Why two databases? Isn't one of Supabase or Mongo enough?

Postgres (Supabase) for typed, related data — orgs, users, billing, audit. Mongo for variable-shaped agent outputs and the content corpus. Each plays to its strengths; trying to force one would break the other.

How is multi-tenancy enforced?

Supabase Row-Level Security policies on every typed table; org-scoped collection paths on Mongo. Both checked at the API gateway and the data layer — defence in depth, not single-layer trust.

Will the audit log survive a real legal review?

The schema is designed for it — append-only, per-action, with full input/output capture and tamper-evident timestamps. Tested against GDPR data-subject-access requests in production engagements.

Platforms

BOAI

AI-first backoffice.

The boring-but-vital layer — orgs, personas, assets, leads, billing, audit, deploys. Built so every workflow has a place to live and every output gets logged.

Personas, assets, leads, and billing — unified in one data model
Audit log over every agent action — legal-grade schema from v1
Multi-tenant from day one: one BOAI serves every client account
Supabase + MongoDB as the spine: Postgres for structured, Mongo for flexible

Why

Every agent action produces an output that needs a home — a persona, an asset, a log entry, a billing event. Without the backoffice, those outputs pile up in Slack and spreadsheets and disappear.

How

Supabase + MongoDB data spine: structured data in Postgres, flexible outputs in Mongo
Multi-tenant org model with role-based agent access from day one
Audit log schema designed to survive legal review — every action, every output

Proof

Data stores: Supabase · MongoDB
Tenancy model: multi-tenant from v1
Audit schema: legal-grade

BOAI — multi-tenant backoffice spine

Org × five surfaces, two stores

Hover or tap a node to see details.

FAQ

Why two databases? Isn't one of Supabase or Mongo enough?: Postgres (Supabase) for typed, related data — orgs, users, billing, audit. Mongo for variable-shaped agent outputs and the content corpus. Each plays to its strengths; trying to force one would break the other.
How is multi-tenancy enforced?: Supabase Row-Level Security policies on every typed table; org-scoped collection paths on Mongo. Both checked at the API gateway and the data layer — defence in depth, not single-layer trust.
Will the audit log survive a real legal review?: The schema is designed for it — append-only, per-action, with full input/output capture and tamper-evident timestamps. Tested against GDPR data-subject-access requests in production engagements.

In production

Multi-tenant from v1
Per-org isolation on Supabase RLS + Mongo org-scoping. Adding tenancy later is the most expensive refactor I know of.
Legal-grade audit
Every action logs input + decision + output + metadata. Audit schema survived regulated-client legal review.
Supabase + Mongo spine
Supabase for typed records and auth; Mongo for flexible agent outputs and content. Right tool per layer.

Talk to Mat See pricing

Platforms

AIOS

The agent operating system.

Industries

Financial Services

Compliance-aware automation that survives audit.

Back to Platforms