React + Supabase Developer — Multi-Tenant Security Patrol Report Web App (GDPR, RLS, MVP)

Posted 3 weeks ago

Worldwide

Summary

We are LiL Service GmbH, a certified German security and patrol services company (§34a GewO, ISO 9001:2015, DIN 77200-1) operating across multiple federal states in Germany. We need an experienced React + Supabase developer to build a production-ready, GDPR-compliant web application that digitalizes our guard patrol reporting workflow.

Every shift, our guards currently fill out paper reports by hand, photograph them, and send them via WhatsApp to our office — which then manually transcribes and emails them to clients. This costs us 10+ hours/week in admin work and introduces delays and errors. We want to replace this with a clean, mobile-first web app.

A working prototype already exists. You can preview it here: https://claude.ai/public/artifacts/df8ca614-0d72-4e83-9ffd-b737d8d49978
Login code: Admin

This prototype (~2,100 lines of React) demonstrates the full UI and workflow. Your job is to connect it to a real backend (Supabase), add proper authentication, enforce Row Level Security at the database level, and deliver a production-ready application.

The Core Workflow

  • Guard logs in → selects their assigned site → creates a patrol report using one-tap templates
  • Guard submits the report → status becomes "submitted"
  • Site Supervisor (Einsatzleiter) reviews → approves or rejects with a mandatory reason
  • If approved → client can immediately see and download the PDF report
  • If rejected → guard receives the rejection reason, edits, and resubmits

Four User Roles

  • Admin — full system access, manages sites, users, and access codes
  • Guard (Mitarbeiter) — creates and submits reports for assigned sites only
  • Site Supervisor (Einsatzleiter) — approves or rejects submitted reports
  • Client (Auftraggeber) — views approved reports only for their assigned sites

The Single Most Critical Requirement

Tenant isolation via Row Level Security (RLS) at the database level. A client from Site A must NEVER be able to access data from Site B — under any circumstance.
This must be enforced via Supabase RLS policies, not just frontend logic. We will verify this with a penetration test before Go-Live. Any developer who treats this as a frontend-only concern will not be selected.

What the Prototype Already Does

  • All four user roles with role-based UI
  • Complete report lifecycle: draft → submitted → approved / rejected
  • Multi-tenant site assignment
  • All six entry templates (Dienstbeginn, Kontrollgang Außen, Kontrollgang Innen, Vorbereitung Ende, Dienstende, Vorfall)
  • Emergency call block with 6 service checkboxes
  • Einsatzleiter approval / rejection workflow with mandatory reason modal
  • PDF generation via jsPDF + autoTable (matching our paper template F042)
  • German UI, mobile-first, Tailwind CSS

What You Need to Add

  • Supabase backend (PostgreSQL + Auth + Storage + Realtime)
  • Real authentication with session management, account lockout (5 failed attempts), and 30-minute inactivity timeout
  • Row Level Security at the database level for all tables
  • Multi-device sync (real-time updates across devices)
  • Audit logging (who did what, when)
  • TypeScript migration (prototype is plain .jsx)
  • Integration and RLS policy tests

Tech Stack (Required)

  • Frontend: React 18 + TypeScript, Vite, Tailwind CSS
  • Backend: Supabase (PostgreSQL + Auth + RLS + Realtime)
  • Hosting: EU only — Vercel Frankfurt or Cloudflare Pages (GDPR requirement, non-negotiable)
  • PDF: jsPDF + autoTable OR server-side Puppeteer
  • Email: Postmark (EU) or Brevo

Not acceptable: Firebase, AWS US regions, WordPress, no-code platforms, or any US-hosted service without an EU entity.

Database Schema (Already Designed)

Six core tables: sites, users, user_sites, reports, report_entries, emergency_calls, audit_log. Full schema with RLS policy examples will be provided in the developer briefing document.

GDPR Requirements (Non-negotiable)

  • EU-only hosting for all services (app, database, backups)
  • TLS 1.2+ in transit, AES-256 at rest
  • Signed DPA (Auftragsverarbeitungsvertrag / AVV) required
  • Right to access, rectification, and erasure (Art. 15–17)
  • Cookie consent banner + Datenschutzerklärung
  • Data retention: auto-delete reports after 3 years (configurable)
  • Audit log of all data access

Deliverables

  • Full source code in a private GitHub or GitLab repository (client invited as owner)
  • Production deployment on Vercel + Supabase EU
  • Staging environment with seed data
  • CI/CD pipeline (GitHub Actions)
  • README, ARCHITECTURE, DATABASE, and DEPLOYMENT documentation
  • Admin handbook + user guides (PDF, German)
  • Integration tests covering all four report state transitions
  • RLS policy tests proving tenant isolation
  • Manual UAT test plan

Timeline & Budget

  • Timeline: 3 weeks from contract signing to Go-Live
  • Budget: $500 – $800 (fixed price, MVP)
  • Payment: 30% on signing / 40% on Phase 2 demo / 30% on Go-Live
  • 30-day warranty period included

What We Expect in Your Proposal

  • Fixed-price quote with milestone breakdown
  • Confirmation that you have reviewed the prototype (link above — login: Admin)
  • Brief description of your approach to multi-tenant RLS in Supabase
  • Two references from comparable React + Supabase projects
  • Your LinkedIn or GitHub profile
  • Confirmation that you can host on EU infrastructure and sign a DPA

Important: The same developer who writes the proposal must do the work. We will not accept bait-and-switch arrangements. We expect weekly status calls during development.

To Apply

Please start your proposal with the sentence: "I have reviewed the prototype and understand the RLS requirement." Any proposal that does not include this sentence will not be considered — it confirms you have actually read this brief. We respond to all serious proposals within 1 business day.

LiL Service GmbH
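
The tenant-isolation rule from the brief, sketched as Supabase RLS policies on `reports` together with the kind of check an RLS policy test would run. This is an added example, not part of the posting or of the developer briefing it mentions; the column names, role strings, helper function names and UUIDs are assumptions.

```sql
-- Assumed columns (not given in the posting):
--   users(id uuid matching auth.uid(), role text), user_sites(user_id, site_id),
--   reports(site_id, author_id, status)
alter table public.reports enable row level security;

-- SECURITY DEFINER lets the helpers read users/user_sites even when those
-- tables carry their own RLS; they only ever answer for the calling user.
create function public.my_role() returns text
language sql stable security definer set search_path = '' as
$$ select u.role from public.users u where u.id = auth.uid() $$;

create function public.on_my_site(target uuid) returns boolean
language sql stable security definer set search_path = '' as
$$ select exists (select 1 from public.user_sites us
                  where us.user_id = auth.uid() and us.site_id = target) $$;

-- Read access: every non-admin branch requires a user_sites assignment first.
create policy reports_select on public.reports for select to authenticated
using (
  public.my_role() = 'admin'
  or (public.on_my_site(site_id) and (
       (public.my_role() = 'client'     and status = 'approved')
    or (public.my_role() = 'supervisor' and status <> 'draft')      -- assumption
    or (public.my_role() = 'guard'      and author_id = auth.uid()) -- assumption
  ))
);

-- Guards may only create drafts, as themselves, on an assigned site.
create policy reports_insert_guard on public.reports for insert to authenticated
with check (
  public.my_role() = 'guard' and author_id = auth.uid()
  and status = 'draft' and public.on_my_site(site_id)
);

-- Isolation check. Constructed seed assumption: user ...c1 is a client
-- assigned only to site A, and site B (...b0) has an approved report.
begin;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-0000000000c1","role":"authenticated"}', true);
set local role authenticated;
select count(*) as leaked_rows  -- any non-zero count is a cross-tenant leak
from public.reports
where site_id = '00000000-0000-0000-0000-0000000000b0';
rollback;
```

With RLS enabled and no UPDATE or DELETE policy defined, those operations are denied for `authenticated`; the approve/reject transitions would need their own UPDATE policies, and the other tenant-scoped tables need equivalent policies.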

  • $700.00, Fixed-price
  • Expert (Experience Level)
  • Remote Job
  • One-time project (Project Type)
Skills and Expertise
Mandatory skills
TypeScript
PostgreSQL
React.js
Activity on this job
  • Proposals: 20 to 50
  • Last viewed by client: 3 weeks ago
  • Hires: 1
  • Interviewing: 37
  • Invites sent: 30
  • Unanswered invites: 7
About the client
Member since Aug 3, 2023
  • Germany, Greven (5:15 PM)
  • $2.2K total spent; 5 hires, 3 active
