Custom software for those who can't afford to get security wrong.
We develop custom software for companies in contexts where security, compliance and reliability aren't optional. Security-by-design, privacy-by-design, structured audit logs, granular access control. Your DPO will thank you.
What we do, concretely, in custom software for regulated industries.
-
NIS2-compliant software
Applications designed to fit a NIS2 compliance program: structured audit trail, MFA, encryption at-rest and in-transit, incident monitoring, vulnerability management.
-
AgID-compliant software for the Italian Public Administration
Applications that respect AgID guidelines for design, accessibility (WCAG 2.1 AA + EN 301 549), interoperability via standard APIs, SPID/CIE/PagoPA integration.
-
Healthcare applications, GDPR-by-design
Software for clinics, polyclinics, and medical practices with patient data managed per GDPR article 9. Encryption, access profiling, immutable logs, separation of identifying and clinical data.
-
Enterprise systems with structured audit logs
Every action tracked in an immutable, exportable, queryable way for internal or regulatory audits. Ready for inspections by the Italian Garante, AgID, or third-party auditors.
-
Applications with granular access control
Custom RBAC (role-based) or ABAC (attribute-based), with role segregation for compliance. Multi-level approvals, just-in-time access, automatic credential rotation.
-
DORA-compatible fintech software
Applications designed to fit a DORA program for the financial sector: business continuity, incident management, third-party risk, ICT risk management framework.
How we work, specifically.
-
01 REQUIREMENTS
We map applicable regulatory requirements (NIS2, GDPR, AgID, DORA, AI Act, ISO 27001) and translate them into technical specifications.
-
02 THREAT MODEL
STRIDE analysis, attack surface identification and mitigations. Design decisions made in full awareness of risks.
-
03 DESIGN
Secure-by-design architecture, choice of appropriate stack and tooling. All documentation versioned, ready for audit.
-
04 BUILD
Development with a secure SDLC, mandatory code review, automated SAST and DAST, continuous dependency scanning.
-
05 AUDIT
Pre-release penetration testing, compliance validation with external auditors when required, evidence kit for inspections.
Specific solutions for custom software for regulated industries.
-
NIS2-compliant software
Technical controls required by NIS2 implemented in the software.
-
GDPR-by-design software
Privacy in architectural decisions, not as a feature bolted on later.
-
AgID-compliant software for the Italian PA
AgID guidelines, accessibility, interoperability, SPID/CIE/PagoPA.
-
ISO 27001-compatible software
For those who are ISO 27001 certified or want to get there.
-
Healthcare GDPR software
Clinics, polyclinics, medical practices handling sensitive health data.
-
DORA-compliant fintech software
Operational resilience, incident management, third-party risk for finance.
-
Energy & utilities NIS2 software
Energy sector within the extended 2026 NIS2 perimeter.
Where this approach works best.
-
Healthcare
GDPR article 9 on health data, NIS2 for facilities above threshold.
-
Manufacturing
NIS2 supply chain, OT security, MES integration with compliance.
-
Finance
DORA, MiFID II, EBA Guidelines, strict constraints on ICT risk.
-
Public Administration
AgID, Digital Administration Code, mandatory accessibility.
Frequently asked questions.
What does security-by-design software mean?
It means integrating security into architectural decisions from day one, not bolting it on at the end of the project. Concretely: threat modeling before code, encryption at-rest and in-transit by default, principle of least privilege in permissions, structured audit log for every sensitive action, MFA on all privileged accesses. Building this way is far cheaper than retrofitting security afterwards.
Do you build NIS2-compliant software?
Yes. We build applications with the technical controls required by NIS2: incident management, encryption, MFA, audit log, continuous monitoring, business continuity. Important: your organization's NIS2 compliance also requires organizational policies, governance and processes, which remain your responsibility. The software we deliver is one piece, not the entire compliance program.
Do you also handle the client's overall compliance?
No. We build compliant software. Overall compliance (legal, organizational, procedural) stays with your DPO, CISO, or compliance consultant. We work well alongside these roles: we deliver technical evidence, exportable audit logs, security documentation, support for third-party audits. But we don't replace specialist compliance consultancy.
How do you audit software that you have developed?
We provide an audit kit with: complete architectural documentation, up-to-date threat model, exportable structured logs, evidence of security tests performed (SAST, DAST, penetration test), code review reports, access policies. We directly support third-party auditors during on-site reviews. All documentation is versioned and kept in sync with the code.
What changes with the AI Act for the software you develop?
The AI Act introduces technical requirements for software that uses AI in "high-risk" ways (e.g. HR decisions, credit scoring, biometric applications). For these cases we implement user transparency, decision logging, bias assessment, human oversight, robustness testing. For software without AI or with "minimal-risk" use, the impact is nil. We assess the risk classification during requirements.
Do you work with the public sector?
Yes. We build AgID-compliant software for the Italian PA: design guidelines, accessibility WCAG 2.1 AA + EN 301 549, interoperability via standard APIs, SPID/CIE/PagoPA integration. We can be selected via MePA, direct assignment, or open tenders. The dedicated /pubblica-amministrazione/ page contains the operational details.
Got a case to tell us about? Let's begin.
A real conversation with the people who will build the software. No automated quotes, no sales bots.