Why Enterprise Internal Tools Are Broken

The typical enterprise internal tool request follows a predictable and painful path. A department head identifies a genuine operational problem (say, a vendor approval workflow that currently runs through email, causing delays and audit failures). They submit a request to IT. IT adds it to the backlog, which is already 18 months deep. The department head, under pressure to hit quarterly targets, builds a stopgap in Excel. The Excel sheet grows, becomes critical, and starts causing its own problems: version conflicts, no access control, no audit trail.

Two years later, the IT ticket surfaces. By now the requirements have changed, the original requestor has moved teams, and the proposed €150,000 custom development project bears little resemblance to the actual workflow in place. This cycle repeats across every department, every year.

The scale of the problem is documented: Gartner estimates that 60% of enterprise business applications are shadow IT, built outside approved IT processes. This isn't employee misbehaviour; it's rational adaptation to an unresponsive system. No-code gives enterprises a legitimate, secure, governed alternative.

The No-Code Enterprise Opportunity

No-code tools have matured significantly in the enterprise direction. WeWeb, Supabase, and Xano now offer SSO integration, Role-Based Access Control, SOC 2 Type II compliance, EU data residency, and enterprise support SLAs. The "no-code isn't enterprise-ready" objection that was valid in 2020 is no longer accurate for the right tools.

The opportunity: a properly scoped internal tool (an HR onboarding portal, a vendor management dashboard, an ops workflow tracker) can be built and deployed in 2-4 weeks using no-code, compared to 6-18 months for a custom development project. The cost difference is equally dramatic: €8,000-25,000 for a no-code internal tool vs €80,000-200,000 for a custom-built equivalent.

The remaining constraint is not technical; it's organisational. Getting no-code approved as a valid delivery mechanism requires security review, IT involvement, and a clear governance model for who builds and maintains these tools. We'll address that in the buy-in section.

Security Requirements No-Code Must Meet

Enterprise IT teams rightly ask hard security questions about any new tool. For no-code tools to pass security review, they must meet these requirements, and the stack we recommend does.

SSO and SCIM provisioning: WeWeb integrates with any SAML 2.0 or OpenID Connect provider (Okta, Azure AD, Google Workspace). Users are provisioned and deprovisioned through your existing identity provider, not via separate account management. Supabase Enterprise supports SAML SSO for the dashboard itself.

Role-Based Access Control: Supabase's Row-Level Security policies can be parameterised by role. A user with the `viewer` role sees data but cannot write; a `manager` role can approve records; an `admin` role has full access. These policies are enforced at the database level, not the application level, so they can't be bypassed by frontend manipulation.

Audit logs: every data change in Supabase can be logged to an `audit_log` table via database triggers. Xano logs every API call with the authenticated user, timestamp, and payload. SOC 2 compliance (Type II) is held by both Supabase and Xano. EU data residency is available on Supabase's Pro and Enterprise plans (Frankfurt, Ireland).
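The trigger-based audit log described above could look like the following in Postgres. This is an added example, not code from Supabase or from the original article; the `expense_claims` table, the `audit_log` columns and the `record_change` function are assumptions made for illustration.

```sql
-- Constructed example; table, column and function names are assumptions.
create table expense_claims (
  id     bigint generated always as identity primary key,
  amount numeric(12,2) not null,
  status text not null default 'pending'
);

create table audit_log (
  id         bigint generated always as identity primary key,
  changed_at timestamptz not null default now(),
  actor      uuid,           -- auth.uid() of the caller; NULL when no user JWT is present
  table_name text not null,
  operation  text not null,  -- INSERT, UPDATE or DELETE
  old_row    jsonb,
  new_row    jsonb
);
-- RLS on with no policies: API clients can neither read nor alter the log.
alter table audit_log enable row level security;

-- SECURITY DEFINER: the trigger writes as the function owner, so users need
-- no INSERT privilege on audit_log.
create function record_change() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  before_row jsonb;
  after_row  jsonb;
begin
  if tg_op <> 'INSERT' then before_row := to_jsonb(old); end if;
  if tg_op <> 'DELETE' then after_row  := to_jsonb(new); end if;
  insert into audit_log (actor, table_name, operation, old_row, new_row)
  values (auth.uid(), tg_table_name, tg_op, before_row, after_row);
  return null;  -- the return value of an AFTER row trigger is ignored
end;
$$;

create trigger expense_claims_audit
  after insert or update or delete on expense_claims
  for each row execute function record_change();
```

Row-level triggers do not fire on TRUNCATE, and a role that owns the audited table can disable the trigger, so DDL rights on audited tables should be restricted to the migration pipeline.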

WeWeb + Supabase for Enterprise Compliance

The WeWeb + Supabase combination provides the compliance posture that enterprise risk teams need. Supabase holds SOC 2 Type II certification, which means an independent auditor has reviewed their security controls over a minimum 6-month period and confirmed they function as described. This is the certification that enterprise procurement teams recognise.

For GDPR specifically: Supabase's EU infrastructure (AWS eu-central-1, Frankfurt) ensures personal data doesn't cross the EU border. Supabase provides a Data Processing Agreement (DPA) compliant with GDPR Article 28. Their sub-processors list is published and maintained. Point-in-time recovery (available on Pro and above) satisfies data recovery requirements.

Row-Level Security deserves special mention for multi-department enterprise tools. A single Supabase project can serve multiple departments, each with their own data silo, enforced at the database level. The HR team's data is invisible to the Finance team's users, not because the app hides it, but because the database query physically excludes it. This is a stronger guarantee than application-layer access control.
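The role-parameterised policies and per-department silos described above can be expressed as follows. This is an added example, not code from the original article: the `app_members` and `vendor_requests` tables and the `my_role` helper are assumptions, and roles are assumed to be scoped to a single department.

```sql
-- Constructed schema for illustration; table, column and function names are assumptions.
create table app_members (
  user_id    uuid primary key,   -- equals auth.uid() for the signed-in user
  department text not null,      -- e.g. 'hr', 'finance'
  app_role   text not null check (app_role in ('viewer', 'manager', 'admin'))
);
alter table app_members enable row level security;  -- no policies: API clients get no access

create table vendor_requests (
  id         bigint generated always as identity primary key,
  department text not null,
  vendor     text not null,
  status     text not null default 'pending'
);
alter table vendor_requests enable row level security;

-- Returns the caller's role in the given department, or NULL if they are not a member.
-- SECURITY DEFINER lets policies consult app_members without exposing it.
create function my_role(dept text) returns text
language sql stable security definer set search_path = public as $$
  select app_role from app_members
  where user_id = auth.uid() and department = dept
$$;

-- Every member of a department can read its rows; nobody else can.
create policy dept_read on vendor_requests
  for select to authenticated
  using (my_role(department) is not null);

-- Managers and admins can update (approve) rows. WITH CHECK is evaluated on the
-- new row, so a row cannot be moved into a department the caller has no role in.
create policy dept_approve on vendor_requests
  for update to authenticated
  using (my_role(department) in ('manager', 'admin'))
  with check (my_role(department) in ('manager', 'admin'));

-- Only admins can create or delete rows.
create policy dept_admin_insert on vendor_requests
  for insert to authenticated
  with check (my_role(department) = 'admin');

create policy dept_admin_delete on vendor_requests
  for delete to authenticated
  using (my_role(department) = 'admin');
```

These policies bind requests made with the anon and authenticated keys; Supabase's `service_role` key bypasses RLS, so it belongs only in backend code and never in the WeWeb frontend.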

Retool as an Alternative for Internal Tools

Retool is worth understanding as an alternative positioning in the enterprise internal tools market. Retool is purpose-built for internal tools: it has native connections to databases, REST APIs, GraphQL, and dozens of enterprise data sources (Salesforce, Zendesk, HubSpot) that can be queried directly without an intermediary API layer.

Retool's advantage: faster time-to-first-prototype for database-connected admin interfaces. If you need to give your ops team a read-write interface over your existing PostgreSQL database by tomorrow, Retool can do this in hours. No separate backend required.

Retool's limitations compared to WeWeb + Supabase: Retool apps are distinctly "internal tool"-looking, good enough for internal users but not customer-facing quality. WeWeb produces polished UIs suitable for client portals and partner-facing tools. Retool also doesn't handle complex business logic well; it's a UI layer, not a backend. For tools requiring approval workflows, notifications, and integrations, you'll need Xano or Make alongside Retool regardless. For purely internal CRUD tools, Retool is excellent. For client portals or tools with complex workflows, WeWeb wins.

Common Enterprise Use Cases

The internal tools we build most frequently for enterprise clients fall into four categories.

**HR Tools**: onboarding portals (new employee document submission, IT request forms, policy acknowledgements), leave management systems, performance review workflows, and org chart tools. These are universally requested and universally under-served by enterprise HRIS systems, which are powerful but inflexible.

**Operations Dashboards**: vendor management portals (vendor onboarding, contract storage, renewal tracking), quality control dashboards, and operational KPI trackers pulling from multiple data sources. These replace sprawling Excel sheets that operations teams maintain manually.

**Approval Workflows**: expense approval tools with multi-level routing, capital expenditure request systems, content approval portals for marketing teams, and contract review workflows. These map cleanly to Xano's workflow engine paired with Supabase for state management.

**Partner and Vendor Portals**: external-facing tools where partners submit data, check order status, or access shared resources. These need polished UI (WeWeb shines here), secure authentication (Supabase Auth), and controlled data access (RLS).

How to Get Internal Buy-In for No-Code

The technical case for no-code internal tools is strong. The organisational case requires active management. Here's the approach that consistently works in enterprise environments.

Step 1: Find a sympathetic IT stakeholder. Not necessarily the CIO; often a forward-thinking IT manager or a DevOps engineer who's frustrated with the backlog themselves. Bring them in early, not as a gatekeeper but as a collaborator. Their technical credibility will be essential when the security review happens.

Step 2: Choose a low-risk, high-visibility first project. Not the most important system in the company, but a tool that's clearly not critical, currently handled badly, and can demonstrate value quickly. A successful first delivery is worth more than any presentation.

Step 3: Establish a governance model before you need it. Who can commission no-code tools? Who approves them? Who maintains them when the builder leaves? A one-page governance document answers these questions and removes the "what happens when this person leaves?" objection, which is the most common kill-shot against no-code proposals.

Building a Proof of Concept in 2 Weeks

The fastest way to win internal approval is to demonstrate, not argue. A working proof of concept is worth more than a 40-page business case. Here's the 2-week enterprise POC sprint we recommend.

Week 1: Define the workflow in one diagram (swim lane or flowchart). Identify the 3 most important screens. Build the Supabase schema and RLS policies. Implement auth with your company's SSO provider. Build screen 1 in WeWeb.

Week 2: Build screens 2 and 3. Implement the core workflow in Xano (even a simplified version). Load it with 20-30 representative test records. Present it to both the requesting department and the IT stakeholder simultaneously.

The presentation goal is not "this is finished"; it's "this is what 2 weeks and €X looks like. Imagine what 6 weeks delivers." Real data, real workflows, and real performance in a 2-week sprint change minds more effectively than any ROI calculation. We've run this sprint pattern dozens of times and it converts sceptics reliably.

Total Cost of Ownership: No-Code vs IT Project

A rigorous TCO comparison requires honest accounting on both sides. Custom development cost for a mid-complexity internal tool: design (€5,000-15,000), development (€40,000-120,000), QA (€8,000-20,000), deployment and infrastructure setup (€5,000-10,000). Total build: €58,000-165,000. Annual maintenance (bug fixes, dependency updates, feature additions): €15,000-30,000/year. 3-year TCO: €103,000-255,000.

No-code equivalent with an agency like App Studio: build cost €12,000-30,000. Tool licences (WeWeb + Supabase + Xano): €2,500-4,000/year. Annual maintenance for updates and minor features: €3,000-8,000/year. 3-year TCO: €27,500-54,000.

The no-code TCO is 3-5x lower on average. But the less obvious benefit is time-to-value: the no-code tool is in production in weeks, not months. The value of an operational improvement that starts 9 months earlier compounds significantly. For an approval workflow that saves 5 hours of management time per week across a department, the ROI calculation favours no-code decisively.