— TECH & DATA —
Built on the same stack Stripe and Notion run on.
A clear, plain-English breakdown of how the platform's built, where your data lives, and how it stays yours.
— THE STACK —
The same tools the big names use.
— Front-end · App layer
The same modern web framework Notion, TikTok's web platform, Loom and Hashnode are built on. TypeScript adds type-safety; Tailwind powers the styling.
— Back-end · Database
PostgreSQL — the engine Apple, Spotify, Reddit and Instagram run on — wrapped by Supabase. Each scaffolding company's data is row-level-isolated at the database itself, not just in the application code.
— Payments · Subscriptions
Stripe is the same payment processor Amazon, Shopify and Apple Pay use — PCI-DSS Level 1, FCA-regulated. We never see your card or bank details. UK Direct Debit is covered by the Direct Debit Guarantee.
— Hosting · Infrastructure
Same hosting layer NASA, Stripe and TikTok use for their web apps. Edge-cached globally, requests served from the closest UK datacentre. Cloudflare in front for DDoS protection.
— Documents · Email
Quotes, invoices, statements, RAMS and handover certificates are generated as real PDFs on the fly, branded per company. Email goes through your own SMTP — no external email-service-provider holds your customer list.
— WHERE YOUR DATA LIVES —
UK / EU only. Encrypted at rest.
Plain English on where each type of data sits, who can see it, and how it's protected.
Where the database lives
Supabase PostgreSQL, hosted in the EU — AWS Frankfurt region (eu-central-1). UK GDPR and EU GDPR compliant by default. No customer data leaves the EU/UK.
File storage
Logos, RAMS attachments, quote PDFs and compliance docs sit in Supabase Storage in the same region. Encrypted at rest. Access via short-lived signed URLs only.
Backups & disaster recovery
Automatic daily backups by Supabase. Point-in-time recovery up to 7 days. We can restore your tenant's data to any minute in the last week.
Authentication & passwords
Auth tokens are hashed and stored in Supabase. Passwords are bcrypt-hashed — the same algorithm Reddit uses. Nobody, including us, can see a user's password.
Payment data
Card and bank details never touch our servers. They go directly from your customer's browser to Stripe (PCI-DSS Level 1, ISO 27001). We only ever see the last 4 digits.
Email content
Quote / invoice / statement emails go via your own configured SMTP relay (Microsoft 365 or Gmail business). The email body is not stored on a third-party platform.
— OUR PROMISES —
The non-negotiables.
- ✓ HTTPS / TLS on every page and every API call — browsers reject anything else.
- ✓ No Facebook pixel, no third-party ad-network tracking, no analytics that profile your users.
- ✓ No data shared with any external party for marketing or training.
- ✓ Cancellation = full data export available; deletion within 30 days of request.
- ✓ Multi-tenant isolation enforced at the database, not just the application — even an application bug cannot leak data between scaffolding companies.
- ✓ All staff documents (CSCS / CISRS / passport scans) accessible only via short-lived signed URLs that expire after a few minutes.
— THE ONE-LINER —
“A custom-built platform on the same tech stack Stripe and Notion use — Next.js on the front, PostgreSQL via Supabase on the back, Stripe for billing, all hosted on Vercel's UK / EU edge. Each customer's data is row-level isolated, encrypted at rest, GDPR-compliant. Cards and bank details never touch our servers — they go straight to Stripe.”
Use this verbatim if someone asks at a trade show.
Need anything not on this page?
Compliance questionnaires, supplier due-diligence forms, an NDA — drop us a line.