Knowledge Tree

Multi-Tenant Platform

Run Knowledge Tree as a fully multi-tenant SaaS platform with tenant isolation, usage metering, self-service onboarding, and Stripe billing.

Overview

The multi-tenant platform transforms Knowledge Tree into a SaaS-ready service. Each tenant operates in an isolated environment with its own discovery pipelines, graph data, users, and configuration. The platform handles tenant lifecycle, usage-based billing, custom domain mapping, and data retention policies.

Tenant isolation

Every tenant is isolated at the data plane and control plane levels. Tenant data is stored in separate schema namespaces within PostgreSQL and Apache AGE, ensuring that queries, graph traversals, and vector searches never cross tenant boundaries.

Isolation layerMechanism
DatabasePer-tenant PostgreSQL schema with row-level security
GraphPer-tenant Apache AGE graph namespace
VectorPer-tenant pgvector index prefix
CacheTenant-keyed Redis namespace
SecretsPer-tenant encryption key in vault
Compliance-ready
Tenant isolation satisfies SOC 2, ISO 27001, and GDPR requirements for logical separation of customer data. A tenant can be fully purged on request with its dedicated erasure workflow.

Account management

Each tenant has a full account profile including contact details, subscription tier, feature flags, and service-level agreement (SLA) parameters. Account management is exposed through both the admin UI and a REST API.

  • Account creation -- manual (admin) or self-service via onboarding flow
  • Profile updates -- company name, billing address, technical contacts
  • Subscription tier -- Starter, Pro, Enterprise with feature gating
  • SLA configuration -- uptime guarantees, support response times
  • Account suspension -- graceful and hard suspension modes
  • Tenant deletion -- full erasure with configurable grace period

Self-service onboarding

New tenants can sign up, provision their environment, and complete a guided first-run without any administrator intervention. The onboarding flow includes:

  1. Sign up -- email, password, company name via the registration form
  2. Email verification -- optional, configurable per deployment
  3. Environment provisioning -- database schemas, encryption keys, default roles
  4. Provider connection -- guided wizard to connect AWS, Azure, or GCP
  5. First discovery -- automated scan of the connected provider
  6. Dashboard preview -- review discovered resources and relationships
  7. Billing setup -- payment method and plan selection

Billing and metering

Usage is metered at multiple dimensions and reported to the billing system. Metering dimensions include:

DimensionUnitPurpose
Discovered resourcesPer resource per dayCore pricing metric
API callsPer 1,000 requestsAPI usage tiering
Graph queriesPer 100 queriesGraph compute
LLM tokensPer 1,000 tokensAI enrichment usage
StoragePer GB per monthData retention
UsersPer active userSeat-based pricing

Stripe integration

Billing is handled natively through Stripe. The integration supports:

  • Subscription plans -- monthly and annual billing cycles with tiered pricing
  • Usage-based billing -- metered dimensions reported via Stripe usage records
  • Invoicing -- automatic invoice generation and email delivery
  • Payment methods -- credit cards, ACH, wire transfer for Enterprise plans
  • Coupons and promotions -- discount codes, trial extensions, referral credits
  • Webhook handling -- subscription updates, payment failures, churn events
  • Customer portal -- Stripe-hosted portal for plan changes and billing history
# Example: metering usage via the billing API
POST /api/v1/billing/meter
Content-Type: application/json

{
  "tenant_id": "tnt_abc123",
  "dimension": "discovered_resources",
  "quantity": 147,
  "timestamp": "2025-06-01T00:00:00Z"
}

Custom domains

Each tenant can be assigned a custom domain (e.g., infra.acme.com). The platform automatically provisions TLS certificates via Let's Encrypt and routes requests to the correct tenant environment.

  • Domain mapping -- CNAME or A record pointed to the Knowledge Tree ingress
  • Automatic TLS -- ACME certificate provisioning and renewal
  • Path-based routing -- optional sub-path isolation for development tenants
  • Custom branding -- per-domain logo, favicon, and color scheme
# Configure a custom domain
PATCH /api/v1/admin/tenants/tnt_abc123/domain
Content-Type: application/json

{
  "domain": "infra.acme.com",
  "auto_tls": true
}

Data retention

Data retention policies are configurable per tenant and per data category. The platform enforces automated cleanup based on the defined schedule.

Data categoryDefault retentionConfigurable range
Resource snapshots90 days30 days - indefinite
Change history180 days30 days - indefinite
Audit logs1 year90 days - 7 years
API request logs30 days7 days - 1 year
LLM enrichment cache30 days7 days - 90 days
Deleted tenant data30 day grace7 days - 90 days
Compliance considerations
For regulated industries, set retention policies to match your compliance requirements. GDPR right-to-erasure requests can be processed through the tenant deletion workflow with the grace period bypassed.