Ownership, handover, clinical governance, GDPR and accountability. Each answer is backed by a working system, a measured number or a documented process, and where something isn't proven yet, I say so. Full data files available on request.
Code, data, IP, accounts, infrastructure and content sit in IRP's name from day one. I work inside your accounts as an admin — never as the owner.
Product and technical delivery, the operating model, specialist coordination, and early escalation when anything is at risk — with options, not just problems.
Including me. Documentation written during the build, runbooks validated by someone who isn't me, and a hard rule before any clinical data phase.
Four guided walkthroughs, as requested on the call, including the back-end and admin systems. Live demo links available on request.
Multi-tenant legal-practice platform — role-based access, AI-assisted case analysis and document drafting. The same tenant-isolation and AI-grounding architecture the IRP knowledge assistant builds on.
The white-label, multi-tenant evolution of My Therapy — each therapist gets a branded site, booking flow, Stripe invoicing and AES-encrypted clinical notes.
Multi-tenant SaaS for contractors — quotes, invoicing and Stripe payments, with Irish VAT and RCT tax compliance.
Mobile-first, offline-capable surveying tool for renovation projects — from survey through quote to handover.
Everything sits in IRP's name from day one: GitHub organisation, hosting, database, domain, payment and email accounts. I work as an admin inside your accounts; secrets live in the platform's secret store, never with me. Documentation — setup, architecture, deployment, runbook, account register — lives in the repository and is written during the build, not at the end. Exit process: your replacement walks the system with me, deploys it themselves, verifies a backup restores, takes the open issues — then you revoke my access.
Today it's one — I won't pretend otherwise. How it changes: from week one, everything needed to replace me exists outside my head. Before the Summit, a developer who isn't me — anyone you nominate, even for one day — proves they can deploy and roll back using only the documentation. If they can't, the documentation has failed and I fix it. During the event I'm on call for the full window with a rehearsed sub-30-minute rollback that a briefed non-expert can execute.
Documentation lives in the repository beside the code and changes with it: how to run it, the architecture, how to deploy and roll back, which external accounts exist and who owns them, and a decision log recording not just what was decided but why — and what would trigger revisiting it. Every incident postmortem is kept too, so a future team inherits the platform's operational history, not just its code. IRP owns all of it.
Through an admin dashboard with a fixed lifecycle — draft → clinical review → approved → published → retired — with versions, review dates, citations and a full audit trail on every item. The AI assistant can only draw on content marked approved. Your team owns the content, your governance rules control approval; I build the system that enforces them.
The design separates stopping the wrong answer from approving the right one — so containment is fast and clinical judgement is never rushed.
They never need me to explain it from memory. Everything is visible inside the admin system: approved and retired content registries, the review calendar, exactly what the AI can cite, every flagged response and how it was resolved, and the audit logs — plus a written governance handbook.
These controls come from systems I've built, with each platform's real status shown. Software alone is not full compliance, and I won't claim it is.
| Platform | Status | Controls a GDPR auditor would recognise |
|---|---|---|
| My Therapy | Live in production | Automated retention enforcement · one-click and scheduled anonymisation that scrubs identity and clinical notes while lawfully preserving invoice records · clinical free text encrypted (AES-256-GCM) · server-enforced consent |
| StarSprout Lingo | Live in production | Evidenced parent/guardian consent (timestamp, IP, policy version) · self-service data export · deletion on account closure · granular cookie consent · MFA on sensitive actions |
| Remote Patient-Monitoring Platform | Built & load-tested, not yet live | EU data residency throughout · subject-access exports · soft-then-hard deletion · audit trails that survive anonymisation · role-based access · sub-processor register |
| Lexora | Working system, pre-launch | Tenant isolation · citation-validated AI answers · full audit logging — transferable architecture, not claimed as healthcare compliance |
Verified request → data inventory searched → legal-exception check → everything eligible deleted or anonymised → processors notified → a non-identifiable deletion record kept → completion confirmed. The CPD certificate is the one legitimate exception: accreditation may require minimal proof that training happened. That never justifies keeping the profile — we keep a minimal certificate record only, stored separately from any active account, legal basis documented, your DPO approving the policy.
You decide the legal framework; I build what implements it: confirmed legal entity, controller/processor roles, data processing agreements, privacy and cookie policies, retention periods and lawful basis per data type, a named DPO or equivalent, a breach-response owner, and a sign-off process before go-live. I will not make legal or retention decisions for you — that line protects both of us. The thread stays unbroken end to end: legal basis → data collected → system field → retention rule → access role → export/delete behaviour → audit log → processor.
No disagreement to handle — I'd build the monolith. One deployable system, one database, clean internal modules; split only if real scale ever demands it. My April load test backs this: every capacity ceiling found was configuration, not architecture. When we genuinely disagree: I argue the trade-offs in writing, recommend, and execute your decision — unless it creates a security or compliance risk, in which case I escalate rather than comply quietly. Every major decision is recorded with its reasoning.
Immediately, within 48 hours of the trend appearing. Not at the next status meeting, and not after a private rescue attempt, which is how projects die. I bring options alongside the problem: cut scope, defer features, buy instead of build, add resource, or as a last resort move the date. You make the trade-off; I implement it and record it.
Mine: day-to-day implementation, minor UI decisions, sprint planning within agreed scope. Yours: scope, budget, priorities, retention and privacy policy, clinical content rules, anything diagnostic or patient-facing, and launch itself. Specialists: security, DPO and clinical governance hold sign-off at the launch gate — launch doesn't happen on my recommendation alone.
