01 Overview
Organisation workspaces are multi-tenant by design. Every membership, document, assessment, attempt, report, and audit event is scoped to a single organisation. Platform admins provision workspaces; learners and teachers join by invite (or, as SSO lands, via your identity provider).
- Strict organisation-scoped tenancy on reads and writes
- Role-based permissions for admins, teachers, staff, and learners
- Seat and license controls with hard or soft enforcement
- Searchable audit logs for sensitive actions
- Encrypted transport (TLS) and encrypted secrets at rest
02 Tenancy & access control
Org APIs and dashboards resolve membership on every request. URL tampering cannot cross organisation boundaries. Teachers are further scoped to groups they manage for mutations such as group membership and many reporting views. Org admins can use a time-boxed "view as" mode to diagnose learner experience — writes are blocked while impersonating, and start/end events are audited.
Password authentication uses modern hashing; sessions are JWT-based. Organisation SSO (SAML/OIDC) and SCIM provisioning are on the institutional roadmap for directory-driven onboarding.
03 Audit & accountability
Sensitive organisation actions write to an organisation audit trail — invites, role changes, seat-policy bypasses, document uploads, assessment publishes, report exports, and view-as sessions. Admins and teachers can filter and review events in-product. Report exports are themselves audited.
04 Data protection
Application traffic is served over HTTPS. Organisation documents are stored in Azure Blob Storage under organisation-prefixed keys. Database access uses Prisma against PostgreSQL (Neon). Payment card data for consumer billing is handled by Stripe as an independent processor; organisation commercial terms today are primarily negotiated/manual, with Stripe org billing on the roadmap.
See our Privacy Policy for controller details, retention, and individual rights. Data processing agreements for organisation customers are available on request.
05 Education & regulatory alignment
Schools and universities typically evaluate us against GDPR (EEA/UK), FERPA-oriented education record practices (US), and — for younger learners — COPPA considerations. Organisation admins can manage member data requests (export / anonymise), retention windows, and guardian consent from the Privacy workspace tab. Audit logs remain available for export as CSV.
- GDPR: privacy policy, lawful bases, rights contact path, subprocessors disclosure, org DSAR tooling
- FERPA-minded: organisation-owned learning records, role-scoped access, audit of exports
- Minors: age notices in privacy policy; guardian consent capture on memberships for COPPA workflows
06 Operations
The product is deployed on Vercel with scheduled jobs for invite expiry, assessment reminders, report processing, and seat summaries. Rate limits protect invite, acceptance, and generation endpoints. Platform administrators can suspend or reactivate organisations and manage license terms from a separate admin console.
07 Security contact
For security questionnaires, DPAs, or vulnerability reports related to organisation workspaces, contact support@globalcoachai.com with the subject line "Security / compliance". To start a commercial evaluation, request a workspace.