Compendium

Walkthrough: Launch a Multi-Tenant B2B SaaS Platform (Architecture, Compliance, GTM)

18 min read

Walkthrough: Launch a Multi-Tenant B2B SaaS Platform (Architecture, Compliance, GTM)

This walkthrough designs a greenfield multi-tenant B2B SaaS platform end-to-end: target customer is mid-market enterprise (500-5,000 employees), product is a vertical workflow application with AI assistance, pricing 50K-500K annual contract values (ACV). Architecture covers the front-end, API tier, data layer, AI/ML layer, identity, billing, observability, CI/CD, security perimeter, and the compliance pathway through SOC 2, GDPR, HIPAA, and (optional) ISO 27001 + FedRAMP Moderate. Launch CAPEX $200-400K (mostly engineering hours capitalized + initial vendor commits); first-year OPEX scales with ARR growth curve.

Reference launches and architectural patterns: Notion, Linear, Vercel, Retool, Ramp, Mercury, Brex, Snowflake, Databricks, Figma, Cribl, Sigma Computing, Vanta, Drata, Modal Labs. Public engineering writeups: Notion’s PostgreSQL sharding (2023), Figma’s multiplayer architecture (2019, 2024), Linear’s sync engine, Vercel’s edge runtime, Stripe’s reliability engineering, Cloudflare Workers + Durable Objects model.

1. Product and platform spec

ParameterTargetNotes
Tenancy modelPool with per-tenant isolation tiersShared DB / pool-namespace / silo by plan
Target tenants Year 180-200 paying tenants$4-12M ARR target Year 1 exit
Users per tenant25-2,500Power-law, 80% under 200
RegionsUS-East-1 (primary), EU-West-1 (Year 1), AP-Southeast-1 (Year 2)Customer-data-residency requirement
Availability SLA99.9% uptime (43.8 min/month downtime budget)99.95% target for Enterprise tier
RTO / RPORTO 4 hr / RPO 15 minMulti-AZ; cross-region DR Year 2
Latency targetp50 <150 ms, p95 <500 ms server-sideLCP <2.5s, INP <200ms client
ComplianceSOC 2 Type II in Year 1, GDPR ready Day 1, HIPAA Year 2ISO 27001 + FedRAMP Year 3 optional
AuthSAML, OIDC, SCIM provisioning, MFA enforcedPlus social/email for SMB self-serve
APIREST + Webhooks; GraphQL for internal; OpenAPI 3.1 specPublic + private surface
AI capabilityEmbedded LLM features (search, drafting, summarization, agents)RAG over tenant data + tool-use
Launch CAPEX$200-400KEngineers + vendor initial commits

2. Tenancy and isolation model

Three tiers of tenant isolation, allocated by plan + risk:

  1. Pool tier (default) — shared DB cluster, tenant_id discriminator on every row, row-level security (Postgres RLS) enforced. Cheapest; 90-95% of tenants. Cross-tenant leakage prevented by RLS policies tested in CI with adversarial test suite. See sql-nosql-design.
  2. Namespace tier — dedicated schema per tenant in shared cluster; same compute pool but separate logical DB. Used for Enterprise tier + customers with custom retention requirements.
  3. Silo tier — fully dedicated AWS account or Kubernetes namespace, optionally separate VPC. Reserved for HIPAA/regulated workloads + top-100-ACV accounts. Provisioned via Terraform module from tenant-silo.

All tiers use the same application image — isolation lives at infrastructure, not code. Tenant routing happens at the edge (Cloudflare Worker or AWS Lambda@Edge) based on host header and JWT claims.

References: AWS SaaS Lens (Tod Golding’s “SaaS Architecture Fundamentals” 2020-2024), the canonical Pool/Silo/Bridge model.

3. Frontend tier

3.1 Web app

  • Framework: Next.js 15 (App Router, React 19) deployed on Vercel (Pro plan, ~$2,400/mo for the team + bandwidth) or Cloudflare Pages.
  • Why Next.js: SSR + RSC + Server Actions cover the marketing site, app shell, and most app routes; co-located code is easier to staff than a Next-marketing + Vite-app split.
  • Why Vercel over self-hosted: 20K/mo. Vercel KV (Upstash Redis under the hood) + Edge Config for feature flags + Edge Middleware for auth-gate.
  • Component library: shadcn/ui + Radix UI primitives, Tailwind CSS 4. No Material UI / Chakra (theming + bundle size).
  • State: React Query (TanStack Query 5) for server state; Zustand for client; URL state via Next router and nuqs. No Redux.
  • Realtime: Liveblocks ($500-2,000/mo) or Pusher Channels for presence + cursors; Server-Sent Events for one-way streams (LLM tokens). WebSockets only where required.

