Security & infrastructure.

Hardened hosting + observability + security protocols for the modern web stack. We treat it as the foundation, not a checkbox.

What this covers

The infrastructure and security baseline underneath everything else we operate. Hosting, DNS, TLS, the CDN configuration, the WAF rules, observability (logs, metrics, traces), backups, secret management, the deploy pipeline, the access-control story, and the incident-response runbook. The work that doesn’t show up on the marketing site but determines whether the marketing site exists at all on the day something goes wrong.

Where most agencies fall short

Most marketing-agency websites are hosted on a shared WordPress account where the agency reuses one set of credentials across thirty clients. The WAF is “we use Cloudflare’s free tier.” The backup story is “the platform takes nightly snapshots.” There is no incident-response runbook. There is no log retention. When something breaks — and it will — the response is “we filed a ticket.”

We operate at a different baseline because the work we ship demands it: the Vercel/Netlify CDN tier with WAF rules tuned to the application; a one-deploy-per-engineer access model; daily off-site backups to a separate provider; centralized log aggregation with retention measured in months, not days; PagerDuty or equivalent for the on-call rotation; a documented runbook for every public-facing surface.

What we operate

Hosting and CDN

Vercel, Netlify, or Cloudflare Pages for static sites; Vercel/Render/Fly.io for SSR; AWS or GCP where the workload justifies the operational overhead. We pick by the workload, not by the agency-relationship discount.

TLS, DNS, domains

Domain registration where the firm owns it; DNS on Cloudflare or Route53; TLS via the platform’s managed certs (Let’s Encrypt-backed) with auto-renewal monitored. We catch the certificate-expiry incident before the user does, every time.

WAF, rate limits, bot management

Cloudflare WAF for most clients (the managed ruleset is meaningfully better than the OWASP defaults at this point). Rate limits tuned per-endpoint. Bot-management rules that distinguish legitimate AI crawlers (per our GEO allowlist) from scraping abuse.

Observability

Centralized logs (Datadog, Better Stack, Axiom, or self-hosted with Loki where the workload justifies it). Metrics on the application-specific signals that matter — conversion-funnel completion, intake-form abandonment, API error rates. Alerting on what we can do something about, never on volume thresholds that just generate noise.

Backups and disaster recovery

Daily off-site backups to a separate provider (we don’t trust the platform’s snapshots as the only line of defense). Documented restoration procedure. We run a restore drill quarterly so the procedure is real, not theoretical.

Secret management

1Password Teams or HashiCorp Vault for secrets. Per-environment scoping. No long-lived credentials in CI logs or in the codebase. Service-account credentials rotated on a documented cadence.

Access control

Per-engineer credentials, never shared. SSO where the platform supports it. Audit logs retained for at least 12 months. Offboarding runs the same day as the engineer’s last day, every time.

What we don’t do

We don’t pretend to be a SOC. Real security operations (24/7 monitoring, incident response with regulatory disclosure obligations, formal compliance audits like SOC 2 Type II or HIPAA) require a specialized partner — Vanta, Drata, A-Lign, or a security firm that does that work full-time. We operate the day-to-day baseline and coordinate with that partner where the firm’s regulatory profile demands one.

Frequently asked questions

Do you do penetration testing?

We coordinate it; we don’t perform it. Real pen-testing is a specialized capability and we use named firms (Bishop Fox, NCC Group, Doyensec) that do it full-time.

What’s your incident-response time?

Within 15 minutes on PagerDuty alerts, 24/7. The runbook for each public-facing surface defines the escalation path; we follow it without exception.

Are you SOC 2 compliant?

The firm operates with SOC-2-compatible practices — access control, logging, vendor management, backup integrity — but we are not ourselves a SOC-2-audited entity, and we’d be lying if we said we were. If your business needs a SOC-2-attested vendor, we’ll tell you so and recommend partners that are.

Can you migrate us off our existing platform?

Usually yes, depending on the platform and the data. WordPress to Astro is a well-understood migration; Wix to anything modern is well understood; custom legacy stacks need a discovery phase before we can scope them. We’ve seen most of the migrations and we tell you what we don’t know up front.