Software, security and privacy for New Zealand teams
Ship modern software. Know it's safe.
We build SaaS and mobile apps for NZ teams — and we review the security, privacy, and AI practices of what you've already shipped. Both pillars, one team, fixed scope, plain English.
Sound familiar?
The same firm that builds it should be willing to tell you what's wrong with it.
NOWtech runs two pillars from one team. Build ships SaaS and mobile software you actually use. Assure reads the code, the architecture, the privacy practices, and the AI integration — yours or someone else's — and writes down what to fix. The same people, the same standards, the same blunt language.
Your build partner doesn't tell you when it's leaking.
Most agencies ship features and walk away. Security, privacy, and AI safety only get attention when something has already gone wrong — and the agency that wrote the code is the wrong party to audit it.
You're shipping AI features without a clear view of the risks.
Prompts, customer data, model behaviour, prompt injection, hallucinated output going to real users. Plenty of vendors will help you ship faster. Fewer will tell you what to actually worry about.
Privacy Act 2020 is on the radar, not on the roadmap.
You know there are obligations. You're not sure how the code, the database, the third‑party tools, or the offshore contractors map to them. The fix is usually smaller than you think — but only if someone reads the system.
Pillar 1 — Build
Software that ships, runs, and is still your software in five years.
We build on a deliberate, opinionated stack — chosen for longevity, not novelty. Code is yours. Documentation is yours. The deployment pipeline is yours. We'd rather be replaced because you no longer need us than retained because you can't.
SaaS & web apps
Custom web applications and internal tools, built on a modern, well‑travelled stack — NestJS on Node, Postgres, Astro / SvelteKit / React on the frontend, deployed to Cloudflare and Google Cloud. Designed to run for years without rewrites.
- NestJS + Fastify, TypeScript, Postgres
- Astro, SvelteKit, and React frontends
- Passkey authentication out of the box
- Cloudflare Pages + GCP Cloud Run hosting
Mobile apps (Flutter)
iOS and Android from a single Flutter codebase, with the same code targeting Flutter Web when you need an authenticated browser app. BLoC architecture, repository pattern, push notifications via FCM. We've built and shipped this stack repeatedly.
- iOS + Android + Flutter Web
- BLoC + repository pattern
- FCM push, deep links, biometrics
- Offline‑first when it earns its keep
AI integration
Bringing Claude (and other LLMs) into your product without the magical thinking. Prompt design, retrieval, tool use, structured output, prompt caching, and the boring operational pieces — cost ceilings, monitoring, evaluation. Done with eyes open about what models can and can't do.
- Claude API integration & caching
- Tool use, RAG, structured output
- Cost & latency budgeting
- Eval and regression harnesses
Backend & integration work
API design, third‑party integrations, data pipelines, background jobs. The unglamorous plumbing that decides whether the rest of your product feels fast or slow. We write code other people can pick up.
- REST APIs, OpenAPI, webhooks
- BullMQ jobs, Postgres, Redis
- Odoo, Stripe, Xero, FCM, LiveKit, Sentry
- Documentation other devs can read
Pillar 2 — Assure
A second set of eyes that reads the code, not just the slide deck.
We review software you've already built — yours, your last vendor's, or an acquisition target's. Fixed‑scope, written deliverables, plain English. The point is a list of things to fix, not a 90‑page document nobody reads.
Code‑level security review
We read your codebase the way an attacker would — auth flows, session handling, input validation, secrets handling, third‑party dependencies, infrastructure config. You get a written report with each finding ranked, evidence linked, and a concrete fix proposed. Findings, not vibes.
- OWASP Top 10 coverage as a baseline
- Auth, sessions, secrets, deps, infra
- Severity‑ranked, evidence‑linked findings
- Fix proposals you can hand to a developer
Privacy review (NZ Privacy Act 2020)
How you collect, store, share, and dispose of personal information — measured against the 13 information privacy principles. We map data flows, identify weak points (offshore vendors, log retention, analytics SDKs), and write the changes that close them. GDPR alignment when you operate offshore.
- 13 IPPs mapped to your system
- Data flow diagram + retention review
- Vendor & sub‑processor audit
- Privacy notice & policy drafting
Penetration testing
Authorised, scope‑limited testing of a deployed system — web app, API, or mobile. Black‑box, grey‑box, or credentialed. You get a written report with reproducible exploits, severity ratings, and remediation guidance. Engagement letter signed before any test traffic flows.
- Web, API, and mobile targets
- Black‑box, grey‑box, or credentialed
- Reproducible PoCs, not vague claims
- Retest included after remediation
AI safety & best‑practice review
An honest read of how you're using LLMs — prompt design, data exposure, prompt injection surface, hallucination handling, evaluation, cost & rate controls. Where the risks are, what to monitor, and what to change. Practical, not academic.
- Prompt injection & data leakage surface
- Hallucination & failure‑mode handling
- Eval and regression coverage
- Cost, rate, and observability controls
How we work
A short loop that respects your time and your budget.
Five steps. Free first conversation. Written scope before any work begins. Weekly visibility during delivery. The aim isn't a beautiful project plan — it's software your team uses next quarter, or a report your team acts on next week.
Conversation
A call. We ask about the system, the team, the deadline, the budget, the worry. By the end we both know whether NOWtech is the right fit and what the next step should look like. No deck, no pitch.
