Case 01 · Software we shipped · Membership-driven nonprofit · regulated profession

Enterprise-grade compliance infrastructure — for a 300-member association.

A 300-member professional association — tracking continuing-education, supervision hours, insurance certificates, and regulated client data — needed the same caliber of compliance infrastructure as associations ten times its size. We designed, built, and shipped it: from schema to production, without the six-figure vendor price tag.

Client
A Canadian professional association (name pending release)
  • ~300 members across multiple designation tiers
  • 23 database tables, multi-tenant from day one
  • HIPAA/PIPEDA-equivalent controls, Canadian data residency
  • 16.6k lines of Phase 1 code, deployed to production

01 The situation

The association tracked continuing-education hours, supervision sessions, insurance certificates, and designation transitions across its ~300 members using spreadsheets, email, and a handful of one-off scripts. Auditors asked harder questions each renewal cycle, a small staff couldn’t keep up with the manual verification, and members had no self-service view of where they stood. The commercial association-management suites that ticked the compliance boxes were designed for 5,000-member orgs and priced accordingly — the board refused to take on a six-figure vendor package just to get audit-ready.

02 What we built

We delivered a production compliance platform designed to an enterprise bar — secure by default, audit-ready, multi-tenant from day one — at a budget a 300-member association could justify. Phase 1 went from empty repository to deployed product in a single engagement cycle, and the architecture is already positioned to white-label to peer associations: turning a one-time engagement into a category of compliance infrastructure the sector is missing.

  • TypeScript end-to-end monorepo — Next.js 15 + React 19 on the front, PostgreSQL + Drizzle ORM on the back, pnpm workspaces with strict type boundaries between packages.
  • Multi-tenant from day one — every table scoped by organization, with Postgres row-level security ready for Phase 2 white-label expansion.
  • Append-only audit log with a SHA-256 hash chain for tamper evidence — the kind of trail auditors expect from HIPAA-grade systems, not spreadsheet-era associations.
  • Versioned compliance rules engine — continuing-education and supervision rulesets are cohort-pinned by cycle start date, so members keep the rules that applied when they enrolled even as the association updates the program.
  • Background job processor (BullMQ + Redis) handling certificate renewals, cycle rollovers, and audit notifications — 11 jobs across 4 queues.
  • Single sign-on bridge from the association’s existing public WordPress site via signed JWT — members sign in once, land on the platform already authenticated.
  • S3-compatible evidence vault with per-file SHA-256 hashing and PHI-flag metadata for sensitive uploads; MinIO locally, AWS S3 in production.
  • Canadian data residency on AWS ca-central-1; AES-256 at rest, TLS 1.3 in transit, mandatory 2FA via TOTP or WebAuthn (SMS not supported).
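The tamper-evident audit trail in the list above rests on one idea: each event commits to the hash of the event before it, so editing, deleting or reordering any historical row breaks every hash that follows. The following TypeScript is an added illustration of that technique, not code from the engagement or its repository; the event shape, the `org-demo` tenant id, and the sample events are constructed for the example, and the only library used is Node's built-in `crypto`.

```typescript
import { createHash } from "node:crypto";

// Constructed event shape for the example (not the platform's actual schema).
interface AuditEvent {
  seq: number;                      // position in the log, starts at 0
  orgId: string;                    // tenant scope: every row belongs to one organization
  actor: string;
  action: string;
  payload: Record<string, unknown>;
  at: string;                       // ISO-8601 timestamp
}

interface ChainedEvent extends AuditEvent {
  prevHash: string;                 // hash of the preceding row (GENESIS for the first)
  hash: string;                     // SHA-256 over prevHash + canonical JSON of this event
}

const GENESIS = "0".repeat(64);

// Canonical JSON with sorted keys, so the same event always serializes (and hashes) identically
// regardless of the key order the database driver happens to return.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj).sort().map(k => JSON.stringify(k) + ":" + canonical(obj[k]));
    return "{" + body.join(",") + "}";
  }
  return JSON.stringify(value);
}

function hashEvent(ev: AuditEvent, prevHash: string): string {
  return createHash("sha256").update(prevHash).update("\n").update(canonical(ev)).digest("hex");
}

// Append-only log: the only write operation is append, and each entry binds to its predecessor.
class AuditLog {
  private readonly entries: ChainedEvent[] = [];

  append(ev: Omit<AuditEvent, "seq">): ChainedEvent {
    const last = this.entries[this.entries.length - 1];
    const prevHash = last ? last.hash : GENESIS;
    const event: AuditEvent = { seq: this.entries.length, ...ev };
    const entry: ChainedEvent = { ...event, prevHash, hash: hashEvent(event, prevHash) };
    this.entries.push(entry);
    return entry;
  }

  // Snapshot as plain rows, the form an auditor would receive for independent verification.
  rows(): ChainedEvent[] { return this.entries.map(e => ({ ...e })); }
}

// Re-derive every hash from row content. Returns the index of the first inconsistent row,
// or -1 if the chain is intact. If the caller knows the expected head hash (e.g. from a
// checkpoint stored outside the database), truncation of the tail is reported as rows.length.
function verifyChain(rows: ChainedEvent[], expectedHead?: string): number {
  let prev = GENESIS;
  let i = 0;
  for (const row of rows) {
    const { prevHash, hash, ...event } = row;
    if (event.seq !== i || prevHash !== prev) return i;     // gap, reorder or deletion
    if (hashEvent(event, prevHash) !== hash) return i;      // content edited in place
    prev = hash;
    i++;
  }
  if (expectedHead !== undefined && prev !== expectedHead) return rows.length;
  return -1;
}

// Worked scenario: an intact log, then three kinds of tampering an auditor should be able to spot.
function demo(): { intact: number; edited: number; deleted: number; truncated: number } {
  const log = new AuditLog();
  const base = { orgId: "org-demo", actor: "staff:alice", at: "2025-01-10T15:00:00Z" };
  log.append({ ...base, action: "ce.hours.recorded", payload: { memberId: "m-17", hours: 3 } });
  log.append({ ...base, action: "insurance.cert.uploaded", payload: { memberId: "m-17", fileSha256: "constructed" } });
  log.append({ ...base, action: "supervision.session.logged", payload: { memberId: "m-17", hours: 1 } });

  const intact = log.rows();
  const head = intact[intact.length - 1].hash;

  const edited = log.rows();                                   // row 1 rewritten after the fact
  edited[1].payload = { ...edited[1].payload, fileSha256: "replaced" };
  const deleted = log.rows().filter((_, idx) => idx !== 1);   // row 1 removed, later rows shift
  const truncated = log.rows().slice(0, 2);                    // newest row dropped

  return {
    intact: verifyChain(intact, head),
    edited: verifyChain(edited, head),
    deleted: verifyChain(deleted, head),
    truncated: verifyChain(truncated, head),
  };
}
```

The chain alone cannot reveal that the newest rows were deleted, because a shortened log is still internally consistent; that is why `verifyChain` accepts an expected head hash, which in practice would be checkpointed somewhere the database writer cannot reach (a signed nightly export, or a hash handed to the auditor). The SQL side of the same design is a table with `INSERT` granted and `UPDATE`/`DELETE` revoked from the application role, so the hash chain catches tampering that bypasses the application rather than being the only line of defence.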

03 Outcomes

  • Phase 1 platform shipped in production on a hardened VM behind Cloudflare Tunnel, with automated deploys from CI.
  • Audit-ready from day one — every compliance-relevant write emits a tamper-evident audit event that staff and auditors can reconstruct.
  • Staff time reclaimed from manual spreadsheet reconciliation, redirected to member service and program quality.
  • Architected for Phase 2 expansion to peer associations without rework — multi-tenant boundaries and role model are in place.
  • 35 compliance-rule unit tests across two rulesets
  • 11 background jobs automating what was manual
  • 4 compliance modules live in Phase 1

04 Engagement shape

We designed the platform, built it, and shipped Phase 1. We remain engaged for data seeding, third-party penetration testing, WCAG 2.1 AA accessibility audit, and the Phase 2 multi-tenant rollout.

Let’s talk about what’s actually slowing your organization down.

A 30-minute strategy call. No pitch, no pressure, no PowerPoint. You leave with one specific next step — whether you engage us or not.