3.2 Marketing site

Separate sub-app — Astro 5 + MDX for content, deployed on Cloudflare Pages. The marketing site and the app share only the design tokens + Tailwind config, not React components. Marketing emails via Resend (~$20-200/mo) with React Email templates.

3.3 Mobile

Mobile shell via React Native + Expo (EAS Build 20M.

4. API tier

4.1 Service runtime

  • Primary language: Go 1.23+ for the API services. Rationale: low memory footprint per replica (60-120 MB vs 300-600 MB for equivalent Node), trivial concurrency primitives, strong typing, fast cold-start. See concurrency-primitives.
  • Framework: stdlib net/http + chi router; no Gin/Fiber (avoid framework lock-in).
  • Schema-first: OpenAPI 3.1 spec is source of truth; generates Go server stubs (via oapi-codegen) and TypeScript client (via openapi-typescript-codegen). PR-blocking spec lint via Spectral.
  • GraphQL (internal only): for the dashboard’s complex aggregation queries. gqlgen on Go side, Apollo Client + codegen on TS side. Public API stays REST + Webhooks — easier for customer integration teams.

4.2 Cluster

  • Kubernetes on AWS EKS (managed control plane $73/mo per cluster + node costs). EKS Auto Mode (GA Dec 2024) eliminates 90% of node-group management; cluster-autoscaler + Karpenter for spot node pools.
  • Node selection: c7g.large/xlarge Graviton instances (ARM64) for the API tier — ~20% cheaper per vCPU than x86, ~40% better perf/W. m7i for any x86-only dependencies (ML inference with non-ARM CUDA paths in tooling). See realtime-embedded (ARM Cortex-A context).
  • Service mesh: Linkerd (lighter than Istio; mTLS by default, automatic retries, no Envoy sidecar cold-start tax). Avoid Istio at Year 1 — too much complexity per engineer. See containers-service-mesh.
  • Why EKS over GKE / Fly.io / Render: most enterprise customers’ compliance teams have audited AWS; GCP audit packet is harder to procure. ECS/Fargate-only was considered (simpler ops, no nodes) but rejected for service-mesh + per-pod GPU + custom scheduling needs.

4.3 Service decomposition

Resist microservice fragmentation. Year 1 service count target: 6-10 services, not 50.

ServiceResponsibilityLanguage
gatewayTLS termination, JWT validation, rate limit, request routingGo
api-corePrimary CRUD + business logicGo
api-billingStripe webhook handling, invoice gen, usage meteringGo
api-aiLLM proxy, prompt assembly, RAG retrieval, tool-call dispatchPython/FastAPI (LangChain/LangGraph ecosystem)
api-searchElasticsearch/OpenSearch query layerGo
workersAsync background jobs (export, email, webhook delivery, ETL)Go
realtimeWebSocket fan-out, presenceGo (centrifugo or hand-rolled)
webNext.js SSR (on Vercel, not in EKS)TypeScript

See microservices-patterns for the decomposition reasoning.

5. Data layer

5.1 OLTP primary database

  • PostgreSQL 16 on AWS Aurora PostgreSQL — managed, ~30% cheaper than DIY RDS, native read-replica scaling, zero-downtime patching, point-in-time restore.
  • Cluster: 1 writer + 2 readers, r7g.2xlarge (8 vCPU, 64 GB RAM) Year 1. Scale to db.r7g.8xlarge or sharded with Citus by ~$10M ARR.
  • pgvector extension for embeddings (HNSW indexes, m=16, ef_construction=64 baseline). See rag-embeddings-vector-search.
  • RLS policies on every tenant-scoped table; CI test asserts no query bypasses RLS without explicit bypass_rls role.
  • Backup: continuous via Aurora to S3; weekly logical pg_dump archived to glacier; quarterly DR-restore drill.

See database-internals.

5.2 Cache + queue

  • Redis (ElastiCache Serverless) for cache + ephemeral state + rate-limit counters. Serverless tier auto-scales; pay per RPU.
  • SQS (queues) + EventBridge (cross-service events) for async — preferred over Kafka at Year 1 (Kafka adds 2 ops engineers worth of complexity). Move to MSK (managed Kafka) at ~$10M ARR when fan-out + replay matter.
  • S3 for blob storage; lifecycle rules to Glacier after 90 days for tenant exports.

