Engineering studio · Leeds

A studio for businesses that need a real product, not another website.

We build production SaaS — the systems your team logs into, the systems your customers pay for, the systems a security reviewer cannot pull apart in an afternoon. Without the apparatus that makes most agency engagements feel like a tax.

Start a project Read principles

Studio engagements from £25,000Three phases — discovery · architecture · productionPlain TypeScript · Plain Postgres · Plain Next.js

What we build

Production software for businesses with real customers.

Three shapes of engagement. Different domain, same foundation. The wizards below take five minutes; if your project is a fit, the proposal lands within 48 hours.

Web app
Customer-facing web apps.
Booking platforms, client portals, marketplaces, content sites with real teeth. Auth, payments, dashboards, the lot — built so a security reviewer cannot pull it apart in an afternoon.
- Marketplaces
- Client portals
- Booking systems
- Custom dashboards
Start the web app brief
SaaS
Production SaaS, multi-tenant from day one.
The system your customers pay for. Subscriptions, billing, per-tenant data isolation, role-based access, audit trail, search — the foundation already built when the engagement begins.
- Subscriptions
- Multi-tenancy
- Billing portal
- Per-row security
Start the saas brief
AI employee
AI products and agents that do real jobs.
Not a chatbot demo. A system that categorises, summarises, routes, drafts — inside your business, with structured data, fallbacks, and observability. Where AI earns its keep.
- AI workflows
- Categorisation
- Generated copy
- Decision logic
Start the ai employee brief

Not sure which shape your project is? Tell us about it → one call, honest answer.

Full stack · No subcontracting

Brand to ops. One studio, one engagement.

Every layer of the build is handled by the people on the call. No white-labelling, no overseas subcontractor, no surprise third-party at handover.

Layer 01
Brand & frontend
Visual identity, custom UI components designed for your domain, WCAG-AA accessibility, SEO baseline. Mobile-first, responsive across every viewport.
Layer 02
Build & data
Auth, data model, payments, search, AI features, file uploads, audit. Eighteen security patterns enforced by default — the list a security review asks for, already there.
Layer 03
Deploy & host
Vercel + Supabase by default; self-host on your own infrastructure if you prefer. Your account, your domains, your keys, your backups. Plain stack, clear handover.
Layer 04
Operate
Structured logging, error reporting, uptime monitoring, automatic database backups. Optional retainer for security patches, dependency updates, and continued development after launch.

What you get

Everything that should be settled before the first commit.

What changes between projects is the part that should change. Your domain. Your customers. Your business logic. Everything else is already correct.

01
Auth and access
Sign-up, sessions, roles, organisations. Per-row security enforced at the database — not in the page that renders the list.
- Email, magic link, password reset
- Role-based permissions everywhere
- Audit trail of access
02
Data and content
A custom data model for your business and a content system your team can run without a developer.
- Editable pages, articles, FAQs
- Admin interface for staff
- Drafts, previews, revisions
03
Payments
Subscriptions, one-offs, or both — wired to a real provider. Real webhooks, real dunning, real receipts.
- Stripe, billing portal, invoices
- Failed-card retries, grace periods
- Refunds, disputes, archives
04
Search
Full-text search with relevance ranking and fuzzy matching, indexed at the database layer. Holds up under load.
- No third-party service required
- Typos do not break results
- Day-one performance budget
05
AI features
Where AI earns its keep — generated copy, imagery, categorisation. Always with a fallback. Nothing breaks if the provider is down.
- Named, scoped, measurable
- Graceful degradation, never hard
- Provider-portable by design
06
Security posture
Eighteen patterns enforced by default — auth on every action, input validation everywhere, rate limits, CSP nonces, SSRF guards.
- Holds up in a security review
- Generic error messages
- No raw database errors leaking

Full inventory: services →

How we work

Discovery, architecture, production. Three phases.

