Internal · not customer-facing

All-in COGS per customer (incl. SLA, ops, compliance)

AWS eu-west-1 baseline · SLA-driven HA · third-party observability · amortized fixed overhead (SOC2 / pentest / insurance / Vanta) · operational support FTE share. Pure-AWS infra is a small part of true COGS — at low customer count, fixed overhead dominates.
Reading note. "All-in COGS" includes (a) pure AWS infra, (b) third-party SaaS tooling, (c) operational support FTE share, (d) amortized fixed compliance/security overhead. R&D and sales/marketing are not in COGS — those are separate opex categories. The total here is what it costs to run and support one paying customer per month.

Tenant shape

Scale

SLA target 99.9%

SLA target drives Multi-AZ + standby + cross-region replica requirements.

Shared infra

Realistic for paying tenants with SLA: SMB 20-30, Mid 8-15, Enterprise 1-5 (dedicated).
EC2 always doubled — separate AZs for HA. Single-AZ violates 99.9%.

Plan

Customer base (denominator for fixed costs)

Drives the amortization of SOC2 / pentest / insurance / Vanta / DPO. Lower N = each customer carries a bigger share.
SMB / IVIP visibility = light. Mid-market Growth = standard. Enterprise with TAM = heavy.
Pure AWS / mo
€—
infra + storage + egress
Tooling / mo
€—
Datadog, PagerDuty, WAF, Sentry
Ops / mo
€—
eng-FTE share + on-call
Fixed share / mo
€—
SOC2, pentest, insurance, DPO ÷ N
All-in COGS / mo
€—
true cost-to-serve
Plan price / mo
€—
EUR list price
Cost / identity / mo
€—
all-in ÷ identities
Gross margin (incl. SLA reserve)
—%
(price − COGS − SLA reserve) / price

Full COGS breakdown (USD → EUR @ 0.92)

ComponentCalcUSD/moEUR/mo

Scenario comparison (all-in COGS, realistic SLA-driven infra)

Each row picks SLA + RDS class + tenants-per-cluster + ops intensity that match the typical sale shape for that profile. Customer base = 25 active customers (slider drives the fixed-share split, so this column varies if you change it).
Profile Identities Grants Plan / SLA Infra AWS Tooling Ops Fixed All-in Price Margin
How SLA target drives infra (the multiplier you were asking about)

99.5%

  • Single-AZ RDS allowed · single EC2 instance · 7d PITR · best-effort restore
  • Cost floor: ~$40-80/mo shared infra (split across many tenants)
  • Reality: this is what we run on staging today. Not sellable to anyone with a procurement form.

99.9% (SMB / Growth standard)

  • Multi-AZ RDS (×2 cost) · 2× EC2 in separate AZs behind ALB · 30d backup retention · monthly tested restore
  • NAT Gateway per AZ ($35/mo each = $70/mo)
  • WAF on ALB
  • Cost floor: ~$300-500/mo shared infra → ~$15-30/mo per tenant at 15-tenant density

99.95% (Enterprise)

  • Everything above PLUS read-replica · automated failover · CloudWatch synthetics
  • Dedicated cluster typical (1-3 tenants share)
  • Quarterly DR runbook exercise (separate compute cost)

99.99% (regulated / banks)