5.3 Analytics + warehouse

  • Snowflake for warehouse (~$20-150K/yr Year 1). Fivetran or Airbyte to land Postgres CDC + Stripe + Salesforce + HubSpot data into raw schemas; dbt Cloud for transforms. See sql-nosql-design.
  • Why Snowflake over Databricks / BigQuery: most B2B SaaS customer-success teams know SQL not Spark; usage-based pricing fits volatile B2B workload better than BigQuery’s slot model at small scale. Revisit at >$50M ARR.
  • Tenant analytics surfaced in-app: pre-aggregated rollups in Postgres (materialized views, refreshed via pg_cron) or ClickHouse Cloud for high-cardinality dashboards.
  • OpenSearch (AWS managed) for product search + log search. ~$800-3,500/mo. Elastic abandoned in 2021-2024 due to license drama; the OpenSearch fork stabilized.
  • Tantivy / Meilisearch / Typesense considered for typeahead — Typesense Cloud easier and ~$50-500/mo.

6. AI/ML layer

6.1 Model strategy

  • Anthropic Claude (Sonnet 4.7, Opus 4.7) as primary frontier model via Anthropic API + AWS Bedrock failover. OpenAI GPT-4.x as secondary (avoid hard lock-in to one provider).
  • Open-source weights (Llama 4, Qwen 3, Mistral Large) self-hosted on Modal or RunPod for cost-sensitive bulk tasks (classification, summarization at >1M req/day where API spend would exceed $50K/mo).
  • Embeddings: OpenAI text-embedding-3-large (3,072 dim) or Voyage AI voyage-3-large; stored in pgvector. See rag-embeddings-vector-search.
  • Speech: Deepgram or AssemblyAI for transcription; ElevenLabs or Cartesia for TTS — only if voice is a feature.

6.2 Application architecture

  • Prompt assembly in api-ai service: system prompt + tenant-config-injected context + RAG-retrieved chunks + tool-definitions.
  • Tool-use / agents: tools defined in OpenAPI, executed in api-core with full tenant-RBAC enforcement; LLM call returns a tool-call, api-ai dispatches to internal endpoints, observes result, recursive call.
  • Retrieval pipeline: ingest chunk (semantic chunking, 500-1500 tokens with overlap) embed upsert to pgvector. Query-time: hybrid BM25 + vector with reciprocal-rank fusion, then rerank with Cohere Rerank 3 or Voyage rerank-2 (top 50 → top 10).
  • Evaluation: Braintrust, Langfuse, or self-hosted Phoenix (Arize) for trace + eval datasets. Manual + LLM-judge eval per release on a frozen 200-prompt golden set. See prompt-engineering-agent-systems.

6.3 Safety + cost

  • Prompt-injection defense: structured tool-input parsing, no untrusted-data execution paths, output filtering for secret-token shapes.
  • Cost guardrails: per-tenant LLM spend cap (set in billing engine), Bedrock cross-account guardrail policies, model fallback ladder (Opus → Sonnet → Haiku → cached completion).
  • PII handling: pre-redaction via Microsoft Presidio + custom regex pipeline; tenant-config toggle for “send raw to LLM”.

7. Identity, authentication, authorization

7.1 Auth provider

  • Auth0 (1,500-7,000/mo at scale) OR Clerk (125/mo + per SSO connection) for SAML/OIDC/SCIM.
  • For B2B SaaS targeting mid-market+, WorkOS is the strongest fit: pricing scales linearly with enterprise SSO connections, SCIM is first-class, audit-log export is built in. Auth0 is heavier and harder to leave once embedded.
  • Self-hosted alternatives (Keycloak, Ory Kratos, SuperTokens): rejected for Year 1 — auth bugs are existential, and an in-house team takes 3-6 engineer-months to ramp securely.
  • See auth-authz.

7.2 Session + token model

  • Short-lived JWT access tokens (15 min) signed RS256 with rotating keys (JWKS published at /.well-known/jwks.json).
  • Refresh tokens stored in HTTP-only Secure SameSite=Lax cookies; sliding-expiration 30 days.
  • API keys per tenant for programmatic access; hashed at rest with HMAC-SHA-256, prefix shown in UI for identification (“sk_live_…“).

