Why Visitor Management Became a Billion-Dollar Category
Ten years ago, the office lobby had a clipboard, a pen on a chain, and a receptionist who tried to read handwritten names through a nervous squiggle. Visitors printed their names onto a sign-in sheet that anyone walking past could photograph. Hosts got a phone call, if they were lucky. Badges were handwritten with a Sharpie. Nobody knew how many people were in the building during a fire drill.
Then Envoy launched in 2013, turned the clipboard into an iPad, and built a company now valued north of a billion dollars. Proxyclick followed with a stronger enterprise story and was acquired by Eptura. Sine, iLobby, and SwipedOn each carved out territory. The category proved something useful: physical office workflows that look trivial are often worth enormous amounts of recurring revenue, because every office in the world has visitors and every legal, security, and HR department has opinions about how those visitors should be handled.
The market is not saturated. Hybrid work left front desks unstaffed for part of the week, which made self-service check-in a requirement rather than a convenience. Post-COVID health screening, watchlist compliance for defense contractors, and GDPR-driven visitor data deletion policies keep adding complexity. Meanwhile, incumbents have drifted upmarket and left real pricing gaps in the 50-to-500-employee band. If you are a product team looking at where to build next, visitor management is still an opportunity, especially if you wrap it into a broader workplace platform covering desk booking, deliveries, and access control.
This guide walks through how to actually build a VMS that a facilities manager will pay for, an IT director will approve, and a receptionist will not sabotage in the first week. We will cover the iPad kiosk, host notifications, document signing, badge printing, enterprise integrations, and the go-to-market decisions that determine whether you end up with a business or a side project.
System Architecture Overview
A visitor management system looks simple from the lobby but touches a surprising number of systems. At minimum you need an iPad kiosk app, a web dashboard for hosts and admins, a notification service, a badge printer driver, a document signing engine, and a backend that ties all of it together with permissions scoped by company, location, and role. You will also need an offline mode, because the one thing worse than a paper sign-in sheet is a locked iPad showing a loading spinner to an important visitor.
For a new build we recommend React and Expo for the iPad kiosk, Next.js for the admin dashboard, Supabase for auth and Postgres, and a Node worker fleet for notifications and printer jobs. Supabase gives you row-level security that maps neatly onto the multi-tenant structure of a VMS, where a single database must cleanly isolate tenants, locations within a tenant, and visitor records within a location. This is the same foundation we recommend in our SaaS platform guide, and it scales comfortably into the thousands of tenants before you need to shard.
The data model has five core entities: Tenant, Location, Host, Visitor, and Visit. A Visit joins a Visitor to a Host at a Location with a timestamp, a purpose, optional documents signed, a badge ID, and a status that moves through expected, checked-in, and checked-out. Everything else in the product hangs off Visit records: analytics, fire-drill rosters, compliance exports, and billing if you meter on visit volume.
Keep the kiosk dumb. It should render a check-in flow driven by a config object pulled from the server, post events back to an API, and queue them locally if offline. Every location-specific rule, such as which documents to show to which visitor type, should live on the server so facilities teams can change them without an app update. This is the single most important architectural decision and the one most early VMS builds get wrong.
iPad Kiosk UX and Badge Printing
The iPad kiosk is the part of your product the customer shows off to their CEO, so it has to feel premium. Use full-screen, single-purpose screens with one primary action per screen. Do not try to fit the whole check-in flow on one page. A good flow takes a visitor through: welcome, visit type, host lookup, photo capture, NDA, print badge, and done. Aim for under 45 seconds on the happy path and never more than seven taps.
Build the kiosk in React with Expo so you can ship the same codebase to iPad, Android tablets, and eventually a web-based fallback for kiosks without an app store presence. Expo lets you push OTA updates, which is essential because firmware updates on a tablet bolted to a lobby wall are a support nightmare. Lock the app into guided access mode and disable home-button exit so visitors cannot accidentally drop into Safari.
Photo capture is deceptively hard. Lobbies have bad lighting, visitors do not know where to look, and the iPad camera is at chest height, which produces unflattering angles. Use the front-facing camera, display a live preview with a framing guide, and auto-capture after a two-second stability window. Store photos at reduced resolution to keep badge print times under three seconds.
For badge printing, support the Brother QL-820NWB as your default. It is cheap, quiet, uses thermal die-cut labels, and has a network API that works reliably over AirPrint bridges. For enterprise customers, add Zebra ZD410 and ZD620 support, because those are what most corporate print rooms already stock. Do not try to support every printer on earth. Pick two families, document them well, and tell customers to buy the ones you support. Your engineering time is more valuable than a marginal printer integration.
The badge template engine should be HTML and CSS rendered to a PNG server-side, not a proprietary template language. Facilities teams want to put their logo, the host name, the visit date, and a QR code on the badge, and they want to iterate on the design without filing a support ticket. Let them drag fields around a canvas, preview on a virtual badge, and save per-location templates.
Host Notifications Across Slack, Teams, SMS, and Email
The moment a visitor taps "I'm here" on the kiosk, their host needs to know within seconds, on whatever channel they actually pay attention to. This is the single feature that justifies the entire product to most customers. A missed notification means a visitor standing awkwardly in the lobby, which means an angry email from an executive, which means a churn risk.
Support four channels out of the box: Slack, Microsoft Teams, SMS, and email. Let hosts set their own preferences and fall back gracefully. If Slack fails, try Teams. If both fail, try SMS. If SMS fails, try email. Log every attempt so support can reconstruct what happened when a host claims they were never notified.
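The fallback chain and per-attempt log described above, as an added TypeScript example that is not code from this article or from any vendor it names; the `Host` shape, the `notifyHost` name and the stubbed channel senders are assumptions standing in for real Slack, Teams, Twilio and SendGrid clients:

```typescript
// Added example (not Envoy, Proxyclick or any vendor's code): the
// Slack -> Teams -> SMS -> email fallback chain with a per-attempt log.
// Channel senders are hypothetical stubs standing in for real API clients.

type Channel = "slack" | "teams" | "sms" | "email";

interface Host {
  id: string;
  preferred: Channel[]; // channels the host opted into, most wanted first
}

interface Attempt {
  visitId: string;
  channel: Channel;
  ok: boolean;
  error?: string;
  at: string; // ISO timestamp, for reconstructing the timeline later
}

// A sender resolves true on success, false on a soft failure, or throws.
type Sender = (hostId: string, text: string) => Promise<boolean>;

const FALLBACK_ORDER: Channel[] = ["slack", "teams", "sms", "email"];

// Try the host's preferred channels first, then every remaining channel in
// fallback order. Every attempt is appended to `log`, success or not, so
// support can answer "why was I never notified?" from data, not memory.
async function notifyHost(
  visitId: string,
  host: Host,
  text: string,
  senders: Record<Channel, Sender>,
  log: Attempt[],
  now: () => Date = () => new Date(),
): Promise<Channel | null> {
  const order = [
    ...host.preferred,
    ...FALLBACK_ORDER.filter((c) => !host.preferred.includes(c)),
  ];
  for (const channel of order) {
    const attempt: Attempt = { visitId, channel, ok: false, at: now().toISOString() };
    try {
      attempt.ok = await senders[channel](host.id, text);
    } catch (e) {
      // A thrown error (timeout, 5xx, revoked token) is logged, then we move on.
      attempt.error = e instanceof Error ? e.message : String(e);
    }
    log.push(attempt);
    if (attempt.ok) return channel;
  }
  return null; // every channel failed: escalate to the front desk
}
```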
For Slack and Teams, build proper apps with bot users rather than incoming webhooks. A bot user lets you send direct messages to the host without requiring a shared channel, which is what hosts actually want. The Slack app should support interactive buttons for "I'm on my way" and "Please ask them to wait," which update the kiosk in real time. Teams is similar but the adaptive card model is finicky, so budget extra time.
Use Twilio for SMS and SendGrid for email. Both have mature APIs and good deliverability. For SMS, use Messaging Services with a pool of numbers so you do not hit carrier filtering limits when a large customer has a big visitor day. Keep messages short, include the visitor name and a reply option, and always include the host's office location so they know which lobby to walk to in a multi-floor building.
Latency matters. From kiosk tap to host notification, target under three seconds at the 95th percentile. This means running your notification workers in the same region as your database, queuing with Redis or Postgres LISTEN/NOTIFY, and pre-warming connections to Slack and Teams. It also means monitoring the full path and alerting on regressions, because a notification system that works 99% of the time will get you fired from the account that happens to be in the bad 1% on the day a customer visits.
NDA and Document E-Signing Workflow
Most enterprise customers require visitors to sign something before entering the building. Sometimes it is a simple NDA. Sometimes it is a health declaration, a photo release, a safety briefing acknowledgment, or a contractor compliance form. Building a flexible document workflow is table stakes for landing any deal above ten thousand dollars a year.
The cleanest architecture is to treat documents as a first-class resource, with versions, and to let admins configure which documents get shown to which visitor types in which locations. A contractor walking into the data center signs different things than a job candidate walking into the HR office. Build a simple rules engine: match on visit type, visitor nationality if you care about ITAR, host department, and location.
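One way to build that rules engine, as an added example rather than the article's or any vendor's code; the rule fields (`visitTypes`, `locationIds`, `hostDepartments`, `exceptNationalities`) and the ITAR handling, which still shows the notice when the nationality is unknown, are assumptions:

```typescript
// Added example, not any vendor's code: a small rules engine that picks the
// documents a visitor must sign from visit type, location, host department
// and (for ITAR) nationality. Field names are assumptions for illustration.

type VisitType = "contractor" | "candidate" | "guest";

interface VisitContext {
  locationId: string;
  visitType: VisitType;
  hostDepartment: string;
  visitorNationality?: string; // ISO 3166 code; only collected where ITAR applies
}

interface DocumentRule {
  documentId: string;
  version: number; // documents are versioned; the newest matching version wins
  // Every match field is optional; an omitted field matches any visit.
  visitTypes?: VisitType[];
  locationIds?: string[];
  hostDepartments?: string[];
  // Show the document unless the visitor's nationality is listed here, e.g. an
  // ITAR export-control notice that US persons do not need to sign.
  exceptNationalities?: string[];
}

function ruleApplies(rule: DocumentRule, ctx: VisitContext): boolean {
  if (rule.visitTypes && !rule.visitTypes.includes(ctx.visitType)) return false;
  if (rule.locationIds && !rule.locationIds.includes(ctx.locationId)) return false;
  if (rule.hostDepartments && !rule.hostDepartments.includes(ctx.hostDepartment)) return false;
  // Unknown nationality is handled conservatively: the notice is still shown.
  if (rule.exceptNationalities && ctx.visitorNationality &&
      rule.exceptNationalities.includes(ctx.visitorNationality)) return false;
  return true;
}

// Returns one entry per document, at the highest matching version, in a stable order.
function documentsFor(ctx: VisitContext, rules: DocumentRule[]): { documentId: string; version: number }[] {
  const latest = new Map<string, number>();
  for (const rule of rules) {
    if (!ruleApplies(rule, ctx)) continue;
    const seen = latest.get(rule.documentId);
    if (seen === undefined || rule.version > seen) latest.set(rule.documentId, rule.version);
  }
  return Array.from(latest, ([documentId, version]) => ({ documentId, version }))
    .sort((a, b) => a.documentId.localeCompare(b.documentId));
}
```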
For the signing itself, you have two choices. You can build your own e-signature capture, which means drawing a signature on the iPad with a finger, stamping it onto a PDF, and storing the signed PDF with an audit trail. Or you can integrate DocuSign and let the enterprise customer use their existing e-signature infrastructure. We recommend building your own for the kiosk experience and offering DocuSign as an option for customers who require it for legal reasons. DocuSign is slower, more expensive per signature, and adds a redirect that breaks the kiosk flow, so customers who do not strictly require it will be happier with the built-in option.
Store signed documents in encrypted S3 with object-level access control. Every signed document should have a tamper-evident hash logged to an append-only audit table, along with the kiosk device ID, IP address, geolocation, and timestamp. When a customer's legal team asks whether a specific contractor really signed the NDA on July 14th, you want to produce the signed PDF and the audit trail in under a minute.
Retention policies matter. GDPR requires that you can delete visitor data on request, but the signed NDA itself may need to be retained for the life of the underlying confidentiality obligation. Build the ability to delete the visitor's personal information while retaining the hash of the document and a redacted signature record. This is a legal question as much as an engineering one, and your customers will ask about it in the security review, so have answers ready.
Compliance and Access Control
Enterprise customers will not deploy your VMS until it passes their security review. That means SOC 2 Type II, GDPR compliance, and typically a completed CAIQ or SIG questionnaire. If you plan to sell into defense, finance, or healthcare, add HIPAA, ITAR, and possibly FedRAMP Moderate to the list. Read our SOC 2 for startups guide for the full playbook on getting to your first audit.
Visitor data is personal data under GDPR. Treat it that way from the first line of code. Encrypt at rest and in transit, minimize what you collect, set retention defaults to 90 days with customer-configurable overrides, and build a purge job that actually deletes rather than soft-deleting records marked expired. When the German subsidiary's data protection officer asks how long visitor photos are stored, "forever unless a human remembers to clean them up" is the wrong answer.
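The tamper-evident signing record and PII erasure from the e-signing section, together with the retention purge just described, as one added example that is not the article's or any vendor's code; the `SignedDocument`, `AuditLog` and `KioskMeta` shapes are assumptions, and the purge strips PII while keeping the document hash rather than deleting the signed record outright:

```typescript
// Added example, not any vendor's code: tamper-evident signing record, append-only
// audit log, and erasure that strips the visitor's PII but keeps the document hash,
// reused by the retention purge. Names and fields are assumptions.
import { createHash } from "node:crypto";
interface KioskMeta { deviceId: string; ip: string; geo: string | null; at: string }

interface SignedDocument {
  visitId: string;
  documentId: string;
  sha256: string;                  // hash of the signed PDF bytes; survives erasure
  signerName: string | null;       // PII, nulled on erasure
  signerEmail: string | null;      // PII, nulled on erasure
  signaturePng: Uint8Array | null; // finger-drawn signature image, nulled on erasure
  signedAt: string;
  erasedAt: string | null;
}

interface AuditEntry extends KioskMeta {
  seq: number; event: "document_signed" | "pii_erased"; visitId: string; sha256: string;
}

// Append-only by construction: there is no update or delete method.
class AuditLog {
  private entries: AuditEntry[] = [];
  append(e: Omit<AuditEntry, "seq">): void { this.entries.push({ seq: this.entries.length + 1, ...e }); }
  all(): readonly AuditEntry[] { return this.entries; }
}

const sha256Hex = (bytes: Uint8Array): string => createHash("sha256").update(bytes).digest("hex");
function recordSignature(pdf: Uint8Array, visitId: string, documentId: string,
  signer: { name: string; email: string; signaturePng: Uint8Array },
  meta: KioskMeta, audit: AuditLog): SignedDocument {
  const sha256 = sha256Hex(pdf);
  audit.append({ ...meta, event: "document_signed", visitId, sha256 });
  return { visitId, documentId, sha256, signerName: signer.name, signerEmail: signer.email,
    signaturePng: signer.signaturePng, signedAt: meta.at, erasedAt: null };
}

// When legal asks whether the stored PDF is still the one that was signed.
const verifySignedPdf = (doc: SignedDocument, pdf: Uint8Array): boolean => sha256Hex(pdf) === doc.sha256;

// Erasure for a GDPR request or the retention job: PII goes, hash and audit trail stay.
function eraseVisitorPii(doc: SignedDocument, meta: KioskMeta, audit: AuditLog): SignedDocument {
  audit.append({ ...meta, event: "pii_erased", visitId: doc.visitId, sha256: doc.sha256 });
  return { ...doc, signerName: null, signerEmail: null, signaturePng: null, erasedAt: meta.at };
}

// Retention job: erase every record older than retentionDays that is not erased yet.
function purgeExpired(docs: SignedDocument[], now: Date, audit: AuditLog, retentionDays = 90): SignedDocument[] {
  const cutoff = now.getTime() - retentionDays * 86_400_000;
  const meta: KioskMeta = { deviceId: "retention-job", ip: "internal", geo: null, at: now.toISOString() };
  return docs.map((d) =>
    d.erasedAt === null && Date.parse(d.signedAt) < cutoff ? eraseVisitorPii(d, meta, audit) : d);
}
```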
Watchlist screening is a premium feature that unlocks defense, pharma, and regulated finance customers. The basic version checks visitor names against a blocklist the customer uploads. The advanced version integrates with services like Dow Jones or LexisNexis to screen against OFAC, denied persons lists, and politically exposed persons lists. Screening happens in the background during check-in, and if a match fires above a configurable confidence threshold, security gets paged before the visitor gets a badge.
Role-based access control inside the product matters as much as compliance certifications. A receptionist should not be able to export all visitor data. A security admin should be able to view any visit but not edit host information. A facilities manager should be able to configure kiosks but not see visitor photos. Build this as a proper RBAC system from day one, not a series of feature flags retrofitted later. Our secure authentication guide covers the patterns.
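The three roles above as a deny-by-default permission matrix with tenant and location scoping, an added example that is not the article's or any vendor's code; the role and permission names, the `tenant_admin` role and the receptionist's photo permission are assumptions:

```typescript
// Added example, not any vendor's code: the role matrix from the paragraph above
// as data, enforced by one check that is also tenant- and location-scoped.
// Role, permission and field names are assumptions for illustration.

type Role = "receptionist" | "security_admin" | "facilities_manager" | "tenant_admin";
type Permission =
  | "visit:view" | "visit:checkin" | "visit:export"
  | "visitor:view_photo" | "host:edit" | "kiosk:configure";

const ALL: Permission[] = ["visit:view", "visit:checkin", "visit:export",
  "visitor:view_photo", "host:edit", "kiosk:configure"];

// Deny by default: a role only has what is listed here.
const ROLE_PERMISSIONS: Record<Role, ReadonlySet<Permission>> = {
  receptionist: new Set<Permission>(["visit:view", "visit:checkin", "visitor:view_photo"]), // no export
  security_admin: new Set<Permission>(["visit:view", "visit:export", "visitor:view_photo"]), // no host:edit
  facilities_manager: new Set<Permission>(["visit:view", "kiosk:configure"]),                // no photos
  tenant_admin: new Set<Permission>(ALL),
};

// A role assignment is scoped to one location, or to the whole tenant (locationId null).
interface Assignment { role: Role; locationId: string | null }
interface Principal { userId: string; tenantId: string; assignments: Assignment[] }
interface Resource { tenantId: string; locationId: string }

function can(p: Principal, perm: Permission, res: Resource): boolean {
  if (p.tenantId !== res.tenantId) return false; // never cross tenant boundaries, whatever the role
  return p.assignments.some((a) =>
    (a.locationId === null || a.locationId === res.locationId) && ROLE_PERMISSIONS[a.role].has(perm));
}

// Guard for an API handler: throw rather than silently return an empty result.
function requirePermission(p: Principal, perm: Permission, res: Resource): void {
  if (!can(p, perm, res)) throw new Error(`forbidden: ${p.userId} lacks ${perm} at ${res.locationId}`);
}
```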
Enterprise Integrations: SSO, SCIM, Calendar
The difference between a VMS that sells at $500 a month and one that sells at $5,000 a month is usually the integration story. Enterprise IT departments want to provision hosts automatically, deprovision them automatically when they leave the company, and let them log in with the corporate identity provider. If your product requires IT to manually manage a separate user list, it loses to competitors that do not.
Start with SAML SSO against Okta, Azure AD, and Google Workspace. These three cover probably 95% of the enterprise market. Use a library like WorkOS or BoxyHQ to avoid writing SAML parsers from scratch, because SAML is a protocol designed to make sensitive people cry. Offer SCIM provisioning via Okta SCIM so hosts get created and deactivated automatically when HR updates the directory. SCIM is not glamorous but it is the single most requested feature in mid-market security reviews.
Calendar integration is the other high-leverage integration. When a host puts a meeting on their Google or Outlook calendar and adds an external email address, the VMS should automatically pre-register the visitor, send them a pre-arrival email with check-in instructions, and recognize them instantly at the kiosk by scanning a QR code from their phone. Build OAuth flows to both Google Workspace and Microsoft 365, respect calendar privacy settings, and only sync events where an external attendee is present.
The internal dashboard for all of this configuration needs to be as polished as the kiosk. Admins spend more time in the settings than visitors spend at the kiosk, and clunky admin UX is one of the fastest ways to lose a customer in the first 30 days. We covered the patterns in our internal tools dashboard guide, and the same principles apply here.
For billing, use Stripe with usage-based metering on visits per month, with a generous included tier and overage charges. This aligns your pricing with customer value and lets small offices start cheap while large customers pay proportionally. Avoid per-seat pricing on hosts, because that penalizes customers for inviting more people to use the product, which is exactly the opposite of what you want.
Pricing and Go-to-Market for B2B
VMS is a classic bottom-up B2B motion. Facilities managers discover your product through a Google search, start a free trial with one location, and then expand once their head of security signs off. The product must support self-service onboarding end-to-end, including hardware recommendations, kiosk setup wizards, and a first-visit demo flow that works without any customer success intervention. If onboarding requires a call, your CAC balloons and your growth caps out.
Price in three tiers: Starter at around $100 per month per location with core features, Growth at around $400 per location with Slack, Teams, SSO, and badge printing, and Enterprise starting around $1,000 per location with SCIM, watchlist screening, advanced compliance, and SLA. Charge per location, not per visitor, because locations are predictable and visitors are variable. Customers hate variable bills.
Sell through a combination of inbound SEO, G2 reviews, and partnerships with office hardware vendors. The SEO play is easy to underestimate: terms like "visitor management software" and "iPad sign-in app" have high commercial intent and moderate competition. A library of comparison pages against Envoy, Proxyclick, Sine, iLobby, and SwipedOn will drive qualified traffic for years. G2 is where enterprise buyers comparison-shop, so prioritize review velocity from your happiest customers.
Partnerships with badge printer vendors, access control companies, and commercial real estate brokers give you embedded distribution. A commercial landlord who includes your VMS in their tenant amenity package can bring you hundreds of customers in a single deal. These partnerships take time to build but compound beautifully once they do.
Your first ten customers should be companies you know personally or can reach through warm intros. Use them to harden the product, especially the edge cases around printer quirks, network-restricted environments, and unusual compliance requirements. The eleventh customer is where you start charging full price and the product is ready to survive the onboarding without your direct involvement.
Visitor management is not a winner-take-all category. Envoy has the top of the market, but there is plenty of room for challengers who focus on specific verticals, geographies, or integration stories. Whether you are an existing workplace platform adding a visitor module or a new startup competing head-on, the playbook is the same: build a kiosk that feels premium, nail the notifications, get SOC 2, integrate with the identity stack, and sell through low-friction self-service until enterprise logos justify hiring a sales team.
If you are planning to build a VMS or an adjacent workplace platform and want help thinking through the architecture, compliance path, or go-to-market, book a free strategy call.