A multi-school platform where every school stands alone.
Tenancy by schoolId. Permission-composed roles. JWT with HTTP-only cookies. Audit logs that distinguish platform context from school context. The boring, important fundamentals — done deliberately.
Every request is scoped by schoolId. No exceptions.
Data is tenant-isolated at the model layer, not just at the UI layer. One school cannot see another's data. The platform operator stays out of school-scoped records unless explicitly invited.
Familiar role names. Custom access. No custom development.
A platform permission catalog is seeded at startup. Your school composes roles from it. Bursars stay bursars — but what your bursar can actually do is configured per school.
- One staff member can hold multiple composed roles
- System roles are protected and clearly separated
- Permission guards fire on every API route, every module
Every action, replayable.
Audit logs distinguish platform-level events from school-level events. Who, what, when, in which school — all recorded. No silent state changes.
- Actor, action, target & school context on every event
- Archived (not deleted) users preserve marks & finance history
- Closed academic years can be locked for compliance
The non-negotiables we won't trade for speed.
Tenancy never leaks
If a request can't resolve a school context, it doesn't run. Cross-tenant joins are physically prevented at the query layer.
Permissions are explicit
Every API route names the permission it requires. No silent escalation. No “admins can do anything by default.”
Data has a lifecycle
Users archive, not delete. Years lock, not vanish. Finance records survive staff turnover and audit season.
Audit precedes feature
If an action mutates school-scoped data, it carries an audit log entry. New module ships with logs from day one.
Credentials never appear in app
SchoolPay API passwords and similar secrets are encrypted at rest, never round-tripped to the UI, never logged.
You own your school's data
Structured exports, clear access policies, and the right to walk away with a copy of your records.
Bring your ICT team. We'll show our work.
Walk through tenancy, permission composition, audit logging, and credential handling with our team — slide-free, just the actual code paths and data models.