Product Journal: Building High-Performance Document Collection & Multi-Tenant Security
An inside look at how we engineered our secure SOC2-compliant Document Vault and Mongoose multi-tenant isolation sandbox to guarantee complete data privacy for firms.
Synthara Engineering Team
Author, FinPilot DeskProduct Journal: Building High-Performance Document Collection & Multi-Tenant Security
Welcome to the first edition of the FinPilot Product Journal. As an engineering-first company, we believe in sharing our technical design decisions, architecture patterns, and the hard engineering challenges we solve as we build the modern operating system for Chartered Accountant firms.
In this update, we dive deep into two core systems we recently finalized: 1. Mongoose Multi-Tenant Isolation Sandbox (the foundation of our data privacy model). 2. Our Automated, High-Performance Document Collection Pipeline.
1. Engineering absolute Tenant Isolation in MongoDB
Chartered Accountant firms handle highly sensitive corporate records, including tax ledgers, bank transactions, and payroll files. In a multi-tenant SaaS ecosystem where thousands of firms share a database cluster, data leakage between tenants is the ultimate failure mode.
To prevent this, we built a strict, non-bypassable tenant isolation layer at the database level:
// Example: Strict multi-tenant schema isolation enforced in MongoDB
const BusinessSchema = new Schema({
firmId: {
type: Schema.Types.ObjectId,
ref: "Firm",
required: true,
index: true // Guarantees fast filtered queries
},
// ... other business fields
});Instead of trusting the client application to supply the correct tenant ID, our API routes completely disregard any tenant parameters sent from the frontend. Instead:
1. We intercept every incoming request and validate the user's JWT session via NextAuth.js.
2. We derive the authorized firmId directly from the user's database-backed session.
3. We append this firmId as an immutable parameter in all database queries and update operations.
By shifting tenant enforcement to server-side query filters, we guarantee that no firm can ever access, modify, or even inspect the data of another firm—achieving a bulletproof operational security posture.
2. Solving the Document Collection Bottleneck
The primary bottleneck in compliance filing is document ingestion. Associates waste hours asking clients for files, renaming messy uploads (like IMG_4210.jpg to BankStatement_March.jpg), and categorizing files.
We engineered a structured Document Vault that automates this workflow:
- Dynamic File Request Lists: When a compliance workflow starts, the system creates a list of required documents based on the client's corporate structure (e.g., LLP vs. Private Limited).
- Metadata-Linked Storage: Uploaded documents are stored in secure buckets with strict metadata tags, linking them to specific tax periods, compliance folders, and audit files.
- In-Browser Encrypted Previews: Partners and associates can preview PDFs, spreadsheets, and image receipts instantly inside the FinPilot app without downloading unencrypted files onto their local drives.
By enforcing structure at the point of ingestion, we reduce file categorization overhead by up to 80%, saving hours of administrative work every week.
Next on our Roadmap: The Automated Reconciliation Engine
With security and document pipelines solidly in place, our engineering team is turning its attention to the GSTR-2B vs. GSTR-3B Input Credit Matching Engine. This system will automatically reconcile invoice sheets against government portal downloads, automatically highlighting unmatched rows in red before filing.
Stay tuned for more updates as we push the limits of financial software performance.
— The Synthara Engineering Team