CertifyClouds
Never let a secret expire again.
An Azure secret lifecycle automation platform that discovers, monitors, rotates, and synchronises secrets across cloud environments. Self-hosted inside the customer's own Azure tenant with zero-knowledge architecture where secrets never leave their network.
73% of cloud outages are caused by expired credentials.
Security teams managing Azure infrastructure spend hours clicking through the Azure Portal to find expiring secrets. When they find one, rotating it takes 15-30 minutes of manual coordination. You must update the App Registration, find every resource that references it, update each one, verify nothing broke. One missed dependency and you've caused an outage.
CertifyClouds needed to automate the entire lifecycle: discover all secrets across subscriptions in seconds, score them for compliance risk, rotate them safely with blast radius analysis, and optionally sync them to AWS or GCP for disaster recovery. And it all had to run inside the customer's own infrastructure with no SaaS data exfiltration concerns.
Connecting secrets to the resources that use them.
The hard part isn't finding secrets in Key Vault. It's knowing which Azure resources depend on each secret. An App Registration secret might be referenced by an App Service connection string, a Function App environment variable, an API Management policy, and a Logic App connector. All use different reference formats.
If you rotate the secret without updating every dependent resource, you cause exactly the outage you were trying to prevent. We needed a dependency discovery engine that could scan 11+ Azure resource types and build a complete blast radius graph before any rotation happens.
Discovery, rotation, compliance, sync.
Asset Discovery
Scans all Key Vaults across Azure subscriptions in 30 seconds. Finds secrets, certificates, and keys with expiry tracking. Delta detection highlights what changed since the last scan.
Dependency Mapping
Scans 11+ Azure resource types (App Services, Functions, SQL, Container Apps, Logic Apps, API Management, AKS, and more) to build a dependency graph. Shows exactly which resources break if a secret expires.
Intelligent Secret Matching
Automatically correlates App Registration credentials to their corresponding Key Vault secrets using multiple matching signals and confidence scoring. No manual mapping required.
One-Click Rotation
Rotates App Registration secrets and certificates end-to-end. Creates the new credential, updates Key Vault, updates all dependent resources, and removes the old credential. Real-time progress tracking throughout.
Compliance Scoring
Rule-based security assessment across all discovered assets. Scores secrets on expiry proximity, rotation age, and configuration best practices. Audit logging for SOC 2, ISO 27001, PCI-DSS, and HIPAA.
Multi-Cloud Sync
Syncs secrets from Azure Key Vault to AWS (Secrets Manager, Parameter Store, ACM) and GCP (Secret Manager, Certificate Manager). Scheduled sync with drift detection for disaster recovery.
Alert Rules
Configurable alerts via email and webhooks for expiring secrets, failed rotations, compliance score drops, and sync drift. Scheduled notifications before expiry deadlines.
Blast Radius Analysis
Before any rotation, shows the complete dependency graph visually. Every resource that references the secret is visible, so you know the exact impact before clicking rotate.
Self-Hosted Deployment
Ships as a container deployed to the customer's own Azure infrastructure. Managed Identity authentication. No credentials stored. Database in their subscription. Zero data exfiltration.
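Dependency mapping, blast radius and the rotation order described above, shown as an added example in Python (this is not CertifyClouds' code). It parses the two real App Service / Function App Key Vault reference syntaxes (`@Microsoft.KeyVault(SecretUri=...)` and `@Microsoft.KeyVault(VaultName=...;SecretName=...;SecretVersion=...)`) plus an assumed `keyvault:<vault>/<name>@<version>` stand-in for an API Management named value, builds the blast radius for one secret from a constructed inventory, and emits the rotation steps in the only safe order: the old App Registration credential is removed last, after every dependent has been updated and verified. Resources pinned to a specific secret version are called out separately, because they do not pick up a new Key Vault version on their own.

```python
"""Added example (not CertifyClouds' own code): blast-radius discovery and a
safe rotation plan for an App Registration secret stored in Key Vault.
The inventory, resource ids, vault names and the APIM reference shape are
constructed sample data."""
import re
from dataclasses import dataclass
from typing import Optional

# Real App Service / Function App Key Vault reference syntaxes.
KV_URI_RE = re.compile(
    r"@Microsoft\.KeyVault\(SecretUri=https://(?P<vault>[^.]+)\.vault\.azure\.net"
    r"/secrets/(?P<name>[^/)]+)/?(?P<version>[0-9a-f]{32})?/?\)"
)
KV_NAMED_RE = re.compile(
    r"@Microsoft\.KeyVault\(VaultName=(?P<vault>[^;)]+);SecretName=(?P<name>[^;)]+)"
    r"(?:;SecretVersion=(?P<version>[^)]+))?\)"
)
# Assumed stand-in for an APIM named value backed by Key Vault (not APIM's real schema).
APIM_RE = re.compile(r"keyvault:(?P<vault>[^/]+)/(?P<name>[^/@]+)(?:@(?P<version>[0-9a-f]{32}))?")


@dataclass(frozen=True)
class SecretRef:
    vault: str
    name: str
    version: Optional[str]   # None = "latest": the resource follows new versions on its own


@dataclass
class Dependent:
    resource_id: str
    setting: str
    ref: SecretRef


def parse_ref(raw: str) -> Optional[SecretRef]:
    """Recognise any of the supported reference formats in a setting value."""
    for rx in (KV_URI_RE, KV_NAMED_RE, APIM_RE):
        m = rx.search(raw)
        if m:
            return SecretRef(m["vault"], m["name"], m["version"] or None)
    return None


def discover(inventory: dict) -> list:
    """Walk every resource's settings and collect the ones that reference a Key Vault secret."""
    found = []
    for resource_id, settings in inventory.items():
        for setting, raw in settings.items():
            ref = parse_ref(raw)
            if ref is not None:
                found.append(Dependent(resource_id, setting, ref))
    return found


def blast_radius(deps: list, vault: str, name: str) -> list:
    """Every dependent that breaks if this secret expires or is rotated carelessly."""
    return [d for d in deps if d.ref.vault == vault and d.ref.name == name]


def pinned_dependents(deps: list, vault: str, name: str) -> list:
    """Dependents referencing a fixed version; these must be edited during rotation."""
    return [d.resource_id for d in blast_radius(deps, vault, name) if d.ref.version is not None]


def rotation_plan(deps: list, vault: str, name: str, new_version: str) -> list:
    """Ordered steps: new credential first, dependents updated, verified, old credential removed last."""
    steps = [
        "1. Create a new App Registration credential (the old one stays valid during cutover)",
        f"2. Store the new value as version {new_version} of {vault}/{name}",
    ]
    for d in blast_radius(deps, vault, name):
        if d.ref.version is None:
            steps.append(f"3. {d.resource_id}[{d.setting}] follows latest: no edit, verify it refreshes")
        else:
            steps.append(f"3. {d.resource_id}[{d.setting}] pinned to {d.ref.version}: update to {new_version}")
    steps.append("4. Verify every dependent authenticates with the new credential")
    steps.append("5. Remove the old App Registration credential")
    return steps


# Constructed inventory: resource id -> {setting name: raw setting value}.
OLD_VERSION = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
INVENTORY = {
    "app-service/web-frontend": {
        "AZURE_CLIENT_SECRET": "@Microsoft.KeyVault(SecretUri=https://kv-prod.vault.azure.net/secrets/graph-client-secret/)",
    },
    "function-app/nightly-sync": {
        "GraphSecret": f"@Microsoft.KeyVault(VaultName=kv-prod;SecretName=graph-client-secret;SecretVersion={OLD_VERSION})",
    },
    "apim/named-values/graph-secret": {
        "value": f"keyvault:kv-prod/graph-client-secret@{OLD_VERSION}",
    },
    "app-service/reporting-api": {
        "DB_PASSWORD": "@Microsoft.KeyVault(SecretUri=https://kv-prod.vault.azure.net/secrets/sql-admin-password/)",
    },
    "app-service/legacy-portal": {
        "ClientSecret": "a-literal-value-not-a-reference",
    },
}

if __name__ == "__main__":
    deps = discover(INVENTORY)
    for step in rotation_plan(deps, "kv-prod", "graph-client-secret", "ffffffffffffffffffffffffffffffff"):
        print(step)
```

The literal value in `legacy-portal` is deliberately not matched: a secret pasted straight into app settings is invisible to reference-based discovery, which is exactly the kind of dependency that gets missed and causes the outage the text describes.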
Why we built it this way.
Zero-knowledge by architecture, not policy
Enterprise security teams won't trust a SaaS that touches their secrets. Instead of asking customers to trust us, we removed the trust requirement entirely. CertifyClouds deploys inside the customer's own Azure subscription. It authenticates via Managed Identity with no stored credentials. The database is in their subscription. Secret values never leave their network. We literally can't see their secrets, by design.
Intelligent credential correlation
There is no deterministic link between a Key Vault secret and the App Registration credential it stores, and there is no standard naming convention across organisations. We built a matching engine that uses multiple independent signals to correlate credentials with high confidence, even when naming is inconsistent. No manual mapping, no spreadsheets.
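Multi-signal correlation with confidence scoring, as an added Python example (not CertifyClouds' matching engine). Each signal is an independent observation: a `keyId` or `appId` tag on the secret, the app's display name appearing in the secret name, matching expiry timestamps, and the secret version being created shortly after the credential's start date. Their weights, the 0.5 confidence floor and the 0.2 margin between the best and second-best candidate are assumed values, and all credentials, secrets and tags are constructed; the example also shows the ambiguous case, where two weak candidates tie and the engine declines to match rather than guess.

```python
"""Added example, not CertifyClouds' code: correlate an App Registration
password credential with the Key Vault secret that stores it using several
independent signals combined into a confidence score. Sample data, tag
names, weights and thresholds are all constructed assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AppCredential:
    app_id: str
    display_name: str
    key_id: str
    start: datetime
    end: datetime


@dataclass
class VaultSecret:
    name: str
    created: datetime
    expires: Optional[datetime]
    tags: dict = field(default_factory=dict)


def _slug(text: str) -> str:
    return re.sub(r"[^a-z0-9]", "", text.lower())


def signals(cred: AppCredential, secret: VaultSecret):
    """Yield (signal name, weight, hit). Weights sum to 1.0; values are assumptions."""
    yield "tag:keyId", 0.40, secret.tags.get("keyId") == cred.key_id
    yield "tag:appId", 0.25, secret.tags.get("appId") == cred.app_id
    yield "name-contains-app", 0.15, _slug(cred.display_name) in _slug(secret.name)
    yield "expiry-matches", 0.10, (
        secret.expires is not None and abs(secret.expires - cred.end) <= timedelta(minutes=1)
    )
    yield "created-just-after-start", 0.10, (
        timedelta(0) <= secret.created - cred.start <= timedelta(hours=1)
    )


def confidence(cred: AppCredential, secret: VaultSecret):
    """Weighted sum of the signals that fired, plus the list of their names for the audit trail."""
    hits = [(n, w) for n, w, hit in signals(cred, secret) if hit]
    return round(sum(w for _, w in hits), 2), [n for n, _ in hits]


def match_credential(cred: AppCredential, secrets: list, min_conf=0.5, min_margin=0.2):
    """Best candidate only if it clears the floor and is clearly ahead of the runner-up."""
    ranked = sorted(((confidence(cred, s), s.name) for s in secrets),
                    key=lambda r: r[0][0], reverse=True)
    (best_score, best_signals), best_name = ranked[0]
    runner_up = ranked[1][0][0] if len(ranked) > 1 else 0.0
    if best_score < min_conf or best_score - runner_up < min_margin:
        return None   # ambiguous or too weak: leave it for a human rather than guess
    return best_name, best_score, best_signals


# Constructed sample data.
T0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
GRAPH = AppCredential("1111-app", "Graph Sync Worker", "key-aaa", T0, T0 + timedelta(days=180))
BILLING = AppCredential("2222-app", "Billing API", "key-bbb", T0, T0 + timedelta(days=90))
REPORTS = AppCredential("3333-app", "Reports", "key-ccc", T0, T0 + timedelta(days=365))
SECRETS = [
    VaultSecret("graph-sync-worker-secret", T0 + timedelta(minutes=10), GRAPH.end, {"appId": "1111-app"}),
    VaultSecret("billing-api-secret", T0 + timedelta(minutes=5), BILLING.end, {"keyId": "key-bbb"}),
    VaultSecret("sql-admin-password", T0 - timedelta(days=30), GRAPH.end),
    VaultSecret("reports-secret-a", T0 - timedelta(days=400), None),
    VaultSecret("reports-secret-b", T0 - timedelta(days=400), None),
]

if __name__ == "__main__":
    for cred in (GRAPH, BILLING, REPORTS):
        print(cred.display_name, "->", match_credential(cred, SECRETS))
```

Note that `sql-admin-password` shares an expiry date with the Graph credential by coincidence and still scores only 0.10: no single signal is strong enough on its own, which is the point of combining them.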
Built for scale and resilience
Discovery scans across dozens of Key Vaults and hundreds of resources run concurrently. The backend is fully async and non-blocking, so large estates complete in seconds rather than minutes. Cloud API calls are wrapped with circuit breakers and retry logic so the system degrades gracefully when provider APIs hit rate limits or go down.
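The resilience pattern described above, as an added asyncio example (not CertifyClouds' backend): vault scans run concurrently under a semaphore, each provider call retries with exponential backoff on a rate-limit error, and a per-vault circuit breaker stops calling an endpoint that keeps failing so the rest of the scan completes. The provider is simulated in-process with constructed behaviour (`kv-flaky` rate-limits twice then succeeds, `kv-down` never recovers); the thresholds and delays are assumed values.

```python
"""Added example, not CertifyClouds' code: concurrent discovery with bounded
parallelism, retry with exponential backoff, and a per-vault circuit breaker.
The provider and its failure behaviour are simulated with constructed data."""
import asyncio
import time
from dataclasses import dataclass
from typing import Optional


class RateLimited(Exception):
    """Stand-in for an HTTP 429 from the provider API."""


class CircuitOpen(Exception):
    """Raised when the breaker refuses a call without contacting the provider."""


@dataclass
class CircuitBreaker:
    failure_threshold: int = 3
    recovery_seconds: float = 30.0
    failures: int = 0
    opened_at: Optional[float] = None

    def allow(self) -> bool:
        if self.opened_at is None:
            return True
        # Half-open: once the cool-down has passed, let a probe call through.
        return time.monotonic() - self.opened_at >= self.recovery_seconds

    def record_success(self) -> None:
        self.failures, self.opened_at = 0, None

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = time.monotonic()


async def call_with_resilience(op, breaker: CircuitBreaker, max_attempts=4, base_delay=0.005):
    """Retry a rate-limited call with exponential backoff; fail fast once the breaker is open."""
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        if not breaker.allow():
            raise CircuitOpen("breaker open, provider not contacted")
        try:
            result = await op()
        except RateLimited:
            breaker.record_failure()
            if attempt == max_attempts:
                raise
            await asyncio.sleep(delay)
            delay *= 2
        else:
            breaker.record_success()
            return result


async def scan_vaults(vault_names, fetch, breakers, concurrency=4) -> dict:
    """Scan every vault concurrently; one vault's failure never blocks the others."""
    sem = asyncio.Semaphore(concurrency)

    async def one(name):
        async with sem:
            try:
                secrets = await call_with_resilience(lambda: fetch(name), breakers[name])
                return name, {"secrets": secrets}
            except (RateLimited, CircuitOpen) as exc:
                return name, {"error": type(exc).__name__}

    return dict(await asyncio.gather(*(one(n) for n in vault_names)))


# Constructed provider behaviour: vault -> number of 429s before success (None = always 429).
FLAKINESS = {"kv-prod": 0, "kv-dev": 0, "kv-flaky": 2, "kv-down": None}


def make_fetch(flakiness: dict, calls: dict):
    async def fetch(vault):
        calls[vault] = calls.get(vault, 0) + 1
        await asyncio.sleep(0)   # yield to the loop as a real network call would
        limit = flakiness[vault]
        if limit is None or calls[vault] <= limit:
            raise RateLimited(vault)
        return [f"{vault}/secret-{i}" for i in range(3)]
    return fetch


def run_demo():
    """Returns (scan results, provider call counts per vault, breakers) for inspection."""
    calls = {}
    breakers = {v: CircuitBreaker() for v in FLAKINESS}
    results = asyncio.run(scan_vaults(list(FLAKINESS), make_fetch(FLAKINESS, calls), breakers))
    return results, calls, breakers


if __name__ == "__main__":
    results, calls, _ = run_demo()
    for vault in FLAKINESS:
        print(vault, results[vault], "calls:", calls[vault])
```

With these settings `kv-down` is contacted exactly three times: the third failure opens its breaker, and the fourth attempt is refused locally, which is the graceful degradation the text refers to. The breaker is per vault here; in a real deployment the same object would typically guard a whole provider endpoint.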
Self-hosted, not SaaS
CertifyClouds ships as a container that customers deploy to their own Azure subscription. Managed Identity handles authentication. The database lives in their infrastructure. No data leaves their network, ever. This means no lengthy procurement reviews, no third-party risk assessments, and no security team pushback.
Hours of manual work, reduced to seconds.
CertifyClouds is live at certifyclouds.com, serving mid-market Azure organisations with compliance requirements. What used to take 2-4 hours of clicking through the Azure Portal now takes 30 seconds. What used to take 15-30 minutes of manual credential rotation now takes one click with full blast radius visibility.
Got a similar problem?
If you need cloud automation, Azure integration, or enterprise SaaS with self-hosted deployment, we build exactly this kind of thing.