Project Overview
A UK Business Intelligence SaaS startup had built an MVP using Metabase hosted on a shared server — all 45 tri...
Technology Stack
Compliance & Standards
The Challenge
A UK Business Intelligence SaaS startup had built an MVP using Metabase hosted on a shared server — all 45 trial customers sharing one Metabase instance with inadequate data isolation. A UK GDPR audit identified this as a potential personal data breach risk (one customer could accidentally access another's data through URL manipulation). The company needed to migrate to a properly isolated multi-tenant architecture before Series A due diligence. Budget: £90,000 for the re-architecture.
Our Approach
Tenant Architecture Design
- Separate PostgreSQL database per tenant (not shared schema with RLS — the data volumes and query patterns required separate databases for performance isolation).
- AWS RDS eu-west-2 with separate RDS instances per tenant tier (
Basic
shared multi-AZ cluster;
Pro
dedicated instance;
Enterprise
dedicated cluster).
UK GDPR Data Isolation
PostgreSQL separate databases provide complete data isolation by design — no RLS misconfiguration risk.
UK GDPR right to erasure per tenant
deleting a tenant cascades all their data across their dedicated database and removes the database itself.
Article 30 Records
automated per-tenant ROPA generated from database schema metadata.
ETL Pipeline Migration
- Customer data migration from shared Metabase instance to new isolated architecture.
- Zero-downtime migration: read-only mode on old system while new databases populated, validation checks comparing query results, then traffic cutover. 45 customers migrated in 72-hour window.
Series A TDD Preparation
- Post-migration: architecture documentation, UK GDPR compliance pack (ICO registration, DPAs with AWS, data flow diagrams), IP assignment confirmation, pen test commissioned, and Cyber Essentials certification started.
- TDD evidence pack prepared 6 weeks before Series A process opened.
The Results
Re-architecture complete at 12 weeks, £84,000 — under budget.
UK GDPR audit re-run: zero findings.
Series A TDD: zero data isolation or GDPR findings (previously had 3 critical findings).
Series A closed at £3.2M (6 weeks after TDD completion).
Post-Series A: 12 new enterprise customers won, citing data isolation as a procurement criterion.
“The original architecture was a ticking GDPR time bomb. ClickMasters re-architected it properly, prepared our TDD evidence pack, and got us to Series A close in 18 weeks. The GDPR clean bill of health was essential for our enterprise sales pipeline." — CEO, UK BI SaaS (name withheld)”
Project Details
Ready to Transform Your Business?
Let's discuss how our technical expertise can help you achieve remarkable results.