Safeguards

Roster guardrails should be clear to the people using the platform. The goal is controlled operations, not hidden automation. For the related operating records and handoffs, see Records and Data Model and Data Handoffs.

Product Guardrails

Different views

Admins and field staff see different areas of the product.

Own invitations

A field staff member can only respond to their own shift invitations.

Outbox record

Every invite, nudge, cancellation, and response alert is recorded.

Checked forms

Important fields are checked before changes are saved.

Operational Checks

The operational checks are practical. Local and production data need to stay separate so seed or reset work cannot damage live data. Notification status needs to be visible so operations can tell whether a message was sent, skipped, or failed. Candidate ranking needs to show reasons because operators should not have to trust a black box. Required skills should be explicit because some shifts need a hard gate while most only need a ranking hint. Check-in distance should be treated as operational context, not as automatic proof of performance. Reports need to stay tied to shifts so client reporting remains connected to the work that actually happened.

Role boundary screenshotShows admin-only and staff-only surfaces to show access separation.

Outbox state screenshotShows visible notification intent, provider status, and retry posture.

Data Sensitivity

Roster data can become sensitive quickly. It can include names, email addresses, phone numbers, location signals, availability, work history, report notes, and photos.

The product posture is to capture only what is useful, keep precise location optional where possible, and avoid exposing staff details more broadly than the workflow requires. The current check-in flow captures a single location point when the staffer taps the button and grants browser permission; it is not continuous tracking. Photos should be treated as evidence from a shift, not decoration. Before connecting more external tools, any future cross-border data movement should be documented so D2C knows where personal information is stored, who can access it, and why it is being transferred.