  • Cross-region warm standby (Frankfurt for Dublin primary) · multi-region S3 replication · sub-minute failover
  • Dedicated cluster, no sharing
  • Real cost: 3-5× pure-AWS line items vs 99.9%
Backup & restore — what we actually pay for
  • RDS automated PITR: 7d included up to 100% of allocated storage. Beyond that: $0.095/GB-mo. At our sizes (<20 GB/tenant), effectively free.
  • S3 pgdump tier (Business / Enterprise): daily logical dumps, compressed ~25%. Retention per CLAUDE.md (30d Standard / 90d mixed IA).
  • Vault snapshot: tiny (~5 MB/tenant compressed), but retention 90d per CLAUDE.md.
  • Tested restore: not pay-once-and-forget. Monthly automated restore-test → ephemeral RDS spinup (~$0.50/run × 30) + storage IOPS during restore + engineer time to verify (~30 min × eng hourly).
  • Cross-region replication (99.99% only): S3 CRR = ~$0.02/GB transfer + 2× storage cost. Adds ~$10-20/mo per tenant.
  • SLA credit reserve: customers expect 10-30% MRR back per hour of downtime past SLA. Industry standard is to reserve ~5% of MRR. Booked as contra-revenue if not used, eaten as cost if invoked.
Third-party SaaS tooling (per-cluster, split across tenants)
  • Datadog APM + Logs: ~$31/host/mo × 2 hosts/cluster + logs $0.10/GB ingest. Per tenant ~$5-15/mo at 15 tenants/cluster.
  • PagerDuty: $21/user × 5 users = $105/mo fixed → split per cluster.
  • Sentry: $26-80/mo team plan, mostly fixed.
  • WAF: $5/mo + $1/M requests + $1/M analyzed.
  • SES: $0.10/1k emails — most tenants <$1/mo.
  • You can drop Datadog and live on CloudWatch alone — saves ~$10/tenant/mo but adds eng time to build dashboards. Not recommended above 99.5% SLA.
Fixed company overhead (the big surprise at low customer count)
  • SOC2 Type II audit: ~€25k/yr (initial €30-40k, then annual surveillance €20k).
  • Annual penetration test: ~€15k for a real one (not a Burp-scan PDF).
  • Cyber insurance: €8-15k/yr for €5M coverage (depends on revenue + SOC2 status).
  • Vanta or Drata: €8-12k/yr for compliance automation.
  • DPO retainer (GDPR Art. 37): €10-15k/yr if outsourced.
  • Legal retainer: ~€8k/yr for DPA reviews, MSA updates, vendor T&C.
  • ISO 27001 surveillance (if pursued): +€15k/yr.
  • Total: ~€80-100k/yr — at 10 customers that's €700-850/mo each. At 100 customers it's €70-85/mo each.
  • This is why startup SaaS gross margin looks bad for the first 24 months: fixed compliance overhead doesn't scale with revenue until you have ~50+ customers.
Operational support — the cost most calculators ignore
  • Light intensity: ~1h eng-support/mo per tenant. Realistic for self-service SMB or IVIP Visibility (read-only, no provisioning ops). At €100/hr loaded cost = €100/mo per tenant.
  • Standard intensity: ~4h/mo per tenant. Mid-market Growth — connector debugging, occasional rule tuning, escalations. = €400/mo per tenant.
  • Heavy intensity: ~12h/mo per tenant. Enterprise with named TAM, regulated industries with audit-prep support. = €1,200/mo per tenant.
  • On-call rotation: 1 eng on rotation × €500/mo standby + ~€200 incident-trigger amortized = baked into the FTE-hour rate.
  • Loaded eng hourly = €100/hr — €70k salary + 40% loading (benefits, equipment, office allocation, training) → €100k/yr ÷ 1000 chargeable hours.
  • This dominates COGS for small accounts. A €5k/mo Starter that needs 8h/mo of support is unprofitable — fire that customer or move to managed service pricing.
What's NOT in this model
  • R&D engineering salaries (separate opex line; not customer-specific).
  • Sales & marketing (CAC, commissions, ads).
  • Founder / G&A salaries.
  • Office, accounting, banking fees.
  • One-time onboarding cost (typically 20-80 eng-hours per customer at go-live, amortized over expected contract lifetime should be added if you're modelling LTV).
AWS pricing constants (eu-west-1, Jan 2026)
EC2 t3.small / t3.medium / t3.large$16.65 / $33.30 / $66.60 per mo
RDS db.t3.small / medium / db.t4g.large$29 / $58 / $85 Single-AZ
RDS Multi-AZ×2 instance cost
RDS storage gp3$0.115/GB-mo
S3 Standard / IA$0.023 / $0.0125 per GB-mo
ALB$22.27/mo + LCU
NAT Gateway$35/mo per AZ + $0.045/GB
WAF on ALB$5/mo + $1/M req
Route 53 hosted zone$0.50/mo
Secrets Manager$0.40/secret/mo
CloudWatch logs$0.57/GB ingest + $0.03/GB-mo store
SES$0.10/1k emails
Data egress$0.09/GB (first 10 TB)