How we earn the right to build your website
Trust should not require taking our word for it. This page sets out the standards every Villex Web build is held to: who owns what, how the sites are secured, what happens to visitor data, and what you can expect from the process and the invoice. Everything described here is practiced on this very site.
You own it outright
Code, content, and accounts are yours with full admin. No lease, no lock-in, no holding your site hostage.
Security by architecture
Static pages, strict security headers, and no plugin attack surface. Less to hack because there is less running.
Privacy by default
Cookieless analytics and self-hosted fonts. No tracking cookies, so no cookie banner is needed.
Accessible to everyone
WCAG AA is the target on every build: keyboard navigable, screen-reader friendly, reduced motion respected.
A gated launch process
Automated quality gates that can fail a build, a private draft review, and verification before anything goes live.
No surprise invoices
Published pricing, a fixed price in writing, and a launch date we commit to before work begins.
Your site is yours. Full stop.
Much of the web industry runs on quiet lock-in: sites you rent monthly, code the vendor keeps, and accounts registered in someone else's name so leaving hurts. We refuse that model. When a Villex Web build launches, the code and the content are yours outright, with full admin access to every account: domain, hosting, analytics, and forms.
The optional Care Plan is a service, not a lease. Cancel it any time and you keep the site, the code, and every account. There is no scenario in which we hold your website hostage, and we put that in writing in your project agreement.
Secure by architecture, not by patching
Most small-business website breaches come through the software stack: an outdated plugin, a database exposed to the internet, an admin login waiting to be guessed. Our builds remove those doors instead of guarding them. Every site ships as static pages: no database, no server-side code executing per visit, and no plugin ecosystem to keep patched. That is a structurally smaller attack surface, not a promise to stay on top of updates.
On top of the architecture, every build ships a strict set of security headers. This site runs all of the following right now, and client builds get the same treatment.
| Header | What it protects against |
|---|---|
| Content-Security-Policy | Scripts can only load from our own domain and our analytics provider. Injected or third-party scripts are refused by the browser. |
| Strict-Transport-Security | Browsers are told to only ever connect over encrypted HTTPS, with preload. |
| X-Frame-Options and frame-ancestors | The site cannot be embedded in a hostile frame, which blocks clickjacking. |
| X-Content-Type-Options | Browsers cannot be tricked into running a file as a different type. |
| Cross-Origin-Opener-Policy and Resource-Policy | The site is isolated from cross-origin windows and its assets from cross-origin reads. |
| Referrer-Policy and Permissions-Policy | Visitor navigation data is kept minimal, and camera, microphone, and location access are switched off. |
No tracking cookies. No cookie banner needed.
This site measures traffic with cookieless analytics: aggregate page counts with no cookies set and no individual visitor profiles built. Because no tracking cookies exist, there is no consent banner interrupting your visit, and nothing following you around the web afterward.
Fonts are self-hosted on our own domain, so font requests never send visitor data to a third-party font service. Contact and audit forms send your details to our inbox so we can reply, and that is the whole journey: we do not sell, rent, or share visitor data. The full policy is on the privacy page.
Built for every visitor
We build to the WCAG AA standard as the target on every project. In practice that means semantic HTML a screen reader can navigate, a skip-to-content link and full keyboard access, visible focus states, and color contrast checked against the AA thresholds.
Motion is treated as an enhancement, never a requirement. Every animation on this site checks your reduced-motion system setting and switches itself off if you have asked for less movement, and an automated check verifies that behavior on every build. Details and our contact route for accessibility issues are on the accessibility page.
Nothing goes live on a hunch
A launch is a series of gates, not a button press. Each stage below has to pass before the next one starts, and the automated gates are wired into the build itself, so a page that fails the standard cannot ship by accident.
Build on the Engine
The site is built as static pages on the Villex Web Engine, with performance and accessibility decisions made from the first commit, not bolted on at the end.
Automated gates
Every build runs automated checks before it can ship: a performance budget gate that fails the build if any page ships an oversized image, and a motion-safety gate that verifies animations respect reduced-motion settings.
Draft deploy and review
Changes go out as a private draft first. We review the draft page by page before it is allowed to replace anything live.
Verify, then publish
Only after the gates are green and the draft passes visual review does the deploy go live, and the live site is checked again after publish.
The price is published. The date is written down.
Our pricing tiers are public on the pricing page, and your exact fixed price is agreed in writing before any work starts, typically a deposit to begin and the balance at launch, set out in the project agreement. There are no hourly surprises and no invoices you did not expect.
Your launch date is committed in writing too. If we miss it for reasons on our side, you receive a credit against your fee, as set out in your agreement. Scope changes are priced and approved by you in writing before they happen, never discovered on an invoice.
Watched around the clock, not checked when convenient
Sites on the Care Plan are monitored by automated health checks that run around the clock, verifying the site is reachable, loading within our performance budget, and free of the slow drift that creeps into websites over time. When a check fails, we know before you do, and usually before your customers do.
The same plan covers hosting, security, software and content updates, monthly Google Business Profile activity, and review management. And because ownership comes first, the Care Plan stays cancel-any-time: stop whenever you like and the site remains fully yours.
Hold us to all of it.
Ask about any standard on this page before you hire us. The answers do not change after the contract is signed.