7.3 Authorization

  • Role-based + attribute-based hybrid via OpenFGA (Auth0’s fork of Google Zanzibar) or Permify. Resource model: tenant → workspace → object → role. Permissions checked at API boundary AND row-level (via Postgres RLS).
  • Tenant admins manage their own RBAC via in-app UI; system admin scopes are immutable in code.

8. Billing and revenue ops

8.1 Billing platform

  • Stripe Billing as billing engine. ~2.9% + 5; invoicing for net-30 + enterprise terms.
  • Subscription management directly in Stripe via the JSON API + Stripe Customer Portal embedded.
  • Metronome ($1.5-5K/mo + take-rate) for usage-based metering if pricing includes per-event consumption (LLM tokens, API calls). Otherwise direct usage records in Stripe.
  • Maxio (Chargify) or Ordway considered for complex CPQ; rejected Year 1 (over-engineered).

8.2 Revenue stack

  • Salesforce + HubSpot (depending on GTM maturity). Most pre-Series-B SaaS run HubSpot ($1,200-15,000/mo); Series-B+ migrate to Salesforce.
  • Outreach / Salesloft for sales engagement; Apollo.io for prospecting.
  • CPQ: Stripe Quote → Stripe Invoice; no Salesforce CPQ Year 1.
  • Revenue recognition: Stripe Revenue Recognition module (ASC 606 compliant out-of-box) feeds NetSuite or QuickBooks. See accounting-foundations.

8.3 Payment risk

  • Radar (Stripe’s fraud engine) for card transactions.
  • Sift or Forter Year 2 if self-serve SMB grows and chargeback rate >0.5%.

9. Observability

9.1 Stack choice — Datadog vs OTel-native

Two paths:

PathCost Year 1ProsCons
Datadog all-in$50-180K/yrFastest setup, integrated APM+RUM+logs+infraLock-in; egress-pricing surprise at scale; agent CPU cost
OTel + Grafana Cloud or self-hosted$20-80K/yrStandards-based (OTLP), portable, cheaper at scaleMore integration work; SRE time

Recommendation Year 1: Datadog (20K/mo. Keep APM on Datadog longer. See observability-stack.

9.2 Instrumentation

  • OpenTelemetry SDK in every service (Go + Python + TS), OTLP exporter routed to Datadog OTel collector. Vendor-neutral instrumentation now de-facto standard; portable.
  • Structured logs: zerolog (Go), structlog (Python), pino (Node); JSON to stdout, scraped by Vector or Datadog agent.
  • Metrics: Prometheus-style histograms; per-tenant labels gated by cardinality budget (no user_id labels — explodes cardinality).
  • RUM (real user monitoring): Datadog RUM or Sentry — for frontend Core Web Vitals + JS error tracking.

9.3 SLOs

  • API gateway p95 latency < 500 ms / 99.5% error-free over 28 days.
  • LLM endpoint p95 < 8 s, error rate < 2%.
  • Background job latency p99 < 60 s for user-facing tasks; < 15 min for daily batch.
  • Burn-rate alerts at 2% and 5% budget consumption per 1 hr and 6 hr windows.

10. CI/CD and developer experience

10.1 Pipeline

  • GitHub Enterprise Cloud ($21/user/mo) for source + actions. Branch protection requires 2 reviews + CI green + signed commits.
  • GitHub Actions for CI: build + lint + unit test + integration test (testcontainers-go, dockertest, ephemeral Postgres) + container build + sign with cosign + push to ECR.
  • ArgoCD on EKS for GitOps deploys: main staging auto, manual approval prod. ApplicationSets for per-tenant silo deploys.
  • Trunk-based development with short-lived feature branches. Atlas (Ariga) or pgroll for online Postgres schema migrations.

10.2 Environments

  • dev — local Docker Compose + ngrok webhook tunneling
  • preview — ephemeral per-PR namespace in staging EKS, with seeded test tenant; teardown after 7 days
  • staging — full-fidelity replica of prod, real auth (separate tenant), sanitized PII-free data refresh nightly
  • prod — multi-AZ, multi-region eventually

10.3 Feature flags

  • LaunchDarkly ($600-3,000/mo) or Statsig (lower price + experimentation built in) or self-hosted Unleash.
  • Every new feature ships behind a flag; gradual rollout 1% → 10% → 50% → 100% with kill-switch.

10.4 Secrets

  • HashiCorp Vault (HCP managed, $0.30-1.50/secret-hr) or AWS Secrets Manager for runtime secrets.
  • Doppler or Infisical for developer-day-1 secret syncing.
  • No secrets in .env files in git; pre-commit hook scans with ggshield or trufflehog.

