Regulated environments
Experience you can audit.
Healthcare, payments, financial services, privacy regimes: a decade of delivering to the frameworks that govern them. What follows is the evidence — case studies you can read, and practices you can inspect — not adjectives.
Hard evidence
The record, engagement by engagement.
Every line below cites the framework the engagement was delivered to or under, and links to a published case study. Where the client is anonymized, it’s because the engagement shipped under NDA — the work is real either way.
- HIPAA · Healthcare
  A multi-tenant ePHI architecture on AWS — VPC isolation, CloudTrail/CloudWatch audit logging, minimum-necessary IAM — designed HIPAA-compliant from day one.
  Designing a HIPAA-compliant infrastructure for a startup in the mental health industry →
- PCI DSS · Incident response
  A card-skimming breach contained, the platform patched current, and the client carried through PayPal’s digital-forensic (DFIR) investigation and bank inquiries to closure.
  Securing e-commerce with a swift response to a card skimming attack →
- PCI DSS · Payments
  An automated card-testing attack halted within hours; payment processing restored in under two weeks — hardened, with a backup processor and anomaly alerting in place.
  Preventing and responding to card testing attacks for e-commerce →
- HIPAA · Healthcare data
  Four disconnected systems unified into one governed warehouse with self-serve BI, for a multi-location pharmacy group inside a growing healthcare organization.
  From siloed tools to a single source of truth: a data platform and self-serve BI for a pharmacy group →
- GIPS · Financial services
  GIPS attestation software handling billions in composite-return calculations — years of encoded financial logic kept stable and advancing through a critical staffing transition.
  Handling billions in portfolio calculations with a fractional team →
- GDPR / CCPA / ISO/IEC 27701 · Data minimization
  Client-side vendor scripts replaced with one server-side stream: sensitive parameters stripped before transmission, every vendor receiving only the minimum necessary data.
  Maximizing client opportunity by transforming data collection for the cookieless future →
- GDPR / ISO/IEC 27701 · Global data governance
  Standardized, compliant data collection across a global gaming portfolio — runbooks, an SOP wired into the development lifecycle, and 7.5× faster launches.
  Restructuring data collection creates 7.5x faster launches for a global gaming brand →
Delivering in regulated environments
When the rules are non-negotiable, that’s our comfort zone.
The frameworks we design and deliver to — not certifications we hold.
- HIPAA (Health Insurance Portability and Accountability Act): Federal safeguards for protected health information (PHI).
- HITRUST CSF (HITRUST Common Security Framework): Certifiable framework harmonizing healthcare security and privacy controls.
- SOC 2 Type II (Service Organization Control 2): Audited operating effectiveness of security controls over time.
- ISO/IEC 27001 (Information Security Management): International standard for an information security management system.
- ISO/IEC 27701 (Privacy Information Management): Privacy extension to 27001 for managing personal data (PII).
- GDPR (General Data Protection Regulation): EU framework governing personal-data collection, processing, and transfer.
- CCPA / CPRA (California Consumer Privacy Act): California rights over collection, use, and sale of personal data.
- COPPA (Children's Online Privacy Protection Act): U.S. protections for the online privacy of children under 13.
- PCI DSS (Payment Card Industry Data Security Standard): Controls for securely handling and storing payment-card data.
- NIST PF 2.0 (NIST Privacy Framework): Risk-based model for identifying and managing privacy risk.
- NIST CSF 2.0 (NIST Cybersecurity Framework): Govern–identify–protect–detect–respond–recover risk management.
- CIS v8 (CIS Critical Security Controls v8): Prioritized safeguards for modern cloud and hybrid environments.
…and the rest of the alphabet soup. Tell us your regime — we’ll meet it.
Operating posture
Process that stands up to diligence.
Compliance fails in the gaps between intentions and habits. These are the habits — and this site is built under the same rules, so run Lighthouse on it.
- Decisions on the record: Significant architecture decisions are written down as decision records when they’re made — so a reviewer can read why the system is the way it is instead of reverse-engineering it.
- Infrastructure as code: The config plane lives in version-controlled Terraform: reviewable, repeatable, and diffable. No console drift, no tribal knowledge standing in for an audit trail.
- A gated path to production: Protected mainline; every change passes type checks, lint, unit and end-to-end tests, and performance budgets before it ships. A red build is a stop-the-line event.
- Privacy and minimum necessary by default: Privacy-first analytics with no cookie banner, PII collected minimally and retained deliberately, secrets kept out of source control, least-privilege access.
- Accessibility as a floor: WCAG 2.2 AA is a non-negotiable on everything we ship — semantics, keyboard, focus, contrast — not a remediation project after launch.
- Your perimeter, your tools: We work inside your cloud accounts, your repositories, your access controls, and your work OS — so nothing about the engagement weakens the boundary you answer for.
For the procurement file
Three things we’d rather say now than in the review.
We deliver to your framework. We are not your auditor.
We design and engineer to the controls and produce the artifacts an assessor asks for — architecture and data-flow diagrams, decision records, audit logging, runbooks. Certification of your organization stays with your auditor, where it belongs.
Confidentiality is the norm here.
Most regulated engagements ship under NDA — it’s why several of the case studies above are anonymized. We’ll share what we can, and tell you plainly what we can’t.
Bring the questionnaire.
Security questionnaires, vendor reviews, and procurement diligence are an expected part of working with us — answered directly by the senior people who do the work, not a proposals team.
Have a framework to meet?
Tell us the standard and the deadline. We reply within one business day.