boundary and code that is easy to test and maintain.