Security overview
We build software for regulated and security-conscious teams. Every standard engagement ships with secure defaults: encrypted transport, least-privilege access, audited deploys, and observable operations.
Application controls we ship
- Schema-validated inputs and rate limiting on sensitive routes
- OIDC + role-based access control with short-lived tokens
- Correlation IDs and structured logging across services
- Immutable audit events for privileged and financial actions
- Content security headers and hardened cookie policies
- SBOMs and dependency scanning on every release
How we operate
Engineers work from managed devices with disk encryption and MFA on all production-adjacent accounts. Customer data is segregated by project, and access is revoked when an engagement ends.
Disclosure
Report suspected vulnerabilities via our responsible disclosure channel.