I am building a SaaS application in node.js and want to use MongoDB for a database with the Mongoose ODM. I will need to support multiple customers, between hundreds and thousan
Not an easy answer because a lot depends on your app architecture, usage and query patterns, the distribution among clients (ie: will the usage levels be roughly the same across clients, or could you have 10% of the clients using 90% of the resources), how much you can spend on code vs ops management and a whole host of other issues. Here are some things to consider:
1) having one database will make your ops management easier, require less computing resources, and may allow you to scale out better, but coding the access layer will be more difficult and you really have to architect your security layer well for obvious reasons. You'll also consume less resources on the client/webserver end since there will be many fewer connections.
There are two popular schema options when approaching one monolithic database:
2) the database per client option will give you more ops management headaches and cost more as you will need more more computing resources. On the other hand, your coding costs should be less as the code will be easier to write. It will also allow you to better distribute your resources between heavy and light users. For example, you can move heavy usage clients to more powerful machines and provide sharding on a per customer basis.
3) you could provide a combo of the two options - dedicated databases for high end users (accounts that pay more), and then a shared database with data separated by collection for low-end clients and test/freemium accounts.
Note that if you do go the many database route, you should look into the --smallfiles startup option. This will help you with situations where you have a lot of people setup "test accounts" but who don't do very much with them.
Anyway, hopefully the above gives you food for thought. Do a search on https://groups.google.com/forum/?fromgroups#!searchin/mongodb-user/multitenant as there have been a number of discussions in the Mongo forums on this specific issue.
As for the audit implications, depends what level of auditing compliance you need to adhere to. If you expect fortune 1000 clients, your compliance requirements will be far higher (and way more costly - think $10s to $100s of thousands of dollars), than if your clients are startups who may never have heard of SAS70, etc. The answer also depends on what type of data you are storing - is it user financial data, or is it just user forums? Basically, if there are any concerns about needing to pass security audits for large companies in the future, don't even think of the shared database approach.