— TECH & DATA —
Built on the same stack Stripe and Notion run on.
A clear, plain-English breakdown of how the platform's built, where your data lives, and how it stays yours.
— THE STACK —
The same tools the big names use.
— Front-end · App layer
The same modern web framework Notion, TikTok's web platform, Loom and Hashnode are built on. TypeScript adds type-safety; Tailwind powers the styling.
— Back-end · Database
PostgreSQL — the engine Apple, Spotify, Reddit and Instagram run on — wrapped by Supabase. Each scaffolding company's data is row-level-isolated at the database itself, not just in the application code.
— Payments · Subscriptions
Stripe is the same payment processor Amazon, Shopify and Apple Pay use — PCI-DSS Level 1, FCA-regulated. We never see your card or bank details. UK Direct Debit is covered by the Direct Debit Guarantee.
— Hosting · Infrastructure
Same hosting layer NASA, Stripe and TikTok use for their web apps. Edge-cached globally, requests served from the closest UK datacentre. Cloudflare in front for DDoS protection.
— Documents · Email
Quotes, invoices, statements, RAMS and handover certificates are generated as real PDFs on the fly, branded per company. Email goes through your own SMTP — no external email-service-provider holds your customer list.
— WHERE YOUR DATA LIVES —
UK / EU only. Encrypted at rest.
Plain English on where each type of data sits, who can see it, and how it's protected.
Where the database lives
Supabase PostgreSQL, hosted in the EU (Ireland) AWS region. UK GDPR and EU GDPR compliant by default. No customer data leaves the EU/UK.
File storage
Logos, RAMS attachments, quote PDFs and compliance docs sit in Supabase Storage in the same region. Encrypted at rest. Access via short-lived signed URLs only.
Backups & disaster recovery
Automatic daily backups by Supabase. Point-in-time recovery up to 7 days. We can restore your tenant's data to any minute in the last week.
Authentication & passwords
Auth tokens are hashed and stored in Supabase. Passwords are bcrypt-hashed — the same algorithm Reddit uses. Nobody, including us, can see a user's password.
Payment data
Card and bank details never touch our servers. They go directly from your customer's browser to Stripe (PCI-DSS Level 1, ISO 27001). We only ever see the last 4 digits.
Email content
Quote / invoice / statement emails go via your own configured SMTP relay (Microsoft 365 or Gmail business). The email body is not stored on a third-party platform.
— OUR PROMISES —
The non-negotiables.
- ✓ HTTPS / TLS on every page and every API call — browsers reject anything else.
- ✓ No Facebook pixel, no third-party ad-network tracking, no analytics that profile your users.
- ✓ No data shared with any external party for marketing or training.
- ✓ Cancellation = full data export available; deletion within 30 days of request.
- ✓ Multi-tenant isolation enforced at the database, not just the application — even an application bug cannot leak data between scaffolding companies.
- ✓ All staff documents (CSCS / CISRS / passport scans) accessible only via short-lived signed URLs that expire after a few minutes.
— THE ONE-LINER —
“A custom-built platform on the same tech stack Stripe and Notion use — Next.js on the front, PostgreSQL via Supabase on the back, Stripe for billing, all hosted on Vercel's UK / EU edge. Each customer's data is row-level isolated, encrypted at rest, GDPR-compliant. Cards and bank details never touch our servers — they go straight to Stripe.”
Use this verbatim if someone asks at a trade show.
Need anything not on this page?
Compliance-officer questionnaires, ISO documentation, an NDA — drop us a line.