Module: Deployment Control Plane — Option 2 (Single-Tenant Isolated)
4 tenants live · 1 provisioning · All systems operational

Active tenants: 4 — all systems healthy
Provisioning now: 1 — BMW SA, 73% complete
Database instances: 4 — fully isolated per tenant
Avg provision time: 8.4 min — fully automated
Combined uptime: 99.97% — last 90 days
Deployed tenant instances

Alstom SA — Railway · 47 users
  Domain: alstom.siebencmms.com
  Industry: Rail / IRIS
  Region / data centre: 🇿🇦 JHB-AZ1 — Africa North, Teraco JB1
  DB instance: pg-alstom-prod-01 (PostgreSQL 16.2)
  Version: v2.4.1 · Health: Healthy

Toyota SA — Automotive · 89 users
  Domain: toyota.siebencmms.com
  Industry: Auto / IATF
  Region / data centre: 🇿🇦 JHB-AZ2 — Africa North, Teraco JB2
  DB instance: pg-toyota-prod-01 (PostgreSQL 16.2)
  Version: v2.4.1 · Health: Healthy

Bombardier EU — Railway · 112 users
  Domain: bombardier.siebencmms.com
  Industry: Rail / IRIS
  Region / data centre: 🇩🇪 FRA-AZ1 — EU West, Frankfurt DC3
  DB instance: pg-bombardier-prod-01 (PostgreSQL 16.2)
  Version: v2.4.1 · Health: Healthy

Ford SA — Automotive · 63 users
  Domain: ford.siebencmms.com
  Industry: Auto / IATF
  Region / data centre: 🇿🇦 CPT-AZ1 — Africa South, Teraco CT1
  DB instance: pg-ford-prod-01 (PostgreSQL 16.2)
  Version: v2.4.1 · Health: Healthy

BMW SA — Automotive · 0 users
  Domain: bmw.siebencmms.com
  Industry: Auto / IATF
  Region / data centre: 🇿🇦 JHB-AZ3 — provisioning...
  DB instance: pg-bmw-prod-01 (creating...)
  Version: pending · Health: Provisioning, 73%
Isolation guarantee: Each tenant row above represents a completely independent deployment — separate subdomain (TLS certificate), separate application container, separate PostgreSQL instance, and separate backup schedule. No tenant can access, query, or be affected by another tenant's database or application. This is the architecture recommended by IATF 16949 auditors and required for IRIS/ISO 22163 railway data handling.
New tenant provisioning wizard — fully automated, avg 8.4 min
Steps: 1 Company info · 2 Region & data · 3 Modules · 4 Security · 5 Deploy

Step 1 — Company info
  Fields: Company name; Short code (subdomain); Industry; Compliance standards; Primary admin email; Number of users (estimated)
  Generated subdomain preview: https://bmw.siebencmms.com
Step 2 — Region & data
Select data centre region — data will be stored exclusively in this location:
  🇿🇦 Johannesburg — Teraco JB1 / JB2 / JB3 — POPIA compliant · IATF preferred
  🇿🇦 Cape Town — Teraco CT1 · Africa South — POPIA compliant
  🇩🇪 Frankfurt — AWS EU-West / Azure WEU — GDPR compliant · IRIS preferred
  🇬🇧 London — AWS EU-West-2 — UK GDPR · IRIS compliant
  🇦🇪 UAE / Dubai — AWS ME-South-1 — Middle East residency
  🌐 Customer-hosted — On-premise / private cloud — Full data sovereignty
Further fields: Database size tier; Backup frequency
Data residency guarantee: The selected region is the exclusive location for all tenant data — application server, database, backups, and audit logs. No data crosses regional boundaries. This guarantee is documented in the tenant's compliance certificate and Data Processing Agreement (DPA).
Step 3 — Modules
Select which modules to enable for this tenant. Required modules are pre-checked and cannot be disabled.
  Asset manager & hierarchy (required)
  Safety gate & PPE interlock (required)
  Job cards & work orders (required)
  OEE dashboard
  Permit-to-work (PTW)
  RCA engine (5-Why + Fishbone)
  Shift handover module
  Energy monitoring & digital twin
  Supplier portal & critical spares
  HSE tracker & training matrix
  Notification engine
  Predictive maintenance (PdM)
Step 4 — Security
These security defaults will be applied at provisioning. The tenant admin can adjust them within their permitted policy bounds.
  Enforce 2FA at signup — all users must verify a mobile OTP during registration
  Require 2FA at every login — OTP required on every session; stricter but higher friction
  Enable biometric login — allow fingerprint / Face ID for returning users
  Enable immutable record locking — closed job cards, RCAs, and permits cannot be edited (recommended)
  Enable SHA-256 integrity hashing — all locked records are hash-stamped for tamper detection
  Enable geofencing — enforce plant boundary for safety sign-offs and job closures
  Enable suspicious login detection — alert on unrecognised devices, off-hours logins, geofence violations
  Invite-only user registration — users cannot self-register; admin must issue invites (recommended)
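What the "Enable SHA-256 integrity hashing" default amounts to for a single locked record, as an added example (not Sieben CMMS code): a canonical serialisation of the record, a SHA-256 stamp over it, and a verifier that reports any later edit. The record fields and the `integrity_sha256` column name are assumptions; the sample job card is constructed.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Added example, not Sieben CMMS code. The record fields and the
# `integrity_sha256` stamp field are assumptions.

STAMP_FIELD = "integrity_sha256"


def canonical_bytes(record: Dict[str, Any]) -> bytes:
    """Serialise the record deterministically: sorted keys, fixed separators, UTF-8.

    Two records with the same content but different key order or whitespace must
    hash identically, otherwise verification fails on a legitimate re-read.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def stamp_locked_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record carrying a SHA-256 stamp over every other field."""
    body = {k: v for k, v in record.items() if k != STAMP_FIELD}
    stamped = dict(body)
    stamped[STAMP_FIELD] = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return stamped


def verify_locked_record(record: Dict[str, Any]) -> bool:
    """Recompute the stamp and compare in constant time; False if absent or mismatched."""
    stored = record.get(STAMP_FIELD)
    if not isinstance(stored, str):
        return False
    body = {k: v for k, v in record.items() if k != STAMP_FIELD}
    expected = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return hmac.compare_digest(stored, expected)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed job card: intact, re-ordered, and tampered copies."""
    job_card = {
        "record_type": "job_card",
        "job_card_id": "JC-0001",
        "asset": "PRESS-LINE-3",
        "status": "closed",
        "closed_by": "tech@example.com",
        "closed_at": "2026-03-28T14:05:00Z",
        "ppe_checklist": ["gloves", "goggles"],
    }
    stamped = stamp_locked_record(job_card)
    intact = verify_locked_record(stamped)

    # Same content read back with keys in a different order still verifies.
    reordered = dict(reversed(list(stamped.items())))
    reordered_ok = verify_locked_record(reordered)

    # A post-lock edit to the closure timestamp breaks the stamp.
    tampered = dict(stamped)
    tampered["closed_at"] = "2026-03-27T14:05:00Z"
    tampered_ok = verify_locked_record(tampered)
    return intact, reordered_ok, tampered_ok
```

The stamp only proves the content is unchanged since locking if the stamp itself is harder to rewrite than the row. Where the application's database role can update `integrity_sha256` along with the record, keep the stamps in a separate append-only store or key them (HMAC) with a key held outside the tenant database.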
Step 5 — Deploy
Tenant configuration
  Company: BMW South Africa
  Subdomain: bmw.siebencmms.com
  Industry: Automotive / IATF 16949
  Region: 🇿🇦 Johannesburg — Teraco JB3
  DB instance: pg-bmw-prod-01
  Modules enabled: 11 / 12
What will be provisioned
  TLS certificate: auto-issued
  PostgreSQL 16.2 instance: isolated DB
  Application container: Kubernetes pod
  Schema migration: auto-seeded
  Security policies (RLS): auto-applied
  Admin invite email: auto-sent
Infrastructure architecture — single-tenant isolated (Option 2) — audit-recommended model
DNS / CDN
*.siebencmms.com (wildcard DNS)
Cloudflare CDN + WAF + DDoS protection
SSL/TLS termination (per-subdomain cert)
Gateway
API Gateway (Kong / AWS APIG)
Rate limiting + Auth middleware
Suspicious login detector
Control plane
Provisioning service (Terraform / Helm)
Tenant registry DB (central)
CI/CD orchestrator (GitHub Actions)
Tenant A
alstom.siebencmms.com
App container K8s pod
pg-alstom-prod-01
JHB-AZ1 · Teraco JB1
|
toyota.siebencmms.com
App container K8s pod
pg-toyota-prod-01
JHB-AZ2 · Teraco JB2
|
bombardier.siebencmms.com
App container K8s pod
pg-bombardier-prod-01
FRA-AZ1 · Frankfurt DC3
|
ford.siebencmms.com
App container K8s pod
pg-ford-prod-01
CPT-AZ1 · Teraco CT1
Observability
Prometheus + Grafana (per-tenant metrics)
Loki (per-tenant log aggregation)
PagerDuty (on-call alerting)
Backups
pg_basebackup every 6h (per tenant, per region)
WAL streaming (continuous, point-in-time recovery)
30-day retention, encrypted at rest (AES-256)
Key isolation guarantee from the diagram: Each tenant's Kubernetes pod and PostgreSQL instance share zero infrastructure with any other tenant. The vertical pipe symbols (|) represent hard isolation boundaries, not shared components. The control plane layer only provisions and monitors; it never has runtime access to tenant data.
CI/CD deployment pipeline — automated rollout to all tenants (GitHub Actions + Helm)
One codebase. Automated deployment to all tenant instances. Updates are tested in staging, validated, then rolled out using a canary strategy — 10% of tenants first, then progressive rollout. No tenant is updated without passing all tests.
Source
Git push to main
PR merged & tagged
Build & test
Unit tests ✓
Integration tests ✓
Security scan (Trivy) ✓
Docker image built ✓
Staging
staging.siebencmms.com
Schema migration test ✓
E2E tests (Playwright) ✓
Performance baseline ✓
Canary (10%)
1 tenant selected
Monitor 30 min
Error rate check
Auto-promote if OK ✓
Progressive rollout
25% tenants ✓
50% tenants ✓
75% tenants ✓
100% — in progress
Post-deploy
Health checks all tenants
Smoke tests per tenant
Rollback ready (blue-green)
Release notes emailed
Rollback strategy
  Strategy: Blue-green deployment
  Rollback time: <90 seconds per tenant
  Trigger: Error rate >2% or health check failure
  DB migrations: Backwards-compatible only (no destructive changes)
  Previous version kept: 72 hours post-deploy
  Tenant notified on rollback: Yes — auto email
Maintenance windows
  Alstom SA (rail, 24/7): Sun 02:00–04:00 SAST
  Toyota SA (day shift): Sun 01:00–03:00 SAST
  Bombardier EU: Sun 01:00–03:00 CET
  Ford SA: Sat 23:00–01:00 SAST
  Emergency patches: Deploy immediately, notify after
Per-tenant health dashboard — all healthy, 99.97% uptime

Metric              Alstom SA   Toyota SA   Bombardier   Ford SA
Uptime (30d)        99.99%      100%        99.94%       100%
API response (p95)  142ms       118ms       209ms        131ms
DB connections      23 / 100    41 / 100    57 / 100     31 / 100
Last backup         3h ago ✓    2h ago ✓    1h ago ✓     4h ago ✓
App version         v2.4.1      v2.4.1      v2.4.1       v2.4.1
Version management — current release: v2.4.1 — all tenants current
  Current stable: v2.4.1 — released 28 Mar 2026; all 4 tenants on this version
  Next release: v2.5.0 — in staging, ETA 14 Apr 2026; energy module enhancements + RLS v2
  Rollout strategy: Blue-green canary, 10% → 25% → 50% → 100%; auto-rollback if error rate >2%
Key advantage of the single-tenant architecture: Because each tenant has its own deployment, a release can be paused mid-rollout without affecting already-updated tenants. If v2.5.0 causes an issue on tenant 2, tenants 1, 3, and 4 continue running their current version unaffected. This is impossible in a shared-database multi-tenant model.
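The rollout property described above, as an added example that is not the project's pipeline code: the 10% → 25% → 50% → 100% canary schedule and the error-rate >2% auto-rollback trigger, run over the four production tenants. The `observe` callback stands in for the 30-minute Prometheus monitoring window and the error-rate samples are constructed; both are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not the project's pipeline code. `observe` replaces the real
# 30-minute monitoring window; error-rate samples in demo() are constructed.

WAVES = (0.10, 0.25, 0.50, 1.00)   # cumulative share of tenants updated after each wave
ERROR_RATE_THRESHOLD = 0.02        # auto-rollback trigger: error rate > 2%


@dataclass
class Tenant:
    slug: str
    version: str
    previous_version: Optional[str] = None   # kept for blue-green rollback


def plan_waves(tenants: List[Tenant], waves=WAVES) -> List[List[Tenant]]:
    """Split an ordered tenant list into the tenants newly covered by each wave.

    ceil() makes the 10% wave exactly one tenant on a four-tenant fleet; a wave that
    adds no new tenant (25% of 4 is still 1) is skipped rather than emitted empty.
    """
    n = len(tenants)
    plan, done = [], 0
    for share in waves:
        target = max(done, math.ceil(n * share))
        if target > done:
            plan.append(tenants[done:target])
            done = target
    return plan


def run_rollout(tenants: List[Tenant], to_version: str,
                observe: Callable[[Tenant], float],
                waves=WAVES, threshold: float = ERROR_RATE_THRESHOLD) -> Tuple[bool, List[str]]:
    """Roll `to_version` out wave by wave, pausing on the first breach.

    Each updated tenant is observed; any tenant whose error rate exceeds the
    threshold is switched back to its previous version and the rollout stops.
    Tenants updated in earlier waves keep the new version and tenants in later
    waves keep the old one. Returns (completed, slugs_rolled_back).
    """
    for wave in plan_waves(tenants, waves):
        for t in wave:
            t.previous_version, t.version = t.version, to_version
        breached = [t for t in wave if observe(t) > threshold]
        if breached:
            for t in breached:   # blue-green: the previous release is still deployed
                t.version, t.previous_version = t.previous_version, None
            return False, [t.slug for t in breached]
    return True, []


def demo() -> Tuple[bool, List[str], dict]:
    """Constructed scenario: v2.5.0 breaches the threshold on the second tenant."""
    tenants = [Tenant(s, "v2.4.1") for s in ("alstom", "toyota", "bombardier", "ford")]
    rates = {"alstom": 0.004, "toyota": 0.031, "bombardier": 0.007, "ford": 0.002}
    completed, rolled_back = run_rollout(tenants, "v2.5.0", lambda t: rates[t.slug])
    return completed, rolled_back, {t.slug: t.version for t in tenants}


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the first tenant stays on v2.5.0, the second is rolled back to v2.4.1, and the remaining two are never touched, which is the outcome the paragraph above describes.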
Per-tenant data residency & compliance certificates — auto-generated on provisioning
Each tenant receives a signed compliance certificate at provisioning that documents their isolated data residency, the applicable standards their deployment satisfies, and the Data Processing Agreement (DPA) reference. This document is the primary evidence an IATF or ISO auditor requests when evaluating software systems.
CERT-2026-AL-001 — Data Residency Certificate — Alstom SA
  All maintenance data, safety records, and audit logs are stored exclusively in Teraco JB1, Johannesburg, South Africa. No data is replicated outside this region. Database: pg-alstom-prod-01. Fully isolated — no shared infrastructure with any other tenant.
  Standards: ISO 22163 / IRIS · ISO 45001 · POPIA compliant
  Issued: 15 Jan 2026 · Valid: 14 Jan 2027
  DPA Ref: DPA-2026-AL-001

CERT-2026-BM-003 — Data Residency Certificate — Bombardier EU
  All maintenance data, safety records, and audit logs are stored exclusively in Frankfurt DC3, Germany (EU). GDPR Article 46 compliant. Database: pg-bombardier-prod-01. No data transfer outside the European Economic Area.
  Standards: ISO 22163 / IRIS · ISO 45001 · GDPR Art. 46
  Issued: 02 Feb 2026 · Valid: 01 Feb 2027
  DPA Ref: DPA-2026-BM-003

CERT-2026-TO-002 — Data Residency Certificate — Toyota SA
  All maintenance, OEE, and safety data are stored exclusively in Teraco JB2, Johannesburg, South Africa. Database: pg-toyota-prod-01. IATF 16949 Clause 8.5.1.5 records are immutable and hash-verified. Fully isolated deployment.
  Standards: IATF 16949 · ISO 45001 · VDA 6.3 · POPIA
  Issued: 20 Jan 2026 · Valid: 19 Jan 2027
  DPA Ref: DPA-2026-TO-002
Control plane schema — tenant registry (central DB, separate from all tenants)
-- Central control plane database
-- Entirely separate from all tenant DBs

CREATE TABLE Tenants (
    tenant_id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    company_name       VARCHAR(200) NOT NULL,
    slug               VARCHAR(50) UNIQUE NOT NULL,        -- e.g. 'alstom', 'toyota'
    subdomain          VARCHAR(100) UNIQUE NOT NULL,       -- alstom.siebencmms.com
    industry           VARCHAR(30),                        -- Automotive / Railway / Both
    region             VARCHAR(30) NOT NULL,               -- JHB-AZ1 / FRA-AZ1 / CPT-AZ1
    db_host            TEXT NOT NULL,                      -- Encrypted connection string
    db_name            VARCHAR(100) NOT NULL,
    app_version        VARCHAR(20),
    status             VARCHAR(20) DEFAULT 'provisioning', -- provisioning/active/suspended
    provisioned_at     TIMESTAMP,
    last_health_check  TIMESTAMP,
    health_status      VARCHAR(10),                        -- healthy / degraded / down
    compliance_certs   JSONB,                              -- Array of cert references
    dpa_reference      VARCHAR(50),
    modules_enabled    TEXT[],
    security_policy    JSONB,                              -- Serialised Security_Policy snapshot
    max_users          INT,
    current_users      INT DEFAULT 0
);

CREATE TABLE Provisioning_Log (
    log_id        BIGSERIAL PRIMARY KEY,
    tenant_id     UUID REFERENCES Tenants,
    step          VARCHAR(50),   -- dns/tls/db/app/migrate/notify
    status        VARCHAR(10),   -- running/done/failed
    started_at    TIMESTAMP,
    completed_at  TIMESTAMP,
    duration_sec  INT,
    output        TEXT,
    is_immutable  BOOLEAN DEFAULT TRUE
);

CREATE TABLE Deployment_History (
    deploy_id      BIGSERIAL PRIMARY KEY,
    tenant_id      UUID REFERENCES Tenants,
    from_version   VARCHAR(20),
    to_version     VARCHAR(20),
    strategy       VARCHAR(20),   -- canary / blue-green / hotfix
    deployed_at    TIMESTAMP,
    rolled_back    BOOLEAN DEFAULT FALSE,
    rollback_at    TIMESTAMP NULL,
    deployed_by    VARCHAR(100)   -- CI/CD bot or ops user
);
Why the control plane DB is separate
  Tenant data access: Control plane has ZERO access
  Control plane knows: Connection strings only (encrypted)
  Health checks: Ping endpoint — no data query
  Breach of control plane: Tenant data still isolated
  Auditor evidence: Can prove zero cross-access
Terraform provisioning script (abbreviated) — infrastructure as code
# terraform/modules/tenant/main.tf
# Provisions one complete isolated tenant stack

terraform {
  required_providers {
    postgresql = {
      source = "cyrilgdn/postgresql"
      # The regional PostgreSQL provider is passed in by the root module; provider
      # aliases cannot be interpolated (postgresql.${var.region} is not valid HCL).
      configuration_aliases = [postgresql.regional]
    }
  }
}

variable "tenant_slug" { type = string }
variable "region"      { type = string }
variable "db_tier"     { type = string }
variable "zone_id"     { type = string }   # Cloudflare zone for siebencmms.com

# module.k8s, module.db and module.control_plane_db are declared elsewhere in
# this module and omitted here (abbreviated).

# 1. DNS record: bmw.siebencmms.com
resource "cloudflare_record" "tenant_dns" {
  zone_id = var.zone_id
  name    = var.tenant_slug
  value   = module.k8s.load_balancer_ip
  type    = "A"
  proxied = true
}

# 2. TLS certificate (auto-renewed)
resource "cloudflare_certificate_pack" "tls" {
  zone_id = var.zone_id
  hosts   = ["${var.tenant_slug}.siebencmms.com"]
  type    = "advanced"
}

# 3. Isolated PostgreSQL instance (on the regional provider selected by the root module)
resource "postgresql_database" "tenant_db" {
  name     = "pg-${var.tenant_slug}-prod-01"
  provider = postgresql.regional
}

# 4. Kubernetes namespace + deployment
resource "kubernetes_namespace" "tenant" {
  metadata {
    name = var.tenant_slug
  }
}

resource "helm_release" "app" {
  name      = var.tenant_slug
  # Referencing the namespace resource makes Terraform create it before the release.
  namespace = kubernetes_namespace.tenant.metadata[0].name
  chart     = "./charts/siebencmms"

  set {
    name  = "db.host"
    value = module.db.endpoint
  }
  set {
    name  = "domain"
    value = "${var.tenant_slug}.siebencmms.com"
  }
}

# 5. Run schema migrations
resource "null_resource" "migrate" {
  provisioner "local-exec" {
    command = "flyway migrate -url=${module.db.url}"
  }
  depends_on = [helm_release.app]
}

# 6. Register in control plane
resource "postgresql_query" "register" {
  query = "INSERT INTO Tenants ..."
  db    = module.control_plane_db
}
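The wizard's short code ends up as the Cloudflare record name, the TLS hostname, the database name, the Kubernetes namespace and the Helm release name in the module above, so it should be validated once at the wizard boundary before any of those are derived. The following is an added example, not Sieben CMMS code; the reserved-name list and the 30-character cap are assumptions.

```python
import re
from typing import Dict, Tuple

# Added example, not Sieben CMMS code. RESERVED and MAX_SLUG_LEN are assumptions;
# the base domain and the pg-<slug>-prod-01 naming come from the page.

BASE_DOMAIN = "siebencmms.com"
MAX_SLUG_LEN = 30   # keeps "pg-<slug>-prod-01" and Kubernetes object names short
# RFC 1123 label: lowercase letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
RESERVED = frozenset({"staging", "www", "api", "admin", "control", "mail"})   # assumed


def validate_slug(raw: str) -> str:
    """Return the normalised slug, or raise ValueError explaining the rejection."""
    slug = raw.strip().lower()
    if not slug:
        raise ValueError("slug is empty")
    if len(slug) > MAX_SLUG_LEN:
        raise ValueError(f"slug longer than {MAX_SLUG_LEN} characters")
    if LABEL_RE.fullmatch(slug) is None:
        raise ValueError("slug must be a DNS label: a-z, 0-9 and '-', "
                         "not starting or ending with '-'")
    if slug in RESERVED:
        raise ValueError(f"slug {slug!r} is reserved")
    return slug


def check_slug(raw: str) -> Tuple[bool, str]:
    """Wizard-friendly wrapper: (True, slug) or (False, reason)."""
    try:
        return True, validate_slug(raw)
    except ValueError as exc:
        return False, str(exc)


def derive_names(raw: str) -> Dict[str, str]:
    """Every downstream identifier, derived from one validated slug only."""
    slug = validate_slug(raw)
    return {
        "subdomain": f"{slug}.{BASE_DOMAIN}",
        "db_instance": f"pg-{slug}-prod-01",
        "k8s_namespace": slug,
        "helm_release": slug,
    }
```

Uniqueness is left to the `slug UNIQUE` constraint in the Tenants table above; this check only guarantees that whatever reaches Terraform is a plain DNS label, so every derived name is well-formed and nothing but the intended subdomain, database and namespace can be named from it.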