What procurement teams ask before buying field SaaS
1. How is data isolated between organizations?
2. What roles and permissions exist?
3. Are audit trails complete and tamper-evident?
4. Where is data stored and encrypted?
5. Can we pass a security review?

Scootee's security architecture

- **28 PostgreSQL tables** with organization_id scoping
- **50+ RLS policies** enforcing tenant isolation at the database level
- **Four roles** — employee, sales_manager, director, admin
- **Supabase Auth** — email/password, OTP, JWT tokens
- **approval_history** — IP address, user agent, timestamps on every decision
- **Zod validation** on all API endpoints

Privacy by design

GPS capture activates only during shift sessions employees explicitly start. Location data is encrypted in transit and at rest. Employees can access their own tracking records. Organizations configure retention policies per enterprise agreement.

See Security & Compliance and [Security page](/security/).