// Greenfield build with HIPAA-ready data isolation. Single team, six months, no rewrite needed at scale.
Problem
A clinical-operations team with a strong domain hypothesis and no platform. They had ten signed design-partner letters of intent, a six-month runway commitment from the board, and a regulatory environment that did not tolerate the usual 0→1 corner-cutting. HIPAA is not a thing you bolt on at series A.
The hard constraint was tenancy. Patient data could not be commingled across customers in a way that would survive an audit. The hard non-constraint was scale — at ten customers, "performant at 10× current load" was not the bar. The bar was: ship something a hospital's security team can sign off on, and don't paint yourself into a corner that requires a rewrite when the eleventh customer signs.
Approach
We made one architectural decision early and stayed inside it: shared-database, per-tenant schema, with a clear migration path to pooled-isolated for any future enterprise customer. The tenancy boundary lived at the schema level, not in a tenant_id column. Every query was scoped by the schema search path, set once per request from the authenticated context. This made cross-tenant queries a structural impossibility rather than a code-review concern.
Everything else was deliberately boring. Postgres on managed GCP Cloud SQL. Next.js for the application surface. TypeScript end-to-end, with the database schema as the source of truth for types. Authentication and authorization through a single identity provider, audit logs as a first-class table from day one. No queue infrastructure: the access pattern didn't need it yet, and adding it later was cheaper than maintaining it for nothing.
Decisions & trade-offs
- Per-tenant schema over shared schema. Slower migrations (N-times the work), but the tenancy boundary is structural. For a compliance-first product, this is the right side of the trade-off.
- No microservices. A single, well-factored monolith for the first ten customers. We agreed an explicit threshold at which extraction would begin — and it wasn't a number anyone expected to hit inside the first eighteen months.
- Audit logs as a feature, not a side effect. Built into the data model from day one. Adding them retroactively in a regulated environment is a six-month project; building them in at the start is a six-day one.
- Skipped the design system. Used a small set of primitives and the dot-grid drafting language from the brand sheet. Visual polish came later, once the product surface had stopped moving.
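The two mechanisms above that carry the compliance weight are the per-request schema search path (Approach) and the audit log written alongside the data it describes (Decisions & trade-offs). The following is an added TypeScript example, not code from the project described here, showing one way to implement both in a single transaction wrapper. It assumes a node-postgres-style client (reduced here to a minimal `Queryable` interface) and assumes each tenant schema is named `tenant_<id>` and contains its own `patients` and `audit_log` tables; the `RecordingClient` is an in-memory stand-in so the scoping can be checked without a database.

```typescript
// Added example (not the project's code): per-request tenant scoping via the
// Postgres search_path, with an audit row written in the same transaction.

// Minimal shape of a pg-style client; a pooled client from node-postgres
// satisfies it. This interface is an assumption of the example.
interface Queryable {
  query(sql: string, params?: unknown[]): Promise<{ rows: Record<string, unknown>[] }>;
}

// The tenant id comes from the verified identity token, never from the
// request body or query string.
interface AuthContext {
  userId: string;
  tenantId: string;
}

// Schema names are derived from the tenant id and must match this allow-list.
// search_path cannot take a bind parameter, so the identifier is interpolated;
// the regex is what makes that interpolation safe.
const TENANT_ID_RE = /^[a-z0-9_]{1,40}$/;

function tenantSchema(tenantId: string): string {
  if (!TENANT_ID_RE.test(tenantId)) {
    throw new Error(`invalid tenant id: ${tenantId}`);
  }
  return `tenant_${tenantId}`;
}

// Quote a Postgres identifier (double quotes, embedded quotes doubled).
function quoteIdent(name: string): string {
  return `"${name.replace(/"/g, '""')}"`;
}

// Every handler issues its queries through this wrapper and nothing else.
async function withTenant<T>(
  client: Queryable,
  ctx: AuthContext,
  action: string,
  work: (tx: Queryable) => Promise<T>,
): Promise<T> {
  const schema = tenantSchema(ctx.tenantId);
  await client.query('BEGIN');
  try {
    // SET LOCAL is transaction-scoped, so the path cannot leak to the next
    // request that reuses this pooled connection. Only the tenant schema is
    // on the path: "public" is excluded so unqualified names cannot fall
    // through to a shared table.
    await client.query(`SET LOCAL search_path TO ${quoteIdent(schema)}`);
    const result = await work(client);
    // The audit row resolves to <tenant schema>.audit_log and commits
    // atomically with the work it describes; a failed request leaves no row.
    await client.query(
      'INSERT INTO audit_log (actor_id, tenant_id, action, occurred_at) VALUES ($1, $2, $3, now())',
      [ctx.userId, ctx.tenantId, action],
    );
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// In-memory stand-in (constructed for this example) that records every
// statement and parameter list instead of talking to a database.
class RecordingClient implements Queryable {
  readonly statements: string[] = [];
  readonly params: unknown[][] = [];
  async query(sql: string, params: unknown[] = []): Promise<{ rows: Record<string, unknown>[] }> {
    this.statements.push(sql);
    this.params.push(params);
    return { rows: [] };
  }
}

// Example handler: the query is unqualified, so it can only ever resolve
// inside the schema the wrapper set.
async function listPatients(client: Queryable, ctx: AuthContext) {
  return withTenant(client, ctx, 'patients.list', (tx) =>
    tx.query('SELECT id, mrn FROM patients ORDER BY id'),
  );
}
```

The design choice worth noting is that `SET LOCAL` rather than `SET` is what makes pooled connections safe: a session-level `SET search_path` would survive the transaction and apply to whichever tenant's request picks up the connection next.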
Outcome
All ten design partners onboarded inside the six-month window. The security questionnaire that has killed previous vendors at this stage passed without follow-up requests on two of the engagements. The team that picked the platform up from us has shipped four product surfaces since, against the same data model, with no schema rewrite. The architecture decision register from the project is the document we hand future clients as an example of what "boring infra under a novel product" looks like in practice.