Built status that a buyer can trust.

Six-step capture for an access request. Subject identity, citizenship and immigration, host and site, access scope, supporting documents, review and submit.

• Drafts autosave with optimistic-locking save state.
• Passport plaintext is single-use; the server returns last-4 only.
• Date-range and time-window validation block forward navigation.

Per-case queue with reviewer notes, info requests, conditional approvals, withdrawals, and time-based expirations.

• Self-review derived server-side; reviewer cannot decide their own case.
• Last-active-admin protection on role demotions and deactivations.

Screening runs at submit. Cases with an unresolved match cannot proceed to approval until the match is resolved.

• Approval gate enforced server-side — not optional and not bypassable.
• Lifecycle audits: started, completed, failed, match detected, review required, override recorded.

Reviewer resolves each match with a typed status: false positive, confirmed, escalated to legal, insufficient information, or resolved by policy.

JSON manifest, ZIP package, and rendered PDF summary. PII-scrubbed renderer — manifest carries IDs, status codes, counts, and timestamps only.

Invite, resend invite, cancel pending invite, change role, deactivate, and reactivate users from the admin surface.

• Last active organization admin cannot be demoted or deactivated.
• Compliance manager and below cannot reach the admin surface.

Create, edit, and soft-deactivate hosts and sites from the admin surface. Soft-delete only — no hard delete.

Eight canonical roles: organization admin, compliance manager, compliance staff, site manager, front desk, read-only auditor, support triage, and a global super-admin.

• The global super-admin is provisioned through controlled infrastructure operations only — never grantable from the product UI.
• Access to every admin surface is gated by the organization-admin permission.

Per-tenant MFA policy (required factor, assurance level, freshness, enforce-before-dashboard). No identity provider is hard-coded to bypass.

SHA-256 hash-chained audit log with a per-tenant transaction lock. Updates and deletes blocked by trigger for every role — including elevated service contexts.

Every audit entry passes a strict schema check. Names, emails, phones, passport fields, citizenship text, document filenames, storage paths, IP, and user agents are rejected at parse time and again at runtime.

Row-level security enforced at the database on every Regulated Access table, scoped to the requesting tenant. Cross-tenant queries are designed to return zero rows, with production separate-org validation recorded as launch evidence.

Private, tenant-scoped document storage. Server-side signed URLs only, scoped by tenant path. Filenames and storage paths never leave the server.

SPUSA adapter path tested in controlled synthetic/mocked flows. Production provider calls remain inactive unless activation is enabled for a configured organization.

Policy checks are recorded and shown in review and evidence packs. Enforcement remains tied to screening and match-resolution gate rules.

Scheduled re-screening foundation exists for active approved/conditional requests. Runs link back to prior screening history.

Signed external status, evidence manifest, and future system-to-system request sync for partner/lab systems.

Non-production tool for demoing match resolution without a real provider call. Unavailable in production.