Overview
Rendum is multi-tenant by design. Every payer rule, contract, member roster, billing run, audit event, and user account is scoped to a single Tenant row in the database. Cross-tenant access is impossible by construction.
Identity
Your tenant name is shown on every page and on customer-facing emails. Your tenant slug is the URL fragment that routes to your SSO callback. The slug is not changeable after initial setup without coordinated infrastructure work — contact support for a slug rename.
Time zone
The default time zone is used for:
- Billing-month boundaries (May 2026 charges = May 1 00:00 to May 31 23:59 in your time zone).
- Audit-trail display (each row shows the actor's local time, derived from your tenant default).
- Scheduled job firing (eligibility ingestion cron, billing-run scheduler).
Changing the time zone mid-month does not re-bucket already-processed events; consult support before changing it once production is live.
Encryption-key custodianship
PHI (member demographics, MBI, diagnosis codes) is encrypted at rest using a tenant-scoped key. Key lifecycle:
- Generated when the tenant is provisioned.
- Stored in Azure Key Vault under the tenant-specific secret name.
- Rotated annually on the tenant anniversary (configurable).
- Never visible in the SPA, never logged, never serialized in API responses.
The "Rotate encryption key now" button kicks off a coordinated re-encryption job. Allow up to 24 hours for the rotation to complete on a tenant with more than 100,000 member records.
Retention windows
- PHI-retention months — default 84 (HIPAA-aligned 7 years). Controls when soft-deleted member records become eligible for hard purge.
- Audit-log retention months — default 84. Audit chain is append-only; hash chain is preserved even after rows age out.
- Billing-decision retention months — default 120. Decisions need to be replayable for the chargeback window plus statute of limitations.
Lowering any window does not retroactively delete data — it only changes the threshold at which the next nightly purge job considers a row eligible.
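How an append-only hash chain can stay verifiable after old rows age out, shown as an added example that is not Rendum's own code. It assumes SHA-256 over the previous row's hash plus a canonical JSON payload, and that the hash of the last purged row is retained as an anchor; the row fields, function names and sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the very first audit row


def row_hash(prev_hash, payload):
    # Hash the previous row's hash together with a canonical JSON payload.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "payload": payload,
                  "hash": row_hash(prev, payload)})


def purge_oldest(chain, count):
    # Drop the `count` oldest rows but keep the last purged hash as the anchor,
    # so the surviving rows still link back to something verifiable.
    anchor = chain[count - 1]["hash"] if count else GENESIS
    return chain[count:], anchor


def verify(rows, anchor=GENESIS):
    # Return the index of the first row that breaks the chain, or -1 if intact.
    prev = anchor
    for i, row in enumerate(rows):
        if row["prev_hash"] != prev or row["hash"] != row_hash(prev, row["payload"]):
            return i
        prev = row["hash"]
    return -1


def build_sample():
    # Constructed tenant-configuration audit events (not real data).
    chain = []
    changes = [("time_zone", "UTC", "America/Chicago"),
               ("phi_retention_months", 84, 96),
               ("org_units_enabled", False, True),
               ("audit_retention_months", 84, 120)]
    for field, old, new in changes:
        append(chain, {"resource": "tenant", "field": field,
                       "previous": old, "new": new})
    return chain


if __name__ == "__main__":
    rows, anchor = purge_oldest(build_sample(), 2)
    print("with anchor:", verify(rows, anchor))
    print("without anchor:", verify(rows))
```

Without the retained anchor the first surviving row cannot be linked to anything, so verification fails at index 0; an edited payload or a row deleted from the middle is reported at the index where the chain first breaks.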
Cohort benchmarks opt-in
Pro tier and above. Lets your tenant compare its NPS / friction / leakage metrics against an anonymised peer cohort. Participation is opt-in only.
Compliance note: opting OUT clears the opt-in boolean but PRESERVES the historical opt-in-at timestamp, so the audit trail can answer "was this tenant ever opted in, and when?" for compliance reviewers.
Read replicas (Enterprise)
Enterprise-tier tenants can configure a Postgres read replica region. Read-heavy endpoints (rosters, audit search, decision replay) route to the replica when configured. The screen surfaces the replica region selector, the replication-lag indicator, and a Force-failover button for incident response.
Org units
A Tenant may be partitioned into Org Units (regions, lines of business) for RBAC. Org Units are configured separately (see Chapter 2); the Tenant Configuration screen exposes only the "Enable Org Units" toggle.
Data residency
Currently all tenant data is stored in US-East. EU residency is on the roadmap; an EU-resident tenant requires manual provisioning today. Contact support before signing a contract that requires EU residency.
Tenant deactivation / offboarding
Not self-service. The offboarding workflow includes a final data export, a customer-signed retention waiver, and a finance reconciliation step. Initiate via the support portal.
Audit footprint
Every change you make on the Tenant Configuration screen writes an audit-trail row tagged RESOURCE: tenant, with the previous and new values diffed.