Architecture & Security

Architecture is security

What lives in the database determines who can access it — and who cannot. Temporalis EMS separates tenants physically, not logically. Expensive to operate, cheap to defend.

Tenant isolation

Database-per-tenant. Not row-level, not schema-level.

Every tenant gets its own database in our multi-model database engine. A forgotten WHERE filter in code cannot leak foreign data, because the connection does not even point to it.

Standard approach

One DB for all — TenantID column

  • Every query has to include WHERE TenantID = ?.
  • A bug in code or an admin export turns instantly into a leak.
  • Backup-restore affects every tenant at once.

Our approach

One DB per tenant — physically separated

  • Queries don't need a TenantID filter — the connection is already scoped.
  • Bug in code ≠ cross-tenant leak. The other tenant's database isn't even in the connection pool.
  • Tenant offboarding = a single DB drop. No residual rows in the system.
  • Per-tenant backup and restore — no cross-impact.

Implemented via EMS.Modules.Tenant.Abstraction and TenantClaimsTransformation. The tenant binding happens at the edge (JWT claim → DB connection) before the first query builder is touched.
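To make the "forgotten WHERE filter" argument concrete, here is an added example written for this page; it is not Temporalis code. The product runs on .NET and a multi-model database, while this illustration uses Python with SQLite so it runs anywhere. The tenant names and rows are constructed sample data, the TenantBinder class is hypothetical, and the example assumes the JWT has already been signature-checked upstream: it only shows the claim-to-connection binding and why the same buggy query leaks on a shared database but not on a per-tenant one.

```python
import sqlite3

# Constructed sample data for two hypothetical tenants (not real Temporalis records).
TENANT_ROWS = {
    "acme":   [("Bridge A", 120_000)],
    "globex": [("Tunnel B", 950_000)],
}

SCHEMA_SHARED = "CREATE TABLE projects (tenant_id TEXT, name TEXT, budget INTEGER)"
SCHEMA_TENANT = "CREATE TABLE projects (name TEXT, budget INTEGER)"  # no tenant column needed


def build_shared_db() -> sqlite3.Connection:
    """Standard approach: one database for everyone, rows tagged with a TenantID column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA_SHARED)
    for tenant, rows in TENANT_ROWS.items():
        conn.executemany("INSERT INTO projects VALUES (?, ?, ?)",
                         [(tenant, name, budget) for name, budget in rows])
    return conn


def build_tenant_dbs() -> dict:
    """Database-per-tenant: each tenant's rows live in a database nobody else connects to."""
    dbs = {}
    for tenant, rows in TENANT_ROWS.items():
        conn = sqlite3.connect(":memory:")
        conn.execute(SCHEMA_TENANT)
        conn.executemany("INSERT INTO projects VALUES (?, ?)", rows)
        dbs[tenant] = conn
    return dbs


def list_projects_buggy(conn: sqlite3.Connection) -> list:
    """The 'forgotten WHERE filter': no tenant predicate at all."""
    return [name for (name,) in conn.execute("SELECT name FROM projects ORDER BY name")]


class TenantBinder:
    """Edge-side binding of a verified tenant claim to a connection (hypothetical helper).

    Assumes the JWT was already verified by the auth middleware; this class only decides
    which database, if any, the request may talk to, and it fails closed.
    """

    def __init__(self, dbs: dict):
        self._dbs = dbs

    def connection_for(self, claims: dict) -> sqlite3.Connection:
        tenant = claims.get("tenant")
        if not isinstance(tenant, str) or tenant not in self._dbs:
            # No implicit default database: a missing or unknown tenant gets nothing.
            raise PermissionError("request has no valid tenant binding")
        return self._dbs[tenant]


def shared_db_leak() -> list:
    """Shared DB + forgotten filter: every tenant's projects come back."""
    return list_projects_buggy(build_shared_db())


def per_tenant_query(claims: dict) -> list:
    """Per-tenant DB + the same buggy query: only the bound tenant's projects exist."""
    conn = TenantBinder(build_tenant_dbs()).connection_for(claims)
    return list_projects_buggy(conn)


if __name__ == "__main__":
    print("shared DB, no WHERE:", shared_db_leak())
    print("acme DB, no WHERE:  ", per_tenant_query({"tenant": "acme"}))
```

The point to notice is that list_projects_buggy is identical in both paths; only the connection it is handed differs, and that decision is made once at the edge, before any query code runs.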

Hosting

German servers, no third-country transfers

All core components run at Hetzner Online in Falkenstein (Vogtland) and Nuremberg — two ISO-27001-certified data centres in Germany. No CloudFront edges, no shadow telemetry, no fallback to US infrastructure.

  • Geo-redundancy: Falkenstein + Nuremberg, > 300 km apart
  • Third-country transfer: none — all sub-processors in the EU
  • Provider certification: Hetzner: ISO 27001, DIN 18599, TÜV
  • Network transit: DE-CIX Frankfurt — no US backbone routing required

Authentication

Who gets in, you decide

No proprietary login system. Keycloak in the backend, standards-compliant protocols — so you keep your existing identity-provider setup instead of maintaining a parallel world.

OIDC + OAuth2

Login via OpenID Connect. Authorization-code flow with PKCE, refresh-token rotation, session claims with tenant binding.
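Two of the mechanisms named above, PKCE on the authorization-code flow and refresh-token rotation, are easy to get subtly wrong, so here is an added example of both; it is written for this page and is neither Temporalis nor Keycloak code (Keycloak implements these server-side). The PKCE functions follow RFC 7636, the RefreshTokenStore class is a hypothetical in-memory model of rotation with reuse detection, and all token values are generated on the spot.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client side: the challenge sent with the authorization request (S256 method)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str) -> bool:
    """Authorization-server side, at the token endpoint.

    Only S256 is accepted: with 'plain' an intercepted challenge could be replayed
    directly as the verifier.
    """
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


class RefreshTokenStore:
    """Refresh-token rotation with reuse detection (hypothetical in-memory store).

    Every use of a refresh token returns a new one and retires the old one. If a retired
    token is presented again, the whole family is revoked, because some party holds a
    copy that should no longer exist.
    """

    def __init__(self):
        self._active = {}   # token -> family id
        self._retired = {}  # token -> family id (already rotated away)

    def issue(self, family: str = None) -> str:
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._active[token] = family
        return token

    def rotate(self, token: str) -> str:
        family = self._active.pop(token, None)
        if family is None:
            # Reuse of a rotated token: retire every still-active token in that family.
            stale_family = self._retired.get(token)
            if stale_family is not None:
                for t in [t for t, f in self._active.items() if f == stale_family]:
                    self._retired[t] = self._active.pop(t)
            raise PermissionError("refresh token invalid or reused")
        self._retired[token] = family
        return self.issue(family)

    def is_active(self, token: str) -> bool:
        return token in self._active


if __name__ == "__main__":
    v = make_code_verifier()
    print("PKCE ok:", verify_pkce(code_challenge_s256(v), v, "S256"))
    store = RefreshTokenStore()
    first = store.issue()
    second = store.rotate(first)
    print("old token still active after rotation:", store.is_active(first))
```

The verifier check uses a constant-time comparison and rejects the "plain" method outright; the rotation store shows why a client that accidentally reuses an old refresh token loses its session rather than being silently tolerated.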

SSO via SAML 2.0

Enterprise connectors for Azure AD/Entra, Okta, Keycloak, Google Workspace. Attribute mapping for group-based roles.

MFA + hardware keys

TOTP (authenticator app) and WebAuthn/passkeys (YubiKey, Windows Hello, Touch ID) out of the box. Phishing-resistant.

Granular permissions

17-stage project permission stack plus role- and user-based monetary-field visibility. Every change traceable in the audit log.

Technology stack

Open standards, no vendor lock-in

Every layer of the stack is a documented, open-source standard. Export paths in both directions. No invented data formats that bind you to us.

Frontend: Angular 21

Server-side rendering, lazy-loaded modules, standalone components.

Backend: .NET 10

Minimal APIs, OpenAPI 3, structured logs (Serilog).

Database: Multi-model database

Graph + document + key-value in one engine — for the 49-property project graph.

Identity: Keycloak

OIDC, SAML, LDAP federation. Self-hosted in the EU data centre.

Reports: Report Designer

Visual report designer inside the product. Export as Excel, PDF, CSV.

Operations: Docker + Kubernetes

GitOps deployments, automatic rollbacks, infrastructure-as-code.

Observability & audit

Every change stays traceable

Entity-level audit log with before/after snapshot, actor and timestamp. Structured logs via Serilog with correlation IDs — you see a request chain from the edge all the way to the query. Exportable into your own SIEM pipeline.
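As an added illustration of what such an audit record can look like (written for this page, not Temporalis code, and not the product's actual log schema): one entry carries the entity, actor, timestamp and correlation ID together with a field-level before/after diff, is serialised as one JSON object per line for a SIEM collector, and the correlation ID lets you pull the whole request chain back out of a mixed log. Entity names, actors and IDs below are constructed.

```python
import json


def audit_entry(entity: str, entity_id: str, before: dict, after: dict,
                actor: str, correlation_id: str, ts_iso: str) -> dict:
    """Build one entity-level audit record with a field-level before/after diff.

    A field missing on one side is recorded as None, so creates and deletes
    produce a diff as well; unchanged fields are left out to keep records small.
    """
    changes = {}
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old != new:
            changes[field] = {"before": old, "after": new}
    return {
        "entity": entity,
        "entity_id": entity_id,
        "actor": actor,
        "correlation_id": correlation_id,
        "timestamp": ts_iso,
        "changes": changes,
    }


def to_siem_line(entry: dict) -> str:
    """One compact JSON object per line: the shape most SIEM collectors ingest as-is."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def request_chain(log: list, correlation_id: str) -> list:
    """Follow one correlation ID through a mixed log, oldest entry first."""
    return sorted((e for e in log if e.get("correlation_id") == correlation_id),
                  key=lambda e: e["timestamp"])


if __name__ == "__main__":
    # Constructed sample: one request touches a project and then its budget line.
    log = [
        audit_entry("budget_line", "B-9", {"amount": 50}, {"amount": 70},
                    "alice", "req-7", "2024-01-01T10:00:02+00:00"),
        audit_entry("project", "P-3", {"name": "Bridge A", "status": "draft"},
                    {"name": "Bridge A", "status": "active"},
                    "bob", "req-8", "2024-01-01T10:00:01+00:00"),
        audit_entry("project", "P-1", {"name": "Bridge A", "budget": 100},
                    {"name": "Bridge A", "budget": 120},
                    "alice", "req-7", "2024-01-01T10:00:00+00:00"),
    ]
    for e in request_chain(log, "req-7"):
        print(to_siem_line(e))
```

Storing only changed fields keeps the diff readable while the actor, timestamp and correlation ID on every record are what let a SIEM query reconstruct who changed what, in which request, and in what order.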

For IT and security teams

Technical deep dive? Talk to us directly.

We walk you through the request flow, give you a look at the audit log, and discuss your IdP integration. No marketing slides — just real answers.