trycompai · Marfuen · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/apps/api/src/frameworks/frameworks-people-score.helper.spec.ts b/apps/api/src/frameworks/frameworks-people-score.helper.spec.ts
@@ -53,6 +53,12 @@ describe('computePeopleScore', () => {
     (mockDb.backgroundCheckRequest.findMany as jest.Mock).mockResolvedValue([
       { memberId: 'mem_1' },
     ]);
+    (mockDb.member.findMany as jest.Mock).mockImplementation(
+      async (args: { where?: { backgroundCheckExempt?: boolean } }) => {
+        if (args?.where?.backgroundCheckExempt === true) return [];
+        return [];
+      },
+    );
   });
 
   it('requires a completed or uploaded background check for people completion', async () => {
@@ -125,4 +131,103 @@ describe('computePeopleScore', () => {
 
     expect(mockDb.backgroundCheckRequest.findMany).not.toHaveBeenCalled();
   });
+
+  it('treats an exempt member as complete without a BG check (org-level on)', async () => {
+    // mem_1 has no completed BG check; mem_2 has none either. Mark mem_1 exempt.
+    (mockDb.backgroundCheckRequest.findMany as jest.Mock).mockResolvedValue([]);
+    (mockDb.member.findMany as jest.Mock).mockImplementation(
+      async (args: { where?: { backgroundCheckExempt?: boolean } }) => {
+        if (args?.where?.backgroundCheckExempt === true) {
+          return [{ id: 'mem_1' }];
+        }
+        return [];
+      },
+    );
+
+    const score = await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: true,
+      hasHipaaFramework: false,
+    });
+
+    // mem_1 exempt → counts complete; mem_2 not exempt + no BG check → not complete
+    expect(score).toEqual({ total: 2, completed: 1 });
+  });
+
+  it('counts a mix of completed BG checks and exempt members correctly', async () => {
+    // mem_1 has a completed BG check; mem_2 is exempt
+    (mockDb.backgroundCheckRequest.findMany as jest.Mock).mockResolvedValue([
+      { memberId: 'mem_1' },
+    ]);
+    (mockDb.member.findMany as jest.Mock).mockImplementation(
+      async (args: { where?: { backgroundCheckExempt?: boolean } }) => {
+        if (args?.where?.backgroundCheckExempt === true) {
+          return [{ id: 'mem_2' }];
+        }
+        return [];
+      },
+    );
+
+    const score = await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: true,
+      hasHipaaFramework: false,
+    });
+
+    expect(score).toEqual({ total: 2, completed: 2 });
+  });
+
+  it('counts every member as complete when all members are exempt', async () => {
+    (mockDb.backgroundCheckRequest.findMany as jest.Mock).mockResolvedValue([]);
+    (mockDb.member.findMany as jest.Mock).mockImplementation(async (args: {
+      where?: { backgroundCheckExempt?: boolean };
+    }) => {
+      if (args?.where?.backgroundCheckExempt === true) {
+        return [{ id: 'mem_1' }, { id: 'mem_2' }];
+      }
+      return [];
+    });
+
+    const score = await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: true,
+      hasHipaaFramework: false,
+    });
+
+    expect(score).toEqual({ total: 2, completed: 2 });
+  });
+
+  it('skips the exempt query entirely when backgroundCheckStepEnabled is false', async () => {
+    (mockDb.member.findMany as jest.Mock).mockClear();
+
+    await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: false,
+      hasHipaaFramework: false,
+    });
+
+    // The exempt query targets backgroundCheckExempt: true. Confirm it was not called with that arg.
+    const findManyCalls = (mockDb.member.findMany as jest.Mock).mock.calls;
+    const exemptQueryCalled = findManyCalls.some(
+      ([args]: [{ where?: { backgroundCheckExempt?: boolean } }]) =>
+        args?.where?.backgroundCheckExempt === true,
+    );
+    expect(exemptQueryCalled).toBe(false);
+  });
 });
diff --git a/apps/api/src/frameworks/frameworks-people-score.helper.ts b/apps/api/src/frameworks/frameworks-people-score.helper.ts
@@ -61,6 +61,7 @@ export async function computePeopleScore({
     membersWithInstalledDevices,
     trainingCompletions,
     membersWithCompletedBackgroundChecks,
+    exemptMemberIds,
   ] = await Promise.all([
     getMembersWithInstalledDevices({
       organizationId,
@@ -75,6 +76,9 @@ export async function computePeopleScore({
     backgroundCheckStepEnabled
       ? getMembersWithCompletedBackgroundChecks({ organizationId, memberIds })
       : Promise.resolve(new Set<string>()),
+    backgroundCheckStepEnabled
+      ? getExemptMemberIds({ organizationId, memberIds })
+      : Promise.resolve(new Set<string>()),
   ]);
 
