Security & standards

Built carefully. Held to a high standard.

Every piece we make is built to the same baseline of security, privacy, and engineering quality — whether it is a small marketing site or a piece of software people rely on every day. These are the standards we hold ourselves to.

Privacy by default

We collect the minimum information required for a piece to work — no more. Analytics, where used, are anonymous and self-hosted or cookie-free. We never sell, share, or repurpose data collected on your behalf.

Data handling

Personal data is encrypted in transit (TLS 1.2+) and at rest. Access is restricted to the smallest possible set of people, with audit logs for sensitive operations. Backups are encrypted and tested.

Authentication & access

Where accounts exist, we use modern, well-audited authentication providers with secure password hashing, optional multi-factor authentication, and short-lived session tokens. Admin access is gated by strong, unique credentials and MFA.

Authorisation & row-level security

Every database query runs under explicit access rules. Roles are stored in dedicated tables, never on user records, to prevent privilege escalation. We default to deny — a user can only see and change what they have been explicitly granted.

Server-side validation

Anything submitted from a browser — form fields, uploads, URL parameters — is re-checked on the server before it is trusted or saved. We apply strict schemas, length limits, format checks and allow-lists as standard, so bad or malicious input never reaches your data.

Secrets management

API keys, signing secrets, and credentials are stored in encrypted secret stores, scoped per environment, and rotated on a regular cadence and on every relevant personnel change. Secrets are never committed to source control.

Dependencies & supply chain

We keep dependency trees small and deliberate. Each addition is reviewed. Automated scans flag known vulnerabilities, and we patch promptly. Build outputs are pinned and reproducible.

Hosting & infrastructure

Production runs on reputable edge hosting with DDoS protection, automatic TLS, and isolated environments for development, preview, and production. Logs are retained for a defined window and access is restricted.

Secure development lifecycle

Every change goes through review. Sensitive areas — authentication, payments, data exports — receive extra scrutiny. We run automated security scans on each build and address high-severity findings before release.

Webhooks & public endpoints

Public endpoints verify signatures before processing any payload. We use constant-time comparisons, validate inputs, and refuse anything that does not match the expected shape.

Accessibility & inclusion

Security includes the right to use a thing safely. We build to WCAG 2.2 AA, test with keyboard and screen readers, and treat accessibility as a baseline, not a feature.

Preparedness & continuity

Backups, monitoring and clear rollback paths are in place from day one, so the work stays reliable and recoverable. If anything ever needs attention, we have the processes ready to act quickly and keep you informed.