Strict tenant isolation
Every row in our database carries both an organisation id and a school id. Every read and write checks both. A school admin in one organisation can never see, list, search, or accidentally touch data belonging to another organisation — enforced at the service layer, not just the UI.