   const completed = activeEmployees.filter((employee) => {
@@ -101,7 +105,9 @@ export async function computePeopleScore({
     const hasInstalledDevice = deviceAgentStepEnabled
       ? membersWithInstalledDevices.has(employee.id)
       : true;
-    const hasCompletedBackgroundCheck = backgroundCheckStepEnabled
+    const memberRequiresBgCheck =
+      backgroundCheckStepEnabled && !exemptMemberIds.has(employee.id);
+    const hasCompletedBackgroundCheck = memberRequiresBgCheck
       ? membersWithCompletedBackgroundChecks.has(employee.id)
       : true;
 
@@ -205,3 +211,22 @@ async function getMembersWithCompletedBackgroundChecks({
 
   return new Set(completedBackgroundChecks.map((check) => check.memberId));
 }
+
+async function getExemptMemberIds({
+  organizationId,
+  memberIds,
+}: {
+  organizationId: string;
+  memberIds: string[];
+}) {
+  const exemptMembers = await db.member.findMany({
+    where: {
+      organizationId,
+      id: { in: memberIds },
+      backgroundCheckExempt: true,
+    },
+    select: { id: true },
+  });
+
+  return new Set(exemptMembers.map((member) => member.id));
+}
diff --git a/apps/api/src/organization/dto/update-organization.dto.ts b/apps/api/src/organization/dto/update-organization.dto.ts
@@ -10,4 +10,5 @@ export interface UpdateOrganizationDto {
   isFleetSetupCompleted?: boolean;
   primaryColor?: string;
   advancedModeEnabled?: boolean;
+  backgroundCheckStepEnabled?: boolean;
 }
diff --git a/apps/api/src/organization/organization.controller.spec.ts b/apps/api/src/organization/organization.controller.spec.ts
@@ -1,3 +1,7 @@
+jest.mock('@db', () => ({
+  db: {},
+}));
+
 import { Test, TestingModule } from '@nestjs/testing';
 import { BadRequestException } from '@nestjs/common';
 import { OrganizationController } from './organization.controller';
@@ -169,6 +173,23 @@ describe('OrganizationController', () => {
     });
   });
 
+  describe('updateOrganization', () => {
+    it('passes backgroundCheckStepEnabled through to the service', async () => {
+      mockOrganizationService.updateById.mockResolvedValue({ id: 'org_123' });
+
+      await controller.updateOrganization(
+        'org_123',
+        sessionAuthContext,
+        { backgroundCheckStepEnabled: false },
+      );
+
+      expect(mockOrganizationService.updateById).toHaveBeenCalledWith(
+        'org_123',
+        { backgroundCheckStepEnabled: false },
+      );
+    });
+  });
+
   describe('updateRoleNotifications', () => {
     const validSettings = [
       {

diff --git a/apps/api/src/people/dto/update-people.dto.ts b/apps/api/src/people/dto/update-people.dto.ts
@@ -44,4 +44,14 @@ export class UpdatePeopleDto extends PartialType(CreatePeopleDto) {
   @IsOptional()
   @IsDateString()
   createdAt?: string;
+
+  @ApiProperty({
+    description:
+      'When true, this member is exempt from the org-level background check requirement and will count as complete in people scores.',
+    example: false,
+    required: false,
+  })
+  @IsOptional()
+  @IsBoolean()
+  backgroundCheckExempt?: boolean;
 }
diff --git a/apps/api/src/people/people.controller.spec.ts b/apps/api/src/people/people.controller.spec.ts
@@ -7,6 +7,42 @@ import { PermissionGuard } from '../auth/permission.guard';
 import { PeopleController } from './people.controller';
 import { BadRequestException } from '@nestjs/common';
 
