Requirements Discovery
Structured workshops, stakeholder interviews, and process mapping sessions to surface real requirements and uncover hidden complexity early.
UX/UI Design
High-fidelity Figma designs, interactive prototypes, and component libraries. Designs are tested with stakeholders before development starts.
Information Architecture
Sitemap design, user journey mapping, and navigation strategy to ensure your platform is intuitive and scalable from day one.
Responsive & Accessible Design
Mobile-first, WCAG 2.1 AA compliant designs that work flawlessly across all devices and are inclusive to all users.
- Project brief & requirements document
- Wireframes & user journey maps
- High-fidelity Figma designs (all breakpoints)
- Interactive prototype for stakeholder review
- Component / design system library
- Technical architecture document
- Project plan & sprint structure
- Acceptance criteria per user story
.NET / ASP.NET Core / Blazor
Full-stack Microsoft development. Blazor WebAssembly, Blazor Server, Blazor Hybrid, and ASP.NET Core Razor Pages — we specialise where others generalise.
API Design & Integration
RESTful APIs, GraphQL endpoints, and complex third-party integrations. Versioned, documented, and secured from the outset.
Database Engineering
Relational and NoSQL databases designed for performance and scalability. Schema design, migration strategies, and query optimisation.
Quality & Testing
Unit, integration, and end-to-end testing baked into every sprint. Code reviews on every commit. No release escapes without validation.
- Working software to staging every week
- Daily standups & progress transparency
- Code review on every pull request
- Automated test coverage enforced
- Git-based version control (GitHub / Azure DevOps)
- Semantic versioning & release tagging
- Technical documentation maintained
- Responsive to change requests within the sprint
CI/CD Pipelines
Automated build, test, and deployment pipelines. Every commit triggers a build; every merge triggers a staged deployment with quality gates.
Environment Management
Dev, Staging, and Production environments with parity. No more "works on my machine" — environments are code-defined and reproducible.
Branching Strategy
GitFlow or trunk-based development depending on team size and release cadence. Enforced branch policies, protected main branches, and PR templates.
Infrastructure as Code
All infrastructure defined in version-controlled code. Reproducible, auditable, and disaster-recovery ready. No more manual cloud console clicking.
Containerisation
Docker containerisation for consistent deployments across environments. Container orchestration via Azure Container Apps or AKS for scalable workloads.
Release Management & Rollback
Controlled release gates, approval workflows, and instant rollback capability. Zero-downtime deployments using blue/green or canary strategies.
OWASP Top 10 Protection
Every application is hardened against the OWASP Top 10: injection, XSS, insecure deserialisation, broken access control, and more — by default.
Authentication & Authorisation
Modern identity flows with OAuth2, OpenID Connect, and Azure AD B2C. MFA enforcement, role-based access control, and zero-trust principles.
Data Encryption
Data encrypted at rest and in transit. TLS 1.3 enforced. Sensitive fields encrypted at the application layer with managed key rotation.
Secrets Management
Zero secrets in code. All credentials, connection strings, and API keys managed via Azure Key Vault with access policies and audit logging.
GDPR & UK GDPR Compliance
Data protection built into architecture: right to erasure, data minimisation, consent management, and DPA-compliant processing agreements.
Dependency & Supply Chain Security
Automated vulnerability scanning on every build. Dependabot alerts, NuGet audit, and Software Composition Analysis to catch issues before they ship.
- Security headers configured (CSP, HSTS, X-Frame-Options)
- API rate limiting & throttling
- Audit logging on sensitive operations
- Error handling without sensitive data exposure
- Least-privilege access on all service accounts
- Security review checklist per release
Black-Box Assessment
External attacker simulation with no prior knowledge of the target. Tests from a real-world attacker's perspective: reconnaissance, enumeration, exploitation.
Grey & White-Box Assessment
Credentialed and source-level testing for deeper coverage. Finds vulnerabilities that external scans miss — logic flaws, privilege escalation, IDOR.
Web Application Testing
Full OWASP Web Security Testing Guide (WSTG) methodology. SQL injection, XSS, SSRF, XXE, authentication bypass, session management flaws.
API Security Testing
REST and GraphQL API testing for broken object level authorisation, mass assignment, API key exposure, and rate-limit bypass.
CVSS Risk Scoring & Reporting
Every finding scored using CVSS v3.1. Executive summary, technical findings, proof-of-concept evidence, and prioritised remediation guidance.
Remediation & Retest
We don't just find it and leave. Remediation guidance, developer walkthrough, fix validation, and formal retest with sign-off letter.
Stripe
Full Stripe integration: Checkout, Payment Intents, Subscription billing, Connect (marketplaces), Invoicing, and Customer Portal. SCA-ready out of the box.
PayPal & Alternatives
PayPal Orders API, Braintree, BACS Direct Debit (via GoCardless), and open banking payment initiation. We implement what your customers prefer.