11. Security perimeter

11.1 Network

  • Cloudflare in front of everything: DNS + DDoS + WAF + Bot Management. ~$200-2,000/mo Pro/Business; Enterprise plan negotiable.
  • AWS WAF as second-line on ALB; CloudFront in some scenarios for static caching.
  • VPC architecture: 3-AZ in us-east-1 + eu-west-1. Private subnets for compute; NAT gateways with regional egress IP allowlists; transit gateway for cross-region. PrivateLink endpoints for AWS services (no NAT data charges).

11.2 Content security

  • CSP header strict — no unsafe-inline, nonce-based script tags via Next middleware.
  • HSTS preload-listed (max-age 1 year + includeSubDomains + preload).
  • CORS locked to app.{tenant}.{rootdomain} patterns; no *.
  • CSP report-uri to Sentry or csp-collector.

11.3 Application

  • OWASP Top 10 baseline; SAST via Semgrep + GitHub Advanced Security; SCA via Dependabot + Snyk or Mend.
  • SBOM generated on every container build via Syft; signed with cosign; pushed to OCI registry.
  • Container scan with Trivy in CI + Amazon ECR scan on push.
  • Secret scanning: GitGuardian for org-wide pre-commit + post-push.

11.4 Pen testing + bounty

  • Annual third-party pen test (HackerOne pentest service, Bishop Fox, NCC Group) ~$30-80K.
  • Public bug bounty (HackerOne or Bugcrowd) ~$30K-150K/yr in bounties at Year 2-3.

12. Compliance pathway

12.1 SOC 2 Type II

  • Vanta or Drata ($15-40K/yr) for evidence collection + control monitoring + auditor liaison.
  • Audit firm: Prescient Assurance, A-LIGN, or Schellman (35-80K Type II).
  • Timeline: Type I in 3-6 months (point-in-time); Type II in 9-12 months (continuous evidence over 6-month observation window).
  • Trust Services Criteria: Security required; Availability + Confidentiality strongly recommended for SaaS; Processing Integrity + Privacy if relevant.

12.2 GDPR

  • DPA (Data Processing Agreement) template ready Day 1, signed with each EU customer.
  • SCCs (Standard Contractual Clauses, EU 2021/914) for transfers; or EU-US Data Privacy Framework (DPF) registration if processing EU PII in US.
  • DSR (Data Subject Rights) tooling: export, delete, rectify endpoints exposed in API + admin UI. Most SaaS use Transcend or DataGrail ($15-50K/yr) for the request-handling workflow.
  • EU data residency: separate eu-west-1 deployment with EU-only customer routing; no replication to US for those tenants.

12.3 HIPAA (Year 2)

  • BAA (Business Associate Agreement) signed with AWS, Stripe, Datadog (Sensitive Data Scanner add-on), Cloudflare Enterprise. Vercel signs BAA on Enterprise tier only.
  • Anthropic + OpenAI: BAA available; per-customer enablement; logs disabled.
  • Encryption-at-rest mandatory (Aurora KMS, S3 SSE-KMS), encryption-in-transit mandatory (TLS 1.2+; HSTS).
  • HIPAA-eligible tenants placed in silo tier (Section 2) with dedicated AWS account + restricted IAM.

12.4 ISO 27001 + FedRAMP (Year 3)

  • ISO 27001 expands SOC 2 evidence base; cert via BSI or Schellman; ~$60-120K external cost.
  • FedRAMP Moderate: $1.5-5M sponsor-led process via a 3PAO (Coalfire, Schellman, Kratos); 18-30 month timeline; only worth it for govt-adjacent verticals.

12.5 Sub-processor disclosure

Public subprocessors.html page listing every sub-processor (AWS, Stripe, Anthropic, OpenAI, Datadog, Vercel, etc.) — required by GDPR Art 28; expected by every Enterprise procurement team. Updated 30 days before any addition.

13. Launch CAPEX + Year-1 OPEX

13.1 Pre-launch CAPEX (engineering hours capitalized + setup)

ItemCost
Engineering team (6 FTE × 8 mo to GA × $14-18K loaded mo)$750,000
Design + frontend (2 FTE × 6 mo × $13-16K)$180,000
Security + compliance bootstrap (consulting + Vanta + first Type I audit)$85,000
Logo / brand / marketing site / launch content$40,000
Initial vendor commits + non-refundable retainers (Snowflake credit, AWS)$60,000
Legal (ToS, DPA, MSA, privacy policy, IP filings)$35,000
Office tooling (Linear, Notion, Figma, GitHub, 1Password) Year 1$24,000
Pre-launch capitalized total~$1,174,000

The “245K. Most SaaS founders quote the lower bound; the fully-loaded number (including burn-equivalent engineering) is materially higher.

