SERVICES / SECURITY & INFRA HARDENING
The security and infrastructure work that due diligence actually checks for.
Encryption at rest, working identity and access control, audit logging, and infrastructure that recovers cleanly from failure — built into the codebase, so your security-questionnaire answers hold up under scrutiny.
01
WHO THIS IS FOR
- Early-stage SaaS teams that know their security posture has gaps but don't have a security engineer on staff to close them.
- Companies preparing for a security questionnaire, SOC 2 process, or investor/enterprise-customer due diligence, and need the underlying engineering to match the answers on paper.
- Teams handling financial, health, or other regulated-adjacent data who need encryption and access control done correctly the first time.
02
WHAT'S INCLUDED
- Envelope encryption for sensitive columns: a two-tier key model — a root key (KEK) held in environment/secrets configuration, versioned to support rotation, wrapping per-tenant data encryption keys (DEKs). Sensitive fields (tokens, account identifiers, PII) are stored as AES-256-GCM ciphertext, with additional authenticated data bound to the tenant and column so ciphertext can't be silently moved between rows or tenants. Where encrypted fields need unique-index lookups, deterministic blind-index hashing replaces plaintext comparison.
- Identity and access control: WebAuthn/passkey support, TOTP multi-factor authentication with recovery codes, per-session revocation (so suspending a user takes effect immediately, not on next token expiry), and zero-trust fingerprint binding on the request paths that matter most (financial actions, admin surfaces, security self-service).
- Append-only audit logging on every sensitive read and write (actor, IP, user agent, timestamp), indexed so you can actually investigate an incident, not just tick a compliance box.
- CI/CD hardening: GitHub Actions pipelines with lint/typecheck/build gates, container vulnerability scanning (fails the pipeline on CRITICAL findings), and secrets that never touch the repository in plaintext (SOPS + age-encrypted secrets, decrypted only at deploy time on the target host).
- Backup and disaster recovery that's actually been exercised: a provisioning script that doubles as the recovery runbook, so "restore from backup" isn't a paragraph nobody's tested.
- Multi-stage Docker builds and docker-compose topologies that separate concerns (app, worker, database, tunnel) cleanly enough to reason about and to scan individually.
03
ENGAGEMENT SHAPES
- Assessment (1–2 weeks, fixed fee): a structured review against the categories above (encryption, access control, audit coverage, CI/CD, secrets, backup/DR), delivered as a prioritized report you can act on rather than a generic checklist.
- Sprint (2–6 weeks, fixed scope): close a specific, high-priority gap — e.g., "move access tokens from plaintext to envelope-encrypted columns" or "add MFA and session revocation to the auth flow."
- Retainer: ongoing security engineering as the product surface grows: new sensitive data types, new integrations, new compliance requirements.
04
FAQ
Q1We're pre-revenue — is this overkill for us?
Depends what you're storing. If it's financial data, health data, or anything an enterprise customer's security team will ask about, the cost of retrofitting encryption and access control after the fact is materially higher than building it in from the start. The assessment will give you a straight answer on what's actually urgent versus what can wait.
Q2Can you help us pass a SOC 2 audit or fill out a security questionnaire?
The engineering work here (encryption, access control, audit logging, CI/CD hardening) is exactly what those processes check for, and having it actually implemented makes both go faster. To be clear, this isn't a compliance-paperwork service. It's the underlying engineering the paperwork is supposed to attest to.
Q3Do you handle infrastructure (servers, Docker, deploy pipelines) or only application code?
Both, and I treat the two as one problem. Encrypting a column doesn't help if the key management around it is sloppy, and a clean data model doesn't help if the deploy pipeline leaks secrets into logs.
GET IN TOUCH