Our Process

The governance journey

Ten structured stages. Every one reduces risk, adds verifiability, and builds the evidence base your investors, customers and regulators expect. At the end: a certified, production-ready product.

Stages: 01 Code Review · 02 Security · 03 Compliance · 04 Pen Test · 05 Performance · 06 Documentation · 07 Accessibility · 08 AI Validation · 09 Legal · ✦ Certification

01
Code quality & maintainability

AI Code Review & Refactoring

AI coding tools optimise for speed and functionality — not for the humans who will maintain the code for years afterward. We begin by making the codebase readable, structured, and defensible.

  • Full codebase review against industry coding standards
  • Modularisation and separation of concerns
  • Naming conventions and documentation baseline
  • Dead code identification and removal
  • Performance optimisation at the code level
  • Dependency audit — version pinning and update strategy
  • Technical debt register with prioritised remediation

02
Static analysis & security posture

Security Audit & Vulnerability Scanning

AI-generated code frequently produces authentication logic, input handling, and API patterns that appear functional but contain exploitable security flaws. We find them before your users — or attackers — do.

  • Static analysis for OWASP Top 10 vulnerabilities
  • Authentication and session management review
  • Input validation and injection vulnerability scan
  • Data handling: encryption in transit and at rest
  • Secrets management — hardcoded credentials and API key exposure
  • Third-party dependency vulnerability check (CVE database)
  • API endpoint exposure and access control review

03
GDPR, ISO 27001 & regulatory alignment

Compliance Checks

Regulatory compliance isn't optional for any product handling user data. AI tools don't reason about compliance — they generate code that functions. We ensure it functions within the legal and regulatory framework your product operates in.

  • GDPR compliance review — consent, data minimisation, right to erasure
  • Data residency and processor documentation
  • Privacy-by-design principles audit
  • Error handling and logging — no PII in logs
  • ISO 27001 alignment assessment (where required)
  • Cookie and tracking compliance
  • Data retention and deletion policy verification

04
Active exploitation testing

Penetration Testing — CREST Approved

A security audit finds what's visible in code. A penetration test finds what's exploitable in practice. We run active, structured penetration tests mapped to OWASP against your staging environment — never production. All penetration testing is delivered by CREST Approved engineers.

  • Comprehensive OWASP-mapped penetration test
  • Authentication bypass and privilege escalation
  • IDOR (Insecure Direct Object Reference) testing
  • API abuse and rate limit testing
  • Business logic vulnerability testing
  • Data exposure and over-fetching tests
  • Remediation plan for every finding with severity rating

05
Load testing & growth ceiling analysis

Performance & Scalability Testing

A product that works for ten users and fails for a thousand isn't production-ready. We simulate real load against your application and identify the architectural constraints before your growth curve reveals them.

  • Load simulation against expected user volumes
  • Stress testing to identify failure thresholds
  • Database query performance under concurrent load
  • CDN and asset delivery optimisation
  • API rate limit mapping under peak traffic
  • Concurrency and deadlock analysis
  • Scalability ceiling report with growth trigger thresholds

06
Handover-ready codebase

Documentation & Maintainability

AI-generated code is rarely documented for the development team that inherits it. A product is only commercially sustainable if it can be understood, extended, and supported by humans — with or without the AI tool that generated it.

  • Full codebase documentation (inline and external)
  • Architecture decision record (ADR) creation
  • API documentation and endpoint reference
  • Developer onboarding guide
  • Maintenance procedures and runbook
  • Known limitations and technical debt register
  • Support escalation structure

07
WCAG compliance & usability

UX & Accessibility Review

AI-generated UI is often functional but not accessible. WCAG compliance is increasingly a legal requirement — and a commercial expectation in enterprise and public sector contexts.

  • WCAG 2.1 AA compliance audit
  • Keyboard navigation and screen reader testing
  • Colour contrast and visual accessibility checks
  • Form label, error message and focus management
  • Mobile responsiveness and touch target review
  • Usability review against core user journeys
  • Accessibility remediation recommendations

08
Fairness, ethics & reliability

AI Model Validation & Bias Checks

If your product includes AI components — recommendations, classification, scoring, generation — those components need validation. Bias in AI outputs creates reputational, legal, and regulatory risk that no amount of clean code prevents.

  • AI output audit for consistency and reliability
  • Bias assessment across protected characteristics
  • Edge case and adversarial input testing
  • Hallucination and confidence calibration review
  • Human oversight and intervention point documentation
  • AI ethics alignment check
  • Ongoing monitoring recommendations

10
Governance certificate & deployment

Final Certification & Launch Readiness

When all governance stages are complete and findings remediated, we issue a final governance certification — a verifiable record that your product has been taken through our structured, CREST-approved governance process. Then we help you launch.

  • Final governance certification document
  • Executive summary safe for investor data rooms
  • Remediation verification — all critical/high findings confirmed closed
  • Launch readiness checklist sign-off
  • Deployment guidance for your hosting platform
  • Post-launch monitoring recommendations
  • Optional: CI/CD pipeline setup (see DevOps add-on)

Add-on service

Deployment & DevOps Readiness

Once governance is complete, we can set up everything needed for continuous, consistent, and secure deployment — from secure repository configuration through to automated CI/CD pipelines that carry your product from code commit to production reliably, every time.

  • Secure repository setup and access controls
  • Automated CI/CD pipeline configuration
  • Branch strategy and protection rules
  • Automated testing gates in the pipeline
  • Environment configuration management
  • Deployment rollback and recovery procedures
  • Monitoring and alerting setup
  • Developer team handover and pipeline documentation

Start the journey

Tell us what you've built. We'll tell you what it needs.

All projects are scoped individually. No off-the-shelf packages — the right governance stages for your product, your risk profile, and your timeline.