13.2 Year-1 OPEX (200 tenants exit)

LineAnnual cost
Infrastructure (AWS EKS, Aurora, ElastiCache, S3, transit)$180,000
Vercel + Cloudflare + edge$48,000
LLM API spend (Anthropic + OpenAI + Voyage)$260,000
Snowflake + Fivetran + dbt Cloud$95,000
Datadog (APM + Logs + RUM)$120,000
Auth0/WorkOS + Stripe (no separate cost line beyond rev-share)$42,000
Vanta + audit firm Type II$58,000
Email/SMS (Resend, Twilio, Postmark transactional)$14,000
SaaS tools (Linear, Notion, Figma, GitHub, 1Password, Slack) for 30 staff$95,000
Security tooling (Snyk, Semgrep Pro, GitGuardian, HackerOne)$48,000
Insurance (cyber + E&O + D&O)$85,000
Legal + accounting + R&D tax credit prep$120,000
Engineering headcount Year 1 (15 FTE blended $230K loaded)$3,450,000
GTM headcount (8 FTE blended $190K loaded)$1,520,000
Operations + finance + people (5 FTE blended $170K)$850,000
Marketing programs + paid acquisition$400,000
Conferences + travel$80,000
Total Year-1 OPEX~$7,465,000

At 1-3M MRR), most B2B SaaS burns $3-5M Year 1 net of revenue.

14. Risk register

  • AWS region outage — multi-AZ helps, multi-region required for 99.95% SLA. us-east-1 has had material outages (Dec 2021, Jun 2023, Dec 2024).
  • Vendor concentration: Vercel + Anthropic + AWS + Stripe — failure of any one impacts product. Pre-negotiated fallback contracts.
  • LLM API rate limits + pricing changes — Anthropic and OpenAI both raised + cut prices in 2024-2025; build a routing layer (LiteLLM, OpenRouter, or in-house) from Day 1.
  • GPU supply — if self-hosting models, H100/H200 capacity is gated by allocation queues; Modal, Together, RunPod, Lambda Labs provide elasticity but with markup.
  • Compliance creep: HIPAA + FedRAMP each adds ~$500K-2M/yr loaded engineering + audit cost. Don’t accept these in MSA term sheets without pricing it.
  • Data residency politics: EU-US DPF could be invalidated again (Schrems III pending CJEU 2026); plan EU silo from Day 1, not retrofit.
  • AI hallucination liability: explicit ToS limitation, customer-side review workflows for any external-facing generated content, internal eval gates on accuracy-critical surfaces.
  • Founder/team key-person: maintain CISO + DPO designated roles even when CEO wears the hat early; both become audit-required at SOC 2 Type II and GDPR scale.

15. GTM and launch sequencing

15.1 Pre-launch (months -6 to 0)

  1. Design partner cohort: 8-15 customers at $0 or 50% discount in exchange for product feedback + case studies. NDA + LOI signed.
  2. Closed beta — feature-flag-gated, invite-only via Stripe Checkout link in waitlist confirmation.
  3. SOC 2 Type I audit started month -3, completed month 0.
  4. Documentation site (Mintlify, Docusaurus, ReadMe) — API reference, getting-started, integration guides, security overview.
  5. Trust Center (Vanta Trust Report, SafeBase, Drata Trust Center) — public surface for security posture.

15.2 Launch (month 0)

  • Product Hunt + Hacker News + LinkedIn coordinated post.
  • Founder podcast / interview circuit (Lenny’s Newsletter, Acquired, 20VC).
  • 3-5 customer case studies published Day 1.
  • Pricing page live with self-serve start (no credit-card-free signups — drives 10× signup volume but tanks conversion + creates abuse vector).

15.3 Post-launch (months 1-12)

  • ICP refinement via cohort analysis (which tenants convert + expand?).
  • Outbound SDR program once $1M ARR.
  • Partner ecosystem: integration directory with HubSpot, Salesforce, Slack, Microsoft Teams, etc.
  • Series A fundraise once metrics support: 35M @ 250M @ 200M @ $13B.

16. Adjacent

Graph View

Backlinks