Digital Therapeutics Startup: Vibe-to-Prod Engagement

Vibe-to-Prod: Digital Therapeutics Startup

Problem

A seed-stage digital therapeutics company used Cursor and Claude to build a patient-facing CBT companion app in under three weeks. The demo impressed investors and early clinician partners, but the codebase had no auth beyond a hardcoded API key, patient session data was stored in an unencrypted SQLite file on a single Cloud Run instance, and there were zero tests. Their compliance counsel told them they couldn't onboard a single real patient until the system was HIPAA-ready.

What We Built

We ran a two-day production-readiness assessment, then executed the full vibe-to-prod playbook. We stood up a data platform first: Cloud SQL (PostgreSQL) with encryption at rest, a BigQuery warehouse for analytics, and event-driven ingestion pipelines so the application never touched the warehouse directly. Then we hardened the app layer: we added Firebase Auth with RBAC, migrated all PHI into properly scoped database schemas with audit logging, implemented row-level security, and wrote integration tests covering every patient data path. Finally, we deployed behind Cloud Armor with WAF rules, set up structured logging to Cloud Logging, and created runbooks for the two-person engineering team.

Outcome

Went from a demo that couldn't legally touch patient data to a HIPAA-compliant, BAA-covered production system in six weeks. The company onboarded its first clinical pilot cohort on schedule, and the data platform we built became the foundation for their Series A analytics story.
