Isolation enforced at the row, not the app
Every tenant's data is fenced by row-level security in the database. A sub-brand cannot see another sub-brand's inventory, orders, or invoices, even if the application has a bug. The boundary lives in the database.
Customer-scoped whitelabel portal
Each downstream brand gets a read-only portal showing only their inventory, their orders, their invoices. Joined to the parent by row-level security, so the parent sees everything and each tenant sees only itself.
Runtime branding per tenant
The portal renders each sub-brand's branding at runtime. One deployment, hundreds of branded experiences. No per-tenant builds, no separate instances to keep patched.
One chassis, every tenant
Onboard a new sub-brand as a record, not a migration. No new database, no new server, no per-tenant copy of the app to maintain. The parent's whole network runs on one chassis.
Per-customer billing and statements
Invoice each sub-brand on its own terms, with statements and payment allocations scoped to that tenant. The parent sees the consolidated roll-up; each brand sees only its own ledger.
Audit that survives the hierarchy
Every action across every tenant lands in the same tamper-evident, hash-chained audit log. Forensic-grade across the whole network, queryable by parent or by tenant.