Compliance & regulated builds
Built for regulated industries.
If your product touches health records or European personal data, compliance can't be an afterthought. We've built under HIPAA and design to GDPR — and we sign the agreements to back it.
HIPAA
For products handling Protected Health Information. See our healthcare software development.
- Protected Health Information (PHI) treated as sensitive from day one — encrypted in transit and at rest, access logged and scoped to least privilege.
- Audit trails on access to health records, so who-saw-what is answerable.
- Role-based access control and secure authentication designed into the data model, not added later.
- We will sign a Business Associate Agreement (BAA) before handling PHI.
GDPR
For products processing EU personal data. Backed by a signed Data Processing Agreement.
- Data-minimisation by design — we collect and retain only what the product genuinely needs.
- Support for data-subject rights: access, export and deletion built into the product where it applies.
- Clear separation of personal data, with encryption and access controls around it.
- We provide a signed Data Processing Agreement (DPA) where we process EU personal data on your behalf.
A straight word on this: compliance is a property of your whole operating environment — code, hosting, policies and people — not the software alone. We build the technical foundations right and sign the agreements we can stand behind. We'll always be clear about the line between the practices we follow and formal third-party certifications we don't currently hold.
Compliance FAQ
Can you build a HIPAA-compliant application?
Yes. We've built software that handles Protected Health Information under HIPAA, and we design for it from the start — encryption, audit logging, least-privilege access and role-based controls. We will sign a Business Associate Agreement before handling PHI. Note that HIPAA compliance is a property of the whole operating environment, not just the code, so we work with you and your hosting/operations to get there.
Do you sign a BAA?
Yes — we sign a Business Associate Agreement before we handle any Protected Health Information on your behalf.
Are you GDPR compliant?
We follow GDPR data-handling practices — data minimisation, support for data-subject rights, and encryption and access controls around personal data — and we provide a signed Data Processing Agreement where we process EU personal data for you.
Do you hold SOC 2 or ISO 27001 certification?
Not currently. We follow the security practices those frameworks are built on — code review, environment isolation, least-privilege access and a secure development lifecycle — and we're transparent about the difference between practising those controls and holding a formal third-party certification. If your procurement requires a specific attestation, tell us early and we'll be straight with you about what we can and can't provide.
First time hiring a dev team?
Our fixed-price Scoping Sprint lets you see how we work before you commit — and you keep everything we produce.