Trust Compliance

Compliance work we have done.

HIPAA-aware healthcare projects, GDPR data handling for EU clients, WCAG 2.1 AA accessibility on every public surface, SOC-style reporting for enterprise procurement. The compliance work below is shipped, not aspirational.

Documentation packets ready before procurement asks

Compliance is a procurement requirement for most enterprise engagements. It is also an engineering requirement, one that can be done well or done badly. We treat it as engineering. Read the regulation, identify the technical safeguards, build them in, document them, and have the documentation ready before procurement asks.

Where we have shipped

Six compliance areas covered today.

Not a checklist of intentions. Each area below describes work shipped on customer projects that passed compliance review.

01

HIPAA-aware engineering

We have shipped patient-portal and provider-facing applications under HIPAA. PHI never lands on systems we control. Audit trails, access controls, and encryption-at-rest follow HIPAA technical safeguards. BAA signed with hosting partners as needed.

PHI handled with the controls auditors expect to see.

02

GDPR data handling

Standard DPA available before any customer PII enters our systems. Data minimization is the default. Right to be forgotten, data export, consent management, all built into the projects we ship for EU clients.

GDPR compliance baked into the project, not bolted on.

03

WCAG 2.1 AA accessibility

Every public-facing surface we build targets WCAG 2.1 AA conformance. Semantic HTML, keyboard navigation, screen reader support, color contrast checks, focus indicators. Accessibility audits run before launch, not after a complaint.

Accessible by build, not by retrofit.

04

PCI-aware payment flows

For payment integrations we use Stripe, PayPal, or your existing PCI-DSS compliant processor. Card data never touches our infrastructure. Tokenized flows, hosted fields, webhook signature validation, the standard PCI-aware patterns.

Payment integrations stay within the processor's PCI scope.

05

SOC-style reporting

For enterprise procurement we provide SOC-style summaries covering access controls, change management, incident response, and vendor management. Not a SOC 2 audit, but the documentation enterprise vendor reviews ask for.

Procurement reviews close in days, not months.

06

Industry-specific compliance

We have shipped projects under FERPA for education clients, GLBA for finance clients, and various country-specific regulations. The pattern is the same: read the regulation, identify the technical safeguards, build them in, document them.

New regulations get treated as engineering requirements.

Accessibility as a default

WCAG 2.1 AA is the bar for every public-facing surface we build. Semantic HTML, keyboard navigation, screen reader support, color contrast checks, focus indicators, alt text on every image. Accessibility audits run before launch using axe-core, manual keyboard testing, and screen reader walkthroughs.

For projects that target WCAG 2.2 AA or AAA, we adjust the bar accordingly and adjust the timeline to match. AAA conformance has implications for design choices that we discuss in discovery.

Documentation packets

Procurement reviews are faster when documentation is already in place. We maintain ready-to-share packets for the common compliance asks: GDPR DPA, security questionnaire responses, HIPAA technical safeguards summary, accessibility audit template, vendor security overview.

Most enterprise procurement reviews close within two weeks of project kickoff because the documentation does not need to be written from scratch.

What we do not claim

We are not SOC 2 certified. We are not a HIPAA covered entity. We do not sell PCI-DSS compliance attestations. We are an engineering partner that works inside customer compliance frameworks, not a compliance vendor. If your project needs a certification we do not hold, we tell you up front and recommend the right partner for that piece.

Common questions

Frequently asked

  1. Are you SOC 2 certified?

    No, we are not SOC 2 certified. We are a small product engineering team and a SOC 2 audit is not currently on the roadmap. We do provide SOC-style documentation that covers the controls auditors look for, which has been sufficient for the enterprise procurement teams we work with.

  2. Can you work under our existing BAA or DPA?

    Yes. We adapt to your existing legal framework. If your BAA or DPA needs a counterparty signature, we sign before any data flows. Standard terms work for most engagements.

  3. Do you handle HIPAA covered entities directly?

    We work as a business associate to covered entities, not as a covered entity ourselves. Hosting and infrastructure are routed through HIPAA-eligible vendors with BAAs in place.

  4. What about country-specific regulations like LGPD or POPIA?

    Same pattern as GDPR. Read the regulation, identify the technical safeguards, build them in, document them. We have shipped projects under LGPD (Brazil) and POPIA (South Africa) by following the same engineering approach we use for GDPR.

Need a compliance documentation packet?

Tell us what your procurement team is asking for.

Standard compliance documentation ships within four business hours of request. Bespoke questionnaires complete within four business days.