+// Mock @db to avoid PrismaClient initialization in controller tests
+jest.mock('@db', () => ({
+  db: {
+    member: {
+      findMany: jest.fn(),
+      findFirst: jest.fn(),
+      findFirstOrThrow: jest.fn(),
+      create: jest.fn(),
+      update: jest.fn(),
+      delete: jest.fn(),
+      createMany: jest.fn(),
+    },
+    user: { update: jest.fn() },
+    organization: { findUnique: jest.fn() },
+    session: { deleteMany: jest.fn() },
+    task: { findMany: jest.fn(), updateMany: jest.fn() },
+    policy: { findMany: jest.fn(), updateMany: jest.fn() },
+    risk: { findMany: jest.fn(), updateMany: jest.fn() },
+    vendor: { findMany: jest.fn(), updateMany: jest.fn() },
+    organizationChart: { findUnique: jest.fn(), update: jest.fn() },
+  },
+  BackgroundCheckStatus: {
+    pending: 'pending',
+    in_progress: 'in_progress',
+    completed: 'completed',
+    completed_with_flags: 'completed_with_flags',
+    cancelled: 'cancelled',
+  },
+  FindingType: { soc2: 'soc2', iso27001: 'iso27001' },
+  FindingStatus: { open: 'open', closed: 'closed' },
+  PhaseCompletionType: { manual: 'manual', auto: 'auto' },
+  TimelinePhaseStatus: { pending: 'pending', completed: 'completed' },
+  TimelineStatus: { draft: 'draft', active: 'active' },
+  Departments: { it: 'it', none: 'none' },
+}));
+
 // Mock auth.server to avoid importing better-auth ESM in Jest
 jest.mock('../auth/auth.server', () => ({
   auth: {
@@ -220,6 +256,24 @@ describe('PeopleController', () => {
         'usr_123',
       );
     });
+
+    it('passes backgroundCheckExempt through to the service', async () => {
+      mockPeopleService.updateById.mockResolvedValue({ id: 'mem_1' });
+
+      await controller.updateMember(
+        'mem_1',
+        { backgroundCheckExempt: true } as any,
+        'org_123',
+        mockAuthContext,
+      );
+
+      expect(mockPeopleService.updateById).toHaveBeenCalledWith(
+        'mem_1',
+        'org_123',
+        { backgroundCheckExempt: true },
+        'usr_123',
+      );
+    });
   });
 
   describe('deleteMember', () => {

diff --git a/apps/api/src/people/utils/member-queries.ts b/apps/api/src/people/utils/member-queries.ts
@@ -20,6 +20,7 @@ export class MemberQueries {
     jobTitle: true,
     isActive: true,
     deactivated: true,
+    backgroundCheckExempt: true,
     fleetDmLabelId: true,
     user: {
       select: {

diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/background-check/page.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/background-check/page.tsx
@@ -59,6 +59,7 @@ export default async function EmployeeBackgroundCheckPage({
           }
         }
         backgroundCheckStepEnabled={backgroundCheckStepEnabled}
+        memberBackgroundCheckExempt={employee.backgroundCheckExempt === true}
       />
     </PageLayout>
   );

diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
@@ -42,6 +42,7 @@ interface EmployeeProps {
   initialBackgroundCheck: BackgroundCheckRecord | null;
   initialBackgroundCheckBillingStatus: BackgroundCheckBillingStatus;
   backgroundCheckStepEnabled: boolean;
+  memberBackgroundCheckExempt: boolean;
 }
 
 export function Employee({
@@ -59,6 +60,7 @@ export function Employee({
   initialBackgroundCheck,
   initialBackgroundCheckBillingStatus,
   backgroundCheckStepEnabled,
+  memberBackgroundCheckExempt,
 }: EmployeeProps) {
   const searchParams = useSearchParams();
   const querySelectedTab: EmployeeTab =
@@ -67,6 +69,13 @@ export function Employee({
       ? 'background-check'
       : 'details';
   const [activeTab, setActiveTab] = useState<EmployeeTab>(querySelectedTab);
+  const [memberExempt, setMemberExempt] = useState(memberBackgroundCheckExempt);
+  const [lastSyncedExempt, setLastSyncedExempt] = useState(memberBackgroundCheckExempt);
+
+  if (memberBackgroundCheckExempt !== lastSyncedExempt) {
+    setLastSyncedExempt(memberBackgroundCheckExempt);
+    setMemberExempt(memberBackgroundCheckExempt);
+  }
 
   useEffect(() => {
     if (querySelectedTab === 'background-check') {
@@ -82,6 +91,7 @@ export function Employee({
           orgId={orgId}
           backgroundCheck={initialBackgroundCheck}
           backgroundCheckStepEnabled={backgroundCheckStepEnabled}
+          memberBackgroundCheckExempt={memberExempt}
         />
       }
     >
@@ -140,6 +150,8 @@ export function Employee({
                 initialBackgroundCheck={initialBackgroundCheck}
                 initialBillingStatus={initialBackgroundCheckBillingStatus}
                 backgroundCheckStepEnabled={backgroundCheckStepEnabled}
+                memberBackgroundCheckExempt={memberExempt}
+                onMemberBackgroundCheckExemptChange={setMemberExempt}
               />
             </TabsContent>
           )}
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,7 @@ export default async function EmployeeBackgroundCheckPage({ @@
               }
             }
             backgroundCheckStepEnabled={backgroundCheckStepEnabled}
+            memberBackgroundCheckExempt={employee.backgroundCheckExempt === true}
           />
         </PageLayout>
       );
@@ Expand Down @@