arxfuture · security-first by default

Toronto web design, web apps, and cybersecurity help

We build the web — and keep you safe on it. Websites and web applications for Toronto and the Greater Toronto Area. Practical IT and privacy help for the people who use them.

arxfuture

For businesses

Websites and web applications

For small businesses across Toronto and the Greater Toronto Area that need to be found, and to be trusted once they are.

Website design for Toronto businesses

A fast, modern, accessible website that makes a small business look as serious as it is — and that Google can actually read.

Most small-business websites are slow, built on a pile of plugins, and quietly leaking data to a dozen third parties. Yours does not have to be. I build sites that load in under a second, work on a five-year-old phone, and are readable by a search engine without executing a line of JavaScript.

That last part matters more than it used to. A page whose content only appears after the browser runs a script is invisible to most AI assistants, and slow to be indexed by Google. Every site I build ships its words in the HTML, where a crawler can see them on the first pass.

The work starts with a conversation about who you are trying to reach and what you want them to do. Then structure, then copy, then design — in that order, because a beautiful page that says nothing converts nobody. You get a site you can update, hosting that does not surprise you with a bill, and no dependency on me to keep it running.

What you get

  • A site that loads fast on a phone, on real data
  • Content in the HTML, readable without JavaScript
  • Search-engine and social-sharing metadata done properly
  • Accessible markup — screen readers, keyboard, contrast
  • Hosting and deployment set up, and explained to you

Web application design and development

Custom web applications built the way production software should be: typed, tested, threat-modelled, and still safe to change a year from now.

When an off-the-shelf tool nearly fits but not quite, the gap usually gets filled with spreadsheets and manual work. A custom web application closes it — a booking system, an internal dashboard, a customer portal, a workflow that only your business has.

I build these the way I build my own products. TypeScript in strict mode, so a whole category of bug never reaches you. Every input validated on the server, because everything from a browser is untrusted. Object-level authorization on every query, so one customer can never read another's data. Automated tests and continuous integration, so a change on a Friday does not become a phone call on a Sunday.

Security is decided at design time. Before code, there is a threat model: what an attacker would want, where they would try, and what stops them. That work is boring, unglamorous, and the reason the applications I ship do not end up in a breach notification. You can see exactly what that looks like — GoRich, below, is built to OWASP ASVS Level 2 and its threat model is public.

What you get

  • A threat model, written down, before any code
  • TypeScript end to end, in strict mode
  • Server-side validation and per-user authorization on every query
  • Automated tests and a CI pipeline that gates every deploy
  • Documentation you can hand to the next engineer

Have something in mind? Email me about your project — the first conversation is free and ends with a written scope and a fixed price.


For individuals

Personal IT, security and privacy

In-person help across Toronto and the Greater Toronto Area, in plain language, with no jargon and no upsell.

Personal IT services

Practical help with the computer, the router, the backups, and the thing that stopped working — explained in plain language.

Technology gets sold to people and then abandoned by the people who sold it. When the laptop slows to a crawl, the printer stops talking to the network, or the photos from ten years ago are somewhere and nowhere, there is often no one obvious to ask.

I do that work for people in Toronto and the GTA: setting up a new machine properly the first time, untangling a home network, getting backups running so that a dead drive is an inconvenience rather than a catastrophe, and advising on what hardware is actually worth buying — which is frequently less than you were about to spend.

No jargon, no condescension, no upsell. If the honest answer is that your five-year-old laptop needs sixty dollars of memory rather than a replacement, that is the answer you will get. You will also understand what was done and why, because the goal is for you to need me less over time, not more.

What you get

  • New devices set up properly, once, rather than repeatedly
  • Backups that actually run and that you have tested
  • A home network that works, in plain language
  • Honest hardware advice, including "do not buy this"

Cybersecurity and privacy help

Everyday security hygiene that sticks: password managers, two-factor authentication, device hardening, and cutting down who gets to watch you.

Almost nobody is targeted personally. Almost everybody is caught in something automated — a password reused on a site that got breached, an account with no second factor, a phone that backs up everything to somewhere you never chose. The fixes are well understood and unglamorous, and most people never get shown them.

