MySentinel for school groups — the pitch
Gate-to-guardian safety, one platform, every campus.
You run more than one school. Every morning, thousands of learners pass through your gates — and behind each one is a guardian who simply wants to know their child arrived safely. MySentinel turns that gate moment into a confirmed, immutable record and a push-first notification, on a single Cloudflare-native platform built for South African schools.
This deck is written to be checked. Where something is live, we say so. Where something is on the roadmap, we mark it Roadmap — because the honesty is part of what you are buying.
The problem
Running safety across many campuses is hard in ways a single-school tool never has to solve.
- The gate is the highest-stakes, lowest-tech moment of the school day. A learner arrives or leaves; today most schools log it on paper, in a WhatsApp group, or not at all. Nobody can answer “who is on-site right now?” with confidence.
- Guardians are anxious and you can’t reassure them at scale. A parent at one campus gets an SMS; at another, nothing. Promises made and not kept erode trust faster than no promise at all.
- POPIA raises the floor. Learner and guardian PII, subject-access requests, retention windows — these are now legal obligations, not nice-to-haves, and they multiply with every campus.
- Every campus is different. Different brand, different parent language mix (English, Afrikaans, isiZulu), different gate layout, different going-home culture. A rigid one-size tool fights the school instead of fitting it.
- You have no shared spine. Onboarding a new campus is a project. Health across sites is invisible. Consistency depends on heroics.
You don’t need a school-management system. You need the gate done right, everywhere, the same way.
The solution — gate to guardian, on one platform
A security officer scans a learner’s NFC badge at the gate on their phone. MySentinel resolves the learner, validates the check-in or check-out, records it immutably, updates a real-time admin dashboard and attendance, and notifies every registered guardian push-first.
```
Badge tap → Resolve learner → Confirm in / out → Immutable record
                                                         │
                        ┌────────────────────────────────┤
                        ▼                                ▼
            Real-time admin dashboard          Guardian notification
            + attendance                   push → email → WhatsApp → SMS
```

One platform carries five roles, each in the right place:
| Role | What they do | Where |
|---|---|---|
| Officer | Scans badges, confirms check in / out, signs visitors in / out | PWA on a phone |
| Admin | Dashboard, learners, classes, attendance, emergency, safety mode, settings | /admin web workspace |
| Class teacher | Class roster, daily roll, pickup approvals — scoped to their classes only | /class-teacher |
| Operator | Cross-campus onboarding + health (platform staff) | /operator console |
| Guardian | Read-only, real-time learner status — no login | Tokenised parent portal /p/[token] |
Built entirely on Cloudflare: Workers, D1, KV, R2, Queues, Durable Objects, Cron and Static Assets. No second cloud to operate, no servers to patch.
The hero moment — the gate
The officer’s screen is deliberately boring to use and impossible to get wrong.

The gate screen says “Scan a learner’s badge”, shows the live status “All scans sent” and the active zone (“Gate: Main gate”), with a manual badge-number fallback for the rare unreadable tag.

The instant the badge resolves, the officer sees the learner’s name and photo (or initials, with a plain safety note: “No photo on file — confirm who you’re releasing another way”). Direction is inferred — In · Arriving / Out · Leaving — with a one-tap override. Releasing is honest about real South African school life: “Check in — arrived on their own” for learners who walk, taxi or come with a sibling, or “Dropped off by a guardian” when a named adult is involved. The line “Recording is immediate. Guardians are notified on their verified contacts” sets the expectation truthfully.

The confirmation is unmistakable: a green “Sent” badge, “CHECKED IN”, “Recorded by server
This whole path — scan, resolve, confirm, immutable record, four-queue guardian fan-out — is shipped and verified live on the local stack.
Why it is credible
Real-time, not refresh. The admin dashboard and the parent portal update live over a Cloudflare Durable Object SSE hub (SchoolStreamHub). A check-in in one tab moves the count in another.
Immutable by construction. Every state change is written to an append-only audit trail, enforced by a database trigger. (It is trigger-enforced, not a hash-chain or WORM store — stated plainly.)
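What trigger-enforced means in practice, as an added example that is not MySentinel's code: Python's built-in `sqlite3` stands in for D1 (which is SQLite-based), and the table, column and trigger names are assumptions. It also shows the limit the deck names: the guarantee lasts only while the triggers exist, so their presence is worth checking.

```python
import sqlite3

# Assumed schema; the names are illustrative, not taken from the product.
SCHEMA = """
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    school_id TEXT NOT NULL,
    actor     TEXT NOT NULL,
    action    TEXT NOT NULL,
    at        TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""
EXPECTED_GUARDS = {"audit_log_no_update", "audit_log_no_delete"}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def append(db, school_id, actor, action):
    """Inserts are the only write the triggers allow."""
    db.execute("INSERT INTO audit_log (school_id, actor, action) VALUES (?, ?, ?)",
               (school_id, actor, action))
    db.commit()

def is_blocked(db, sql, params=()):
    """True if a trigger aborts the statement, leaving the rows untouched."""
    try:
        db.execute(sql, params)
        db.commit()
        return False
    except sqlite3.DatabaseError:
        db.rollback()
        return True

def missing_guards(db):
    """Integrity check: which append-only triggers are absent from the schema."""
    rows = db.execute("SELECT name FROM sqlite_master "
                      "WHERE type = 'trigger' AND tbl_name = 'audit_log'")
    return EXPECTED_GUARDS - {name for (name,) in rows}
```

Running `missing_guards` on a schedule and alerting on a non-empty result covers the gap a hash chain or WORM store would otherwise close.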
Push-first, and honest about channels. Guardians are reached app push → email → WhatsApp → SMS. App push and branded email are live; WhatsApp and SMS show a neutral Preview badge until a school connects a provider, and they silently demote to email rather than pretend to deliver. The logs show a hashed recipient — channel honesty in the plumbing, not just the UI.
Per-campus identity, no UI fork. Each campus carries its own display name, logo, primary colour (deep teal #1f6650) and gold accent (#c8923a), default language and going-home policy — through one design-token system. Every campus is on-brand, in its parents’ language.

Trilingual. The app UI ships in English, Afrikaans and isiZulu — idiomatic translations, not machine pastes.
Tenant isolation is existential-grade. school_id is always taken from the verified JWT, never a browser header. Every query is school-scoped. An officer who opens /admin is bounced; an admin who opens /operator is bounced; sensitive admin actions require a real WebAuthn passkey step-up. All proven live.
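The tenant rule above, as an added sketch rather than MySentinel's code: the tenant is derived only from a verified token and every read is filtered by it. HS256 signing, the `school_id` and `exp` claim names and the `X-School-Id` header are assumptions made for the illustration, and the tokens and rows are constructed.

```python
import base64, hashlib, hmac, json, time

# Assumptions: HS256 tokens, a "school_id" claim, and an "X-School-Id" header
# that a browser could set. None of these names come from the MySentinel code.

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims, key):
    """Build a constructed token for the demo."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verified_claims(token, key, now=None):
    """Claims if alg is HS256, the MAC matches and exp is in the future; else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

def tenant_for_request(headers, key, now=None):
    """school_id comes from the verified token; X-School-Id is never read."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verified_claims(auth[len("Bearer "):], key, now)
    school = claims.get("school_id") if claims else None
    return school if isinstance(school, str) and school else None

def learners_on_site(rows, headers, key, now=None):
    """Every read is filtered by the token-derived tenant, or refused."""
    school = tenant_for_request(headers, key, now)
    if school is None:
        raise PermissionError("no verified tenant")
    return [r["name"] for r in rows if r["school_id"] == school and r["on_site"]]
```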
POPIA built in. Encryption at rest for sensitive PII (per-school AES-GCM photo keys; sealed-plus-hash guardian and visitor contacts), subject-access export, erasure with a mandatory 30-day cool-off, and per-school retention windows.
The guardian side — peace of mind, no app to install

Guardians don’t create accounts. They get a secure, tokenised link to a portal — “Parent portal”, “Hi Thandiwe,”, “Today: 1 at school” — showing each linked learner’s real-time status, e.g. “At school — arrived 09:39”.

From there they view today, attendance and sick notes, manage pickup delegation and per-child notification preferences, and install the app for real push. The footer reads “Powered by MySentinel” and the link expires on a stated date. This is the trust surface that, across many campuses, lets you make one promise to every parent — and keep it.
The admin workspace — answer-first

A campus admin lands on “Today’s school status” with the answer up top — “Nothing needs your attention right now” — counts of on-site / checked-in / checked-out, a learner search (“is who in or out right now?”), a Go-live checklist (roster imported, learners checked in, staff active, WhatsApp connection state, badges issued, photo-encryption key ready), today’s exceptions, a class roll-up, the live learner list, and Patterns to watch (frequent late arrivals, absence risk, badge fleet health, guardian contacts failing).
Emergency broadcast and a stateful Safety mode (drill / lockdown) are one tap away with two-step confirmation; the class teacher gets a class-scoped roster, daily roll and live pickup approvals.

The operator story — stand up a campus in minutes
This is the part most platforms can’t show. Onboarding a new campus is a real durable Cloudflare Workflow, behind a calm async UI.

The operator console is a wall-board: platform access, schools in platform, messaging setup, a “Needs you now” queue, platform health (last-hour delivery success, failed deliveries to review, failed logins) and provider readiness.

Onboarding is a short form — school name, timezone (Johannesburg by default, pan-African and global options), campus close time, first admin and optional first officer.

A review-before-commit panel, then Create school, then the Workflow steps tick green in real time:

“Create the school” ✓ → “Create the admin account” → “School provisioned.” No SQL, idempotent, with per-step retry. I onboarded a second campus live and it worked.

The economics
| Item | Detail |
|---|---|
| Price | ~R10 per learner per month (negotiable) |
| Billing | Manual and out-of-app — no in-app payments, no invoices in the product |
| Operator input | An operator-only billable-learner report (max daily active learners per campus, per month) is the exact figure hand-keyed into your invoice |
| Channel costs | Bring-your-own provider, or marked-up pass-through — you are never surprised by a delivery bill |
The model scales linearly and transparently with the only thing that matters: how many learners you actually protect. No per-school tiers, no seat games.
Live today vs roadmap — the honest slide
We would rather you hear this from us than from your technical advisor.
Shipped and verified live (local stack):
- Officer gate scan → resolve → confirmed, immutable record
- Guardian-optional release (“arrived on their own” vs “dropped off by a guardian”)
- Answer-first admin dashboard, go-live checklist, deep per-school settings
- Operator console + onboarding a new campus via a durable Workflow
- Class-teacher scoped workspace with live pickup approvals
- Tokenised parent portal with real-time learner status
- RBAC tenant isolation, real passkey step-up, channel honesty (Preview vs Live)
- Trilingual en / af / zu; web push is real and RFC-8291-proven in code
Roadmap / needs provisioning (stated plainly):
- No group-scoped owner tenant yet. Today the only logins are full platform operator (sees every school on the platform) or single-school admin. An owner scoped to just their campuses is Roadmap. For a pilot we run a platform that contains only your schools.
- Shard-ready, single-shard today. Horizontal sharding is real code, but only shard_0 is live — campuses are isolated logically by school_id, not yet on physically separate databases. Physical per-campus sharding is Roadmap.
- WhatsApp and SMS are Preview, per-school provider-gated; they demote to email until connected (WhatsApp also needs Meta template approval).
- Web push needs VAPID secrets + real-device proof per environment; branded PDF / SAR rendering needs the Cloudflare Browser Rendering binding.
- Production is currently a hollow shell (no secrets) — demos run on UAT only.
- No consolidated cross-campus academic report yet — channel-usage and billing aggregates only. A group-wide report is Roadmap.
- Known polish cracks we’re not hiding: the report builder’s “Class ID” free-text box and a hardcoded-English admin attendance page.
Independently graded: B+ / A− as a per-campus product (real code, verified live end-to-end), B− as the chain-owner-at-scale pitch as worded — because the group-owner persona and multi-shard scale are built-but-not-yet-modelled, not because the core is missing.
The ask
Pilot 2–3 schools from your group on UAT.
- We onboard your chosen campuses through the app (never SQL-seeded), exactly as a real rollout would.
- You walk the gate flow on a real Android phone, see the dashboards update live, and open the parent portal as a guardian would.
- We connect the channels you want proven (web push and email today; WhatsApp once your provider is approved).
- At the end you have a real billable-learner report tied to ~R10/learner — the number that lets you decide on the whole group.
From a proven multi-school footprint, we then build the group-scoped owner tenant for your next, larger rollout.
Honesty is the product
A safety platform that over-promises is worse than no platform — because a guardian who was told “you’ll always know” and then heard nothing trusts you less than before. MySentinel is built so that every “sent” is true, every campus is sealed off from every other, and every gap is named out loud before you find it.
Buy the gate done right, everywhere, the same way — and a vendor who tells you the truth about what is live. The roadmap is honest, the core is real, and the credibility is the deal.