Two. First, ownership thinking: "Design version one of a platform for a 1,500+ person international event that later becomes a membership institute with an AI assistant. The client owns everything from day one and a second developer must be able to deploy without you. What do you build, what do you buy, and what risks do you flag?"
Second, the one no portfolio can prove: "It's 09:40 on day one of the Summit and check-in is timing out for a third of attendees. Walk me through your first fifteen minutes." A strong answer checks monitoring before code, tells the organisers within minutes rather than after fixing, and prefers rolling back to debugging live.
The team works for IRP, so the contractual call is yours — made on my evidenced recommendation. My process is the same either way: evidence gathered, a private conversation, a correction plan, a short review period, then a clear recommendation to improve or replace.
A weekly written status — done, in progress, blocked, risks, decisions needed — a live sprint board you can open anytime, milestone demos, and a decision log. Incidents have their own rule: anything serious reaches you within 30 minutes with a plain-language impact statement, and every postmortem is yours to read.
Remote Patient-Monitoring Platform. I built a healthcare platform with genuinely strong data-protection controls — and built it around myself. Because it handles clinical data, it couldn't responsibly go live without someone able to operate it day to day, and that someone was only me. So I made the call not to launch it. The lesson: a working system that only its builder can run is not a finished system. Since then I've load-tested it (April 2026 — results below) and I'm placing it with a client who can operate it without me.
The real one: I haven't yet operated a platform at this scale in live production. My live platforms are smaller; the Remote Patient-Monitoring Platform never launched. I'm answering that with evidence rather than assurances — a completed load test, a go-live protocol that produces a measurable evidence pack before any launch decision, and an incident system whose recovery targets come from rehearsed, measured times. All three are summarised below.
Separately, hard boundaries I hold regardless: I don't self-certify penetration testing, GDPR legal compliance, medical-device classification or clinical governance. Those need specialists' signatures at the phases that demand them — exactly as we discussed on the call regarding hospital-grade systems.
Undramatic, if I've done my job. The handover pack — code, architecture docs, deployment guide, account register, tested backup and restore, incident history, open issues, known technical debt — exists from week one and is verified before launch, not assembled when you ask me to leave. The process ends with your team's successful deploy, an agreed support window, and my access revoked.
Three working artifacts back the claims above, summarised here. Full methodology, raw result files and the complete documents are available on request.
Key finding: every ceiling traced to configuration — connection-pool size, worker count, caching — not architecture. Capacity lifts an order of magnitude with a configuration pass, no rewrite. For the IRP platform, the same test runs against six Summit-specific scenarios, including a 1,000-concurrent event-day surge, before launch.
Every account, secret and environment variable reconciled against the registers. Nothing unexplained survives.
A real restore, timed and verified — recovery time and maximum data-loss window recorded, not assumed.
Registration spike, event-day surge to 1,000+ concurrent, stress-to-ceiling, certificate rush, admin under load, AI concurrency. Each run three times; medians reported.
Dependency audit, header scan, authenticated-route sweep, rate-limit verification, OWASP checklist with evidence per item. Independent scan included; paid penetration testing at the clinical phase.
A real access request and a real deletion — including the CPD exception path — executed end-to-end on staging, timed.
We take the platform down on purpose and time how long the alert takes to reach a phone. If it's more than a few minutes, the setup gets fixed before launch.
Detection, rollback and the full diagnose-fix-deploy loop rehearsed under the clock. These measured times become the recovery commitments.
Technical, security, data-protection and clinical sign-offs against the evidence pack. Any no-go holds the launch.
| Severity | Example | You're informed | Service restored | Root-cause fix |
|---|---|---|---|---|
| P1 — platform down | Registration or check-in failing on event day | ≤ 30 minutes, plain-language impact | Rollback, typically minutes to an hour | Same day |
| P2 — degraded | Slow pages, one feature down | Same day | Same day | 1–2 days |
| C1 — unsafe AI/content | AI cites retired guidance | ≤ 2 hours | Contained ≤ 1 hour — answer stops being served | ~24h, gated on clinical sign-off |
AI-assisted diagnosis accelerates root cause — logs, traces and the latest changes assembled into context in minutes. Guardrails are explicit: the AI proposes, a human approves, and it never deploys or holds production credentials. During the Summit: change freeze 48 hours out, on-call for the full event window, last known-good build pre-positioned.
IRP-owned accounts, documentation started, runbooks in the repo. Everything needed to replace me exists outside my head.
A developer who isn't me deploys and rolls back using only the documentation. If they can't, the documentation has failed and gets fixed.
On call throughout, rehearsed sub-30-minute rollback executable by a briefed non-expert, pre-positioned known-good build.
No clinical or sensitive data until a permanent second operator is in place. Non-negotiable — including against my own convenience.
You were clear on the call that you're looking for someone inside the team for the long haul, not a consultant. I take that seriously — seriously enough that I want it defined properly before it's promised: role, compensation, equity and terms. A ten-year ambition deserves a real foundation, and that's a conversation I'm ready to have.
What I can say now: I'm ready to lead this build, and the moment terms are agreed, work starts. Discovery first, then the Summit brief turned into a blueprint and the platform foundations. I work remotely as standard and travel where the work physically needs me, the Summit itself included. October doesn't move, so the sooner the structure is settled, the more build weeks we keep.
Proposed next step, as raised on the call: a defined discovery phase with a concrete output — scope, team structure, timeline and budget both sides can commit to.