I sit down with you and put them in place. A password manager, set up and actually used. Two-factor authentication on the accounts that matter, with recovery codes stored somewhere you will find them. Devices configured so a stolen laptop is a lost laptop rather than a lost identity. And a clear-eyed look at which apps and services are monetising your data, with realistic alternatives where they exist.

The aim is not paranoia; it is proportion. You should be spending your attention on the handful of things that account for most of the risk, and ignoring the rest with a clear conscience. I will tell you which is which, and I will not pretend that any of it makes you unhackable — nothing does.

What you get

  • A password manager, set up and migrated to
  • Two-factor authentication where it counts, with recovery codes
  • Devices and accounts hardened against the common attacks
  • A privacy review: who is collecting what, and what to do about it

Stuck with something? Email me and describe the problem — if it is a five-minute fix, I will just tell you how to do it.

Work

Software we build and run ourselves. The best evidence of how we would build yours.

GoRich

A security-first personal finance app. Track expenses and income, set budgets that warn you, automate recurring subscriptions, and see your real savings rate — with no bank connection, no ads, and nothing sold to anyone.

  • Threat-modelled before a line of code was written
  • Built and tested against OWASP Top 10 and ASVS Level 2
  • Two-factor authentication, with re-authentication for sensitive actions
  • Rotating sessions with stolen-token detection
  • Prerendered to static HTML — the marketing page ships zero JavaScript
See GoRich, our security-first finance app →

This month

$2,184.00

42% savings rate

Income68%
Expenses39%
Invested22%

Lokali

In development

A platform for finding local trades and services on a map. Small businesses — carpet cleaners, car detailers, and the like — create a profile, and nearby customers find them and get in touch directly, without an algorithm taking a cut of the introduction.

  • Map-first discovery of nearby small businesses
  • Business profiles owned by the businesses themselves
  • Direct contact between customer and trade — no middleman fee
  • Currently in development

Security isn't a feature.

It's the starting point. Every project begins with a threat model, and ends with something you can trust.

Secure by design

Security is decided at design time, not bolted on. Threat modelling comes before code.

Built to last

Typed, tested, and documented. Software you can still change safely a year from now.

Personal service

You talk to the person who builds it. No handoffs, no account managers.

Questions people actually ask

Do you work with businesses outside Toronto?
Website and web application work is done remotely, so location is rarely a constraint — but I am based in Toronto and most clients are in the GTA, which means we can meet in person when that is genuinely useful. Personal IT help is limited to Toronto and the GTA, since it usually means sitting down with your machine.
What does a website cost?
It depends entirely on scope, and anyone quoting a number before understanding your business is guessing. A simple brochure site for a small business is a different project from a booking system with customer accounts. The first conversation is free and ends with a written scope and a fixed price, so you know what you are committing to before you commit.
Who owns the code and the site when we are finished?
You do. You get the source code, the accounts, and the deployment set up in your name. The intent is that you are never locked in — if you want to take the work elsewhere, or run it yourself, nothing stops you.
What makes this different from a website builder?
A builder gives you a template, a monthly fee, a page that loads slowly, and a stack of third-party trackers you did not choose. It is a reasonable option for some businesses. What you cannot get from one is content that search engines and AI assistants can read without executing JavaScript, a page that loads in under a second, or a custom application that does exactly what your business needs.
Why do you talk about security so much?
Because it is decided early and cannot be retrofitted cheaply. A web application that never had a threat model has authorization holes in it, and finding them after launch costs far more than designing them out. It is also the part of the work that clients cannot evaluate themselves, which is exactly why it gets skipped by people who are cutting corners.
I am not a business. Can you still help me?
Yes — that is what the personal IT and privacy work is for. Setting up a new laptop, getting backups running, putting a password manager and two-factor authentication in place, and working out which apps are quietly monetising you. No jargon, and no upsell.

Get in touch

Have a project in mind, or want help securing your digital life? Send an email — you'll hear back from the person who does the work. Serving Toronto and the Greater Toronto Area.

contact@arxfuture.com