ADR 0006 - Tenant-Isolated Data Plane with Shared Global Control Plane

Date: 2026-02-08
Status: Accepted

Context

AccessOS must support strong customer isolation while scaling to roughly 100 tenants in the next 12 months. We need an architecture that reduces reliance on perfect application-level tenant checks and supports operationally manageable deployments.

Decision

Adopt a tenant-isolated data-plane architecture in a single AWS account for v0:

  • Each tenant gets a dedicated ECS service set for core workloads.
  • Tenant resources (secrets, storage scopes, runtime roles) are scoped per tenant.
  • A shared global control plane manages tenant registry, licensing/entitlements, routing metadata, and fleet operations.
  • Workspace remains the primary user-facing access boundary.
  • Cross-tenant product data access is out of scope for v0.
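The per-tenant scoping of secrets, storage and runtime roles is the part of this decision that removes the dependence on perfect application-level tenant checks: the grant attached to a tenant's task role is rooted at that tenant's own resource prefix, so a missing check in application code cannot reach another tenant's data. The following is an added example, not AccessOS code, of how a provisioning step could generate that policy and verify isolation offline before anything is deployed. The account ID, region, bucket name and the `accessos/tenants/<tenant_id>/` naming convention are assumptions; the policy evaluator is a deliberately small IAM-style model (implicit deny, explicit Deny overrides Allow, `*` wildcards), not a substitute for the IAM policy simulator.

```python
"""Tenant-scoped runtime-role policy generation with an offline isolation check.

Added example; not AccessOS code. Account ID, region, bucket name and the
`accessos/tenants/<tenant_id>/` prefix convention are assumptions.
"""
import re
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"  # placeholder account ID (assumption)
REGION = "us-east-1"         # assumed region
DATA_BUCKET = "accessos-tenant-data"  # assumed bucket with per-tenant key prefixes
TENANT_ID_RE = re.compile(r"[a-z0-9-]+")


def secret_arn(tenant_id: str, name: str) -> str:
    """ARN of one secret under the tenant's prefix (Secrets Manager ARN layout)."""
    return (f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:"
            f"accessos/tenants/{tenant_id}/{name}")


def tenant_runtime_policy(tenant_id: str, strict_prefix: bool = True) -> dict:
    """Build the IAM policy document for one tenant's ECS task role.

    With strict_prefix=True every Resource ends in '<tenant_id>/*', so the
    prefix boundary is the path separator. strict_prefix=False is a
    constructed flawed variant ('<tenant_id>*', no separator) included only
    to show what the isolation check below catches.
    """
    if not TENANT_ID_RE.fullmatch(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    sep = "/" if strict_prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnSecretsOnly",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": [f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:"
                             f"accessos/tenants/{tenant_id}{sep}*"],
            },
            {
                "Sid": "OwnStoragePrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{DATA_BUCKET}/tenants/{tenant_id}{sep}*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request IAM-style: implicit deny, explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_tenant_violations(tenant_ids, strict_prefix: bool = True):
    """Return (grantee, victim, resource) triples where one tenant's role
    could read another tenant's secret. An empty list means the generated
    policies keep tenants apart at the IAM layer.
    """
    violations = []
    for grantee in tenant_ids:
        policy = tenant_runtime_policy(grantee, strict_prefix)
        for victim in tenant_ids:
            if victim == grantee:
                continue
            target = secret_arn(victim, "db-password")
            if policy_allows(policy, "secretsmanager:GetSecretValue", target):
                violations.append((grantee, victim, target))
    return violations


if __name__ == "__main__":
    tenants = ["acme", "acme2", "globex"]  # constructed tenant registry entries
    print("strict prefixes:", cross_tenant_violations(tenants))
    print("sloppy prefixes:", cross_tenant_violations(tenants, strict_prefix=False))
```

The `acme` / `acme2` pair is the case worth keeping in the check: a prefix pattern that omits the trailing separator lets tenant `acme`'s role match tenant `acme2`'s secrets, which is exactly the kind of defect that an app-level check would otherwise have to catch at request time. Running `cross_tenant_violations` over the full tenant registry as a provisioning gate turns that into a build-time failure.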

Consequences

  • Stronger isolation guarantees than purely shared data-plane designs.
  • Higher operational complexity than single shared-stack deployments.
  • Requires robust tenant provisioning, routing metadata publication, and deployment orchestration.
  • Enables future premium path to account-per-tenant for selected customers.

Alternatives considered

  • Shared multi-tenant data plane with app-level isolation checks (rejected: larger blast radius and weaker isolation posture).
  • Account-per-tenant for all customers in v0 (deferred: operational overhead too high for initial scale).