PCI DSS & SCA Compliance
PCI DSS scope reduction via hosted fields and tokenisation. SCA / 3DS2 authentication flows that comply with FCA requirements and reduce friction.
Webhooks & Event Processing
Idempotent webhook handlers with signature verification, retry logic, dead-letter queues, and full event audit logging. Reliable at scale.
Subscription & Billing Engines
Complex subscription logic: trials, upgrades, downgrades, proration, metered billing, and dunning management. Built for SaaS and recurring revenue models.
Reconciliation & Reporting
Payment reconciliation hooks, payout reporting, and financial data exports. Connects to your accounting systems (Xero, QuickBooks) where needed.
Azure App Service & Container Apps
Right-sized hosting for your workload. App Service for straightforward web apps; Container Apps for microservices and event-driven scaling.
Azure Kubernetes Service (AKS)
Enterprise container orchestration for high-traffic, complex microservice architectures. Managed upgrades, auto-scaling node pools, and service mesh.
Azure Front Door & CDN
Global load balancing, intelligent routing, WAF integration, and edge caching at 200+ global PoPs. First-byte time under 100ms worldwide.
Database as a Service
Managed database services with automated backups, point-in-time restore, geo-replication, and connection pooling. No DBA overhead for clients.
Auto-Scaling & Load Balancing
Rule-based and metric-driven scaling that responds to real demand. Handle Black Friday traffic spikes without over-provisioning on quiet days.
Multi-Region & Disaster Recovery
Active-passive and active-active multi-region deployments. Azure Traffic Manager, geo-redundant storage, and tested DR runbooks.
Application Performance Monitoring
Azure Application Insights and custom dashboards tracking response times, failure rates, dependency health, and business KPIs in real time.
Alerting & Incident Response
Proactive alerting on anomalies, error spikes, and latency thresholds. On-call escalation paths and defined incident response runbooks.
Cost Management & Optimisation
Monthly cost reviews, rightsizing recommendations, reserved instance analysis, and Budget Alerts. We actively reduce your Azure bill.
Centralised Logging
Log Analytics workspace aggregating all application, infrastructure, and security logs. Queryable via KQL with long-term retention policies.
Scheduled Maintenance
Planned maintenance windows for OS patching, certificate renewals, dependency updates, and infrastructure upgrades — communicated and agreed in advance.
Monthly Reporting
Concise monthly reports covering uptime, performance trends, cost summary, security events, and upcoming actions. Always kept in the loop.
Virtual Networks & Network Security
Azure VNets, subnets, NSGs, and Private Endpoints. Applications isolated from the public internet wherever possible. Inbound traffic controlled by policy.
DNS & SSL/TLS Management
Azure DNS zones, custom domain management, and automated SSL/TLS certificate provisioning via Azure-managed certificates or Let's Encrypt, with auto-renewal.
Backup & Disaster Recovery
Automated daily backups with configurable retention. Point-in-time restore for databases. Tested restore runbooks with documented RTO/RPO targets.
Infrastructure as Code
All infrastructure defined in Terraform or Bicep, version-controlled in Git, with state management and change-managed deployments. No manual portal changes.
Zero-Trust Architecture
Never trust, always verify. Managed Identity for service authentication, conditional access policies, and micro-segmentation for sensitive workloads.
Observability & Telemetry
OpenTelemetry instrumentation, distributed tracing, and infrastructure metrics feeding into centralised Log Analytics. Full visibility across every layer.
Managed or Partnered — Your Choice
Assemblysoft can fully manage your cloud infrastructure directly on your behalf, acting as both development and infrastructure partner with clear internal separation. Alternatively, where you prefer an independent third party for security oversight, we coordinate cleanly alongside them — defined boundaries, no overlap, both directly accountable to you.
Independent Security Oversight
Security policy management, access event monitoring, and authentication controls are handled entirely outside the development team. Security events are visible to the client directly — no single party controls both the code and the keys.
Backup Management
Automated backups of application data and databases, stored in isolated storage inaccessible to the live system. Retention policies defined and enforced. Backup integrity verified through scheduled restore tests — not merely assumed.
Disaster Recovery Planning
A documented disaster recovery runbook covering infrastructure failure, data loss, and ransomware scenarios. Agreed RTO and RPO targets defined upfront. The ability to restore the full platform from a known-good state is tested — not theoretical.
Health Monitoring & Alerting
Continuous independent monitoring of system availability, performance, and security events. Alert escalation paths agreed upfront. The client and infra partner receive alerts directly — not filtered through the development team.
Client Retains Full Ownership
The client owns the cloud environment and all infrastructure. Both the development partner and the infrastructure security partner operate within it under clearly scoped contractual arrangements — client control is always paramount.