Discovery01
Document the invariants.
We document the load-bearing pieces, the failure modes, and the assumptions you have outgrown. No decks. No workshops. One scoping call, then a written brief.
Two weeks
Architecture02
Design around what holds.
We design the system around the invariants — the data model, the security boundary, the integration points. By the end you have a schema, an API surface, and a build plan.
Two weeks
Production03
Ship the system, not a demo.
We build, test, and ship. Everything in the inventory above is live by the end. The codebase is yours, on your domains, with your keys.
Eight to twelve weeks

Why us

You can prompt your way to a demo. You cannot prompt your way to a business.

✕ The traditional agency

Charges you to rebuild the foundation every project and calls the rebuild discovery. The senior engineer pitches. The junior writes the code.

Three sprints, wrong direction.

✕ AI-assisted coding

Will produce something that runs. Will also miss authorisation, rate limiting, audit trails, migrations, idempotency, and a test suite that means anything.

The demo passes. The first real customer breaks it.

Canarlo

The foundation is settled before kickoff. The people on the call are the people writing the code. Your money funds the part that is yours.

A system designed so the wrong thing cannot easily happen.

Studio principle

We treat invariants as load-bearing.

Auth on every action. Validation on every input. Per-row security enforced at the database. The patterns are named, the patterns are tested, the patterns are why a production system survives a security review and a Tuesday morning at 9 a.m.

Talk to us

One call, honest answer.

Tell us what you are trying to ship, what you have already tried, and what is in the way. If the work is a fit, we will say so on the call. If not, we will tell you who to talk to instead.

Start a project Get in touch

A studio for businesses that need a real product, not another website.

Studio engagements from £25,000Three phases — discovery · architecture · productionPlain TypeScript · Plain Postgres · Plain Next.js

Discovery, architecture, production. Three phases.

Discovery01

Document the invariants.

We document the load-bearing pieces, the failure modes, and the assumptions you have outgrown. No decks. No workshops. One scoping call, then a written brief.

Two weeks

Architecture02

Design around what holds.

We design the system around the invariants — the data model, the security boundary, the integration points. By the end you have a schema, an API surface, and a build plan.

Two weeks

Production03

Ship the system, not a demo.

We build, test, and ship. Everything in the inventory above is live by the end. The codebase is yours, on your domains, with your keys.

Eight to twelve weeks

You can prompt your way to a demo. You cannot prompt your way to a business.

✕ The traditional agency

Charges you to rebuild the foundation every project and calls the rebuild discovery. The senior engineer pitches. The junior writes the code.

Three sprints, wrong direction.

✕ AI-assisted coding

Will produce something that runs. Will also miss authorisation, rate limiting, audit trails, migrations, idempotency, and a test suite that means anything.

The demo passes. The first real customer breaks it.

Canarlo

The foundation is settled before kickoff. The people on the call are the people writing the code. Your money funds the part that is yours.

A system designed so the wrong thing cannot easily happen.

A studio for businesses that need a real product, not another website.

Production software for businesses with real customers.

Customer-facing web apps.

Production SaaS, multi-tenant from day one.

AI products and agents that do real jobs.

Brand to ops. One studio, one engagement.

Brand & frontend

Build & data

Deploy & host

Operate

Everything that should be settled before the first commit.

Auth and access

Data and content

Payments

Search

AI features

Security posture

Discovery, architecture, production. Three phases.

Document the invariants.

Design around what holds.

Ship the system, not a demo.

You can prompt your way to a demo. You cannot prompt your way to a business.

One call, honest answer.

A studio for businesses that need a real product, not another website.

Production software for businesses with real customers.

Customer-facing web apps.

Production SaaS, multi-tenant from day one.

AI products and agents that do real jobs.

Brand to ops. One studio, one engagement.

Brand & frontend

Build & data

Deploy & host

Operate

Everything that should be settled before the first commit.

Auth and access

Data and content

Payments

Search

AI features

Security posture

Discovery, architecture, production. Three phases.

Document the invariants.

Design around what holds.

Ship the system, not a demo.

You can prompt your way to a demo. You cannot prompt your way to a business.

One call, honest answer.