The Swarm Model: a multi-tenant CRM that combines client data without breaking client trust

Why traditional agency CRMs hit a ceiling at $1M+

Most agency CRMs (HighLevel, Vendasta, DashClicks) treat each sub-account as an island. Client A's data lives in client A's workspace. Client B's data lives in client B's workspace. The agency owner can switch between workspaces, but the patterns inside one client's funnel never inform another's. That works fine when an agency is doing a few clients on autopilot. It breaks down the moment the agency tries to scale past 20-30 retainer clients, or starts running clients with $50k-$500k/month ad spend.

The bottleneck is learning. Every new client onboarding starts from scratch — same survey, same audit, same hypothesis testing — even though the agency has already won (or lost) similar fights ten times before across other clients. The agency owner ends up being the only person with the cross-client memory, and that memory is brittle, vibes-based, and impossible to delegate.

What the Swarm model actually is

The Swarm is Inflowave's optional cross-tenant intelligence layer. When you opt in for a client, anonymised behavioural signals from that client's IG DMs, calls, emails, SMS, Zoom transcripts, and ad performance flow into a shared analytics pool, with strict tenant isolation enforced at the database level. The patterns surface back to your agency dashboard so the next time a similar prospect lands in any client's funnel, your team already knows what closes and what fails.

The signals that get pooled are deliberately abstract — not raw messages, not contact PII, not anything that could de-anonymise a lead. What gets pooled:

• DM-to-call conversion rates per niche, lead source, and ad creative
• Objection patterns (clustered by similarity, not raw text)
• Time-to-response benchmarks segmented by deal size
• Voice-call sentiment trends (positive / hesitant / objection / closed)
• Email open + reply benchmarks per industry, deal stage, and follow-up cadence
• Ad creative performance correlated to actual closed-won revenue (not just CPL)

What does not get pooled: contact names, phone numbers, email addresses, raw DM bodies, ad account IDs, or any field that could re-identify a specific lead or client. The Swarm sees patterns, never identities.

How tenant isolation actually works

Inflowave is built on Supabase Postgres with row-level security (RLS) enabled on every table. Every multi-tenant table has a tenant_id column and a deny-by-default RLS policy — service role can read everything; authenticated users can only read rows where tenant_id matches their session's agency_client_id (resolved from the JWT).

When the Swarm aggregates a signal, the aggregation runs server-side via a SECURITY DEFINER function that:

1. 1Reads raw events from each opted-in tenant
2. 2Strips identifying columns (contact_id, agency_client_id, account_id, etc.)
3. 3Bucketises into anonymised cohorts (industry, deal-size band, time-of-day band)
4. 4Aggregates with k-anonymity ≥ 5 (no insight surfaces unless 5+ tenants contribute)
5. 5Writes back to a shared swarm_insights table that is read-only at the agency tier

The k-anonymity floor means a single client can never be re-identified from a Swarm insight, even by an agency owner who has direct access to that client. Insights only surface once the underlying cohort has at least 5 contributing tenants.

RBAC: who in the agency can see what

Inflowave has full role-based access control across four tiers: agency owner, manager, rep, and VA. Each tier can be scoped to specific clients, specific Instagram accounts, specific pipeline stages, or specific data types (e.g. a VA can see DMs but not financial records).

For Swarm specifically:

• Agency owner: full Swarm dashboard, can opt-in/opt-out clients, can drill into cohort-level patterns
• Manager: cohort-level patterns for their assigned clients only
• Rep: gets AI-suggested next actions powered by the Swarm, but does not see raw cohort data
• VA: zero Swarm access by default (can be granted per-client at owner discretion)

Every Swarm read is audit-logged with the user, timestamp, and queried cohort. The audit log is immutable and exportable for SOC2 and ISO 27001 compliance reviews.

Real example: how a 7-figure agency uses the Swarm

A US-based agency running 47 retainer clients (predominantly online coaches and course creators in the $50k-$500k/year range) uses the Swarm to answer three questions every week:

1. Which DM opener converts best for a new niche?

When onboarding a new client in, say, women’s health coaching, the Swarm shows the agency the DM opener templates that out-performed the cohort average for similar niches. The agency starts the new client at a higher baseline conversion than they would have cold.

2. Which objections kill deals at $5k-$20k AOV?

Across all 47 clients, the Swarm clusters objections that appeared in lost deals at that price band. The agency uses the cluster to script better discovery calls + create dedicated objection-handling content for the next month.

3. Which ad creative drives the highest closed-won ROAS, not just CPL?

Most ad reporting stops at cost-per-lead. The Swarm correlates ad creative across the cohort to actual closed-won revenue (DM-to-call-to-paid attribution baked in). The agency rotates the team's creative testing budget toward formats that the Swarm shows actually convert.

Encryption + key separation

Beyond RLS, Inflowave uses per-client encryption keys for sensitive fields (raw DM bodies, voicemail recordings, lead PII, voice-clone audio). The keys are derived per-tenant via a Google Secret Manager–backed KMS and are never co-located in a single decryptable form on disk. Even a hypothetical full-database breach would yield encrypted blobs the attacker cannot decrypt without the per-tenant keys, which live in a separate trust zone.

The Swarm aggregation pipeline operates on metrics derived from decrypted-in-memory rows; it never persists decrypted data outside the tenant boundary. The encrypted-at-rest guarantee is preserved end-to-end.

When the Swarm is NOT the right fit

The Swarm is opt-in per client and not on by default. It is genuinely useful for agencies running 10+ similar clients in adjacent niches. It is overkill for:

• Solo creators with one Instagram account (just use the regular CRM)
• Agencies under 5 retainer clients (the cohort math does not yet pay off)
• Agencies serving wildly different niches (the patterns do not transfer cleanly)
• Clients under strict NDA or legal-review requirements (default to opt-out for those)

Even with Swarm enabled, every individual client can opt out at signup, and existing clients can withdraw their tenant from the pool at any time. Withdrawal forces a 30-day re-aggregation purge so historical contributions do not linger.

How to enable the Swarm for your agency

1. 1Open Inflowave → Agency settings → Swarm
2. 2Review the Swarm policy doc (covers what data is pooled, what is not, and the legal basis)
3. 3Pick which existing clients to enable (we recommend starting with 5+ clients in adjacent niches)
4. 4For each client, your team confirms or skips the opt-in (you'll send them a one-page disclosure)
5. 5Wait ~7 days for the first cohort insights to populate
6. 6Visit /agency/swarm in your dashboard to see DM, voice, email, and ad cohort metrics