- Developer access and security administration are kept strictly separate
- No single party can access both application code and cloud security controls
- Backups are stored independently of the live environment and the development team
- Backup restoration is periodically verified — not assumed to work when needed
- Security events and access logs are visible directly to the client
- A documented DR plan exists before it is ever needed
- Infrastructure failure and data loss scenarios are planned for, not reactive
- Vendor risk is distributed — no single supplier controls the full stack
- Client retains ownership; partners are removable and replaceable independently
- Meets industry best practice for separating development from infrastructure governance
Option B — We work alongside an infra partner. If you already have an IT support company, managed service provider, or a preferred infrastructure security partner, we coordinate directly with them. If you don't, Assemblysoft can introduce a trusted infra partner from our network — we handle the handover, access boundaries, and architectural documentation so the relationship starts cleanly from day one. Either way, we ensure they have full visibility without requiring development-team involvement in ongoing security operations.
Either model delivers the same outcome: your cloud environment is properly managed, security oversight is independent of day-to-day development, and you remain in control throughout.
Compliance Automation with Vanta
Vanta continuously monitors your cloud infrastructure, code repositories, HR processes, and SaaS vendor risk against globally recognised security frameworks. Evidence is collected automatically and mapped to controls — no manual spreadsheet audits, no last-minute scrambles before an audit window.
SOC 2 Type II Certification
The de facto standard for SaaS vendors selling to enterprise customers. Vanta automates readiness tracking across all five Trust Service Criteria. Assemblysoft aligns your SDLC, access controls, and cloud architecture to SOC 2 requirements from the very first sprint — not as a retrofit.
ISO 27001 & GDPR Alignment
International and European compliance obligations covered within a single platform. Vanta maps controls across frameworks simultaneously — SOC 2, ISO 27001, and GDPR alignment without duplicating effort, documentation, or auditor time. One evidence base, multiple certifications.
Continuous Control Monitoring
Rather than point-in-time audits, Vanta monitors your security controls continuously. Gaps are surfaced in real time — not discovered months later during an audit cycle. Failing controls trigger immediate alerts, and remediation tasks are tracked directly in the platform.
Enterprise Sales Enablement
Security questionnaires from enterprise prospects answered in minutes via Vanta's Trust Centre. Compliance certification removes the single biggest technical blocker to enterprise and regulated-sector deals — transforming security posture from a blocker into a commercial differentiator.
Assemblysoft-Guided Onboarding
We prepare your codebase, cloud infrastructure configuration, and SDLC policies for Vanta monitoring before it begins — ensuring you start from a strong, well-architected baseline rather than inheriting a remediation backlog on day one of your compliance journey.
- Continuous automated evidence collection replaces manual audit preparation entirely
- Security control gaps surfaced in real time — not discovered during annual audit cycles
- SOC 2 Type II certification unlocks enterprise and regulated-sector customer segments
- SDLC practices and access controls aligned to compliance requirements from sprint one
- Vendor and third-party security risk monitored continuously, not just internal controls
- Cross-framework mapping means SOC 2, ISO 27001, and GDPR compound, not duplicate
- Assemblysoft ensures the codebase and infrastructure are compliance-ready before go-live
- Trust Centre gives prospects instant self-service visibility of your security posture
- Compliance status continuously maintained — not a once-a-year remediation sprint
- Starting from a well-architected baseline significantly accelerates time to first certification
MSA-Governed Engagements
All work governed by our Master Services Agreement. Proposals (SOWs) define scope, timeline, and fees per engagement. No ambiguity on what's included.
Transparent Billing
Time & materials billed weekly. Day rates per the published rate card. Invoices within 7 days. No retainers. No surprises. Pause anytime with 1 week's notice.
Intellectual Property
Bespoke deliverables assigned to you on full payment. Assemblysoft retains Background IP (frameworks, CI/CD templates, reusable modules) licensed royalty-free to you.
Data Protection
Assemblysoft acts as Data Processor under UK GDPR. A Data Processing Agreement is included in the MSA. We never use client data for any purpose beyond the engagement.
Termination & Transition
30 days' written notice for convenience. Immediate for material breach. All paid IP assignments remain valid. Transition support is chargeable as a separate engagement.
Rate Card
Published day rates by role and seniority. Reviewed annually. All-inclusive — no hidden extras beyond the agreed day rate.
| Role | Day Rate (per day) |
|---|---|
| Junior Developer / QA Tester | £300–£350 |
| UX / UI Designer | £380–£440 |
| Mid-Level Developer / DBA | £400–£460 |
| Project Manager / DevOps | £460–£520 |
| Senior Developer | £500–£550 |
| Software Architect / AI Dev | £600–£700 |
- No fixed-price bids unless expressly stated in writing
- Scope expansion requires revised SOW before commencement
- Work begins only on receipt of signed SOW and initial payment
- Infrastructure operating costs are client-borne (Azure, GitHub, CDN, etc.)
- 30% infrastructure management fee applies where Assemblysoft manages cloud environments
- Late payments accrue statutory interest under the Late Payment Act 1998
- Governed by the laws of England & Wales
- All engagements require appropriate cyber insurance from the client