Skip to content
Villex Web VILLEX WEB Fast. Owned. Found.
Trust Center

How we earn the right to build your website

Trust should not require taking our word for it. This page sets out the standards every Villex Web build is held to: who owns what, how the sites are secured, what happens to visitor data, and what you can expect from the process and the invoice. Everything described here is practiced on this very site.

The ownership promise

Your site is yours. Full stop.

Much of the web industry runs on quiet lock-in: sites you rent monthly, code the vendor keeps, and accounts registered in someone else's name so leaving hurts. We refuse that model. When a Villex Web build launches, the code and the content are yours outright, with full admin access to every account: domain, hosting, analytics, and forms.

The optional Care Plan is a service, not a lease. Cancel it any time and you keep the site, the code, and every account. There is no scenario in which we hold your website hostage, and we put that in writing in your project agreement.

What ownership means here
You hold the code and all content, with full admin
Domain and hosting accounts registered to you
No proprietary platform your site cannot leave
Care Plan is cancel-any-time; you keep the site
Handover documentation so any developer can take over
Ownership terms written into the project agreement
Security posture

Secure by architecture, not by patching

Most small-business website breaches come through the software stack: an outdated plugin, a database exposed to the internet, an admin login waiting to be guessed. Our builds remove those doors instead of guarding them. Every site ships as static pages: no database, no server-side code executing per visit, and no plugin ecosystem to keep patched. That is a structurally smaller attack surface, not a promise to stay on top of updates.

On top of the architecture, every build ships a strict set of security headers. This site runs all of the following right now, and client builds get the same treatment.

Header What it protects against
Content-Security-Policy Scripts can only load from our own domain and our analytics provider. Injected or third-party scripts are refused by the browser.
Strict-Transport-Security Browsers are told to only ever connect over encrypted HTTPS, with preload.
X-Frame-Options and frame-ancestors The site cannot be embedded in a hostile frame, which blocks clickjacking.
X-Content-Type-Options Browsers cannot be tricked into running a file as a different type.
Cross-Origin-Opener-Policy and Resource-Policy The site is isolated from cross-origin windows and its assets from cross-origin reads.
Referrer-Policy and Permissions-Policy Visitor navigation data is kept minimal, and camera, microphone, and location access are switched off.
Privacy

No tracking cookies. No cookie banner needed.

This site measures traffic with cookieless analytics: aggregate page counts with no cookies set and no individual visitor profiles built. Because no tracking cookies exist, there is no consent banner interrupting your visit, and nothing following you around the web afterward.

Fonts are self-hosted on our own domain, so font requests never send visitor data to a third-party font service. Contact and audit forms send your details to our inbox so we can reply, and that is the whole journey: we do not sell, rent, or share visitor data. The full policy is on the privacy page.

The privacy defaults
Cookieless, aggregate-only analytics
No advertising or cross-site tracking pixels
No cookie consent banner, because none is required
Fonts served from our own domain
Form submissions go to our inbox, nowhere else
Visitor data is never sold or shared
Accessibility commitment

Built for every visitor

We build to the WCAG AA standard as the target on every project. In practice that means semantic HTML a screen reader can navigate, a skip-to-content link and full keyboard access, visible focus states, and color contrast checked against the AA thresholds.

Motion is treated as an enhancement, never a requirement. Every animation on this site checks your reduced-motion system setting and switches itself off if you have asked for less movement, and an automated check verifies that behavior on every build. Details and our contact route for accessibility issues are on the accessibility page.

What that covers
WCAG AA as the working target on every build
Keyboard navigable, with a skip-to-content link
Semantic landmarks and labels for screen readers
Color contrast held to AA thresholds
Reduced-motion settings respected by every animation
An automated motion-safety check on every build
The launch process

Nothing goes live on a hunch

A launch is a series of gates, not a button press. Each stage below has to pass before the next one starts, and the automated gates are wired into the build itself, so a page that fails the standard cannot ship by accident.

01

Build on the Engine

The site is built as static pages on the Villex Web Engine, with performance and accessibility decisions made from the first commit, not bolted on at the end.

02

Automated gates

Every build runs automated checks before it can ship: a performance budget gate that fails the build if any page ships an oversized image, and a motion-safety gate that verifies animations respect reduced-motion settings.

03

Draft deploy and review

Changes go out as a private draft first. We review the draft page by page before it is allowed to replace anything live.

04

Verify, then publish

Only after the gates are green and the draft passes visual review does the deploy go live, and the live site is checked again after publish.

Payment and project expectations

The price is published. The date is written down.

Our pricing tiers are public on the pricing page, and your exact fixed price is agreed in writing before any work starts, typically a deposit to begin and the balance at launch, set out in the project agreement. There are no hourly surprises and no invoices you did not expect.

Your launch date is committed in writing too. If we miss it for reasons on our side, you receive a credit against your fee, as set out in your agreement. Scope changes are priced and approved by you in writing before they happen, never discovered on an invoice.

What you can hold us to
Published pricing tiers, in the open
A fixed price agreed in writing before work begins
Deposit and balance structure set out up front
A written launch-date commitment, with a credit if we miss it
Scope changes approved by you in writing first
No surprise invoices, ever
Care plan standards

Watched around the clock, not checked when convenient

Sites on the Care Plan are monitored by automated health checks that run around the clock, verifying the site is reachable, loading within our performance budget, and free of the slow drift that creeps into websites over time. When a check fails, we know before you do, and usually before your customers do.

The same plan covers hosting, security, software and content updates, monthly Google Business Profile activity, and review management. And because ownership comes first, the Care Plan stays cancel-any-time: stop whenever you like and the site remains fully yours.

The monitoring standard
Automated uptime checks running 24/7
Load-time checks against a written performance budget
Alerts on drift, not just outages
Security headers and software kept current
Monthly reporting you can actually read
Cancel any time and keep the site

Hold us to all of it.

Ask about any standard on this page before you hire us. The answers do not change after the contract is signed.

Call now Get free audit