Building a Secure Multi-User CRM SaaS with Supabase & Retool (for UK SMEs)
Source: Dev.to
The real problem with traditional CRMs for SMEs
Many mainstream CRMs are:
- Built around sales pipelines rather than operations
- Difficult for non‑technical teams to use
- Overloaded with features small teams don’t need
- Expensive when scaled across multiple users
As a result, many SMEs continue to operate with spreadsheets despite the risks around data consistency, access control, and scalability.
My goal was to build a workflow‑first CRM that:
- Centralises operational data
- Supports multiple internal users securely
- Remains simple and cost‑effective
Why I chose Supabase & Retool
Supabase (PostgreSQL + Auth + RLS)
Supabase provides a managed PostgreSQL database with built‑in authentication and Row‑Level Security (RLS). This makes it ideal for SaaS systems where data protection must be enforced at the database level, not just in the frontend.
Key reasons for choosing Supabase
- Native PostgreSQL (strong relational modelling)
- Row Level Security for fine‑grained access control
- Simple authentication integration
- Scales well for production systems
Retool (frontend & internal tools)
Retool allowed me to rapidly build:
- Role‑based dashboards
- Internal tools for business users
- User‑friendly interfaces for non‑technical teams
This combination made it possible to move fast without compromising security.
High‑level architecture
Users
↓
Retool (frontend dashboards & workflows)
↓
Supabase (Auth + RLS)
↓
PostgreSQL databaseThe most important design principle was that security rules live in the database, not just in the UI.
Database‑per‑client isolation
Instead of a shared multi‑tenant database, I chose a database‑per‑client model:
- Each client has a separate Supabase project/database
- This significantly reduces cross‑tenant risk
- It simplifies access control and compliance concerns
Within each client database, user access is still strictly controlled using RLS policies tied to authenticated users. This approach is especially suitable for early‑stage SaaS platforms serving SMEs with strong data isolation requirements.
Implementing secure multi‑user access with RLS
One of the most important technical aspects was enforcing user‑scoped access using Row Level Security. Rather than trusting frontend logic, access rules are enforced directly in PostgreSQL.
-- Users can read their own orders
CREATE POLICY "Users can read their own orders"
ON public.orders
FOR SELECT
USING (user_id = auth.uid());This ensures:
- Users can only access their own records
- Even if the frontend is bypassed, data remains protected
- Security remains consistent across all tools and queries
This pattern is critical for any SaaS handling sensitive business data.
Designing a practical CRM schema
The database schema was designed around real operational workflows, not generic CRM concepts. Core entities included:
- Customers
- Orders
- Scheduling / dates
- Users and roles
The focus was on:
- Clear relationships between entities
- Avoiding duplicated data
- Supporting future feature expansion
A relational design made it easier to maintain data integrity and evolve the product over time.
Lessons learned building for real businesses
- Simplicity beats features for SME adoption
- Security must be invisible but reliable
- Business owners care more about clarity than dashboards
- Rapid iteration based on feedback is a competitive advantage
Many decisions were guided by direct conversations with business owners rather than assumptions.
Scalability & future improvements
The system was designed to scale gradually by:
- Adding new workflow modules
- Enhancing reporting and analytics
- Introducing customer‑facing portals
- Automating repetitive operational tasks
Because the core architecture is modular, these improvements can be introduced without redesigning the system.
Final thoughts
Building secure SaaS products for SMEs doesn’t require enterprise complexity — but it does require thoughtful architecture and strong security foundations.
By combining:
- PostgreSQL + RLS (Supabase)
- Rapid frontend tooling (Retool)
- Workflow‑driven product design
it’s possible to deliver production‑grade systems that genuinely improve how small businesses operate. This approach has allowed me to deliver a secure CRM SaaS platform currently being adopted by UK businesses, and the same patterns can be reused across many SME‑focused digital products.