Scope
A short written proposal — what we'll do, what you'll get, what it'll cost, when it'll be done. Fixed scope where it can be; clearly framed time‑and‑materials where it can't. You decide whether to proceed.
Build or review
For Build: weekly demos, code in your repo from day one, no surprises at the end. For Assure: read, test, write up — with checkpoints so we surface major findings as we go, not at the end.
Handover
Build engagements end with documentation, deployment, and a working system your team can run. Review engagements end with a written report, a walkthrough, and a remediation plan you can hand to a developer.
Follow through
Retainer support, follow‑up reviews, the next phase of build, retesting after fixes. We don't push retainers — they exist when you want them, not as a default.
Start a conversation
A 30‑minute call to map the problem. No deck, no pitch — and free.
Book it
Why us
We've built the firm to be the consultant we wished we could hire.
Senior involvement, no bait‑and‑switch.
The person who scopes the engagement is the same person delivering it. No handing the work to a junior team the day the contract is signed. We bring trusted contractors in for scale or specialist depth — so capacity isn't a constraint — but senior accountability stays with one named person from first call to handover.
Build and Assure, same team, same standards.
We bring the same bar to both pillars — we won't ship code we wouldn't sign off on in a security review, and we won't write reviews that ignore how systems actually get built. The team that finds the issues is the team that knows how to fix them.
We use what we recommend.
Passkeys, Postgres, Prisma 7, NestJS Fastify, Astro, Flutter — these are the stacks we run in production for our own products. Recommendations come from operating the stack, not from a vendor presentation.
Fixed‑scope first, T&M second.
Most engagements are fixed scope, fixed price, fixed deadline. When the work genuinely can't be scoped up front (open‑ended R&D, ongoing support), we say so and quote time‑and‑materials with a clear cap.
Honest about size.
Small jobs welcome — a one‑week security review, a single‑module integration, a Privacy Act gap analysis. We won't pad scope to justify a bigger fee. If the right answer is two days of work, that's what we quote.
NZ‑based, NZ business hours.
Auckland‑based, available across NZ. Same timezone, same Privacy Act, same practical context for what local teams actually face. Most work is remote; on‑site visits when they earn their keep.
NOWsuite — in development
Developer products in flight.
The same opinionated patterns we apply on client work, packaged so other teams can use them. Free tier, paid tier, and a studio licence for agencies.
Want a heads‑up when these land? Drop us a line and we'll add you to the launch list.
FAQ
The questions everyone asks first.
What does an engagement actually cost?
Build engagements are quoted per project after the first conversation — most SaaS or mobile builds land between $25,000 and $150,000 + GST depending on scope and integrations. Assure engagements are typically $6,000 to $30,000 + GST: a focused security or privacy review of a small system runs at the lower end; full pen test plus retest of a larger system runs at the upper end. The first conversation is always free; you'll have a written, fixed scope before any work or commitment.
How small is too small?
Nothing is too small if it's the right answer. We'll happily quote a one‑week security review, a single integration, or a Privacy Act gap analysis. We'd rather do a small job well than pad the scope of a small job into a big one.
How do you handle confidential code in security reviews?
Mutual NDA before any code is shared. We work in your environment when you prefer (your repo, your VPN, your laptop), or in an isolated environment we set up for the engagement. Findings are encrypted at rest, deleted at the end of the engagement, and never used as portfolio material without explicit written consent.
Are pen tests authorised?
Always. We require a signed engagement letter that explicitly authorises the testing, defines the scope (which assets, which test windows, which techniques), and names the responsible parties on both sides. No test traffic flows before that letter is in place.
Do you carry professional indemnity insurance?
Yes. Limits and certificate available on request before contract signing — standard for any engagement involving production systems or written professional opinions.
Can you work alongside our existing developers?
Yes. Most of our build work is collaborative — your team, your repo, your release cadence. We commit code, write PRs, and review yours. For Assure work, we coordinate findings directly with whoever is going to fix them, with you in the loop on prioritisation.
What stack do you build on?
Backend: NestJS on Node 22 with Fastify, TypeScript, Postgres 18, Prisma 7, Redis. Frontend: Astro for marketing sites, SvelteKit or React for authenticated web apps, Flutter Web when sharing code with mobile. Mobile: Flutter (iOS, Android, Web from one codebase). Auth: passkeys (WebAuthn) primary, magic‑link fallback. Integrations: Odoo, Stripe, Xero, FCM, LiveKit, Sentry. Hosting: Cloudflare Pages for static, GCP Cloud Run for APIs. We deviate when the project genuinely calls for it — but we deviate on purpose, not by accident.
Do you take on AI integration work end‑to‑end?
Yes. Prompt design, retrieval, tool use, evaluation, cost controls, and the operational pieces (logging, rate limits, fallback behaviour). We use Anthropic's Claude API as our default — it's what we run our own products on — but we'll integrate other providers when the use case warrants it.
Where are you based?
Auckland, New Zealand. Most work is remote — calls over Google Meet, async progress, code in a shared repo. We do on‑site discovery, training, or workshops when they add value, billed at cost.
Get in touch
Tell us what you're trying to ship — or what you've already shipped that worries you.
A 30‑minute call. No deck, no sales pitch — we'll ask about the system, the team, and what good would look like. By the end you'll know whether NOWtech is the right fit and what the first concrete step should be.
- Email
- Phone
- Based in: Auckland · serving all of New Zealand