de la Roza Group: Fractional CTO Services
How we transitioned a healthcare SaaS startup from hospital innovation project to production-ready company with secure IP ownership and enterprise-grade engineering practices
Project Overview
Client
de la Roza Group
Industry
Healthcare SaaS
Timeline
6 Months
Service
Fractional CTO
The Challenge: de la Roza Group was spinning out Arthur App—a patient communication platform—from Orlando Health into a standalone SaaS company. They needed engineering leadership to transition IP ownership, establish security best practices for hospital customers, and prepare the product for enterprise sales and potential M&A.
The Challenge
Arthur App was a successful hospital innovation project ready to become a standalone SaaS company selling to hospital customers nationwide. However, the company faced several critical challenges that needed addressing before they could successfully market and sell to enterprise healthcare customers.
Five Critical Areas Requiring Leadership
IP Ownership & Risk Management
All critical infrastructure (AWS, GitHub, Jira, Confluence, App Store) was owned or administered by external contractors. The company needed to take full ownership of their IP and reduce dependency risk while maintaining productive partnerships.
Security & Compliance Posture
Hospital customers require rigorous security practices. The initial assessment found PHI embedded in S3 object names (object keys are not covered by server-side encryption and appear in request URLs, S3 access logs and CloudTrail data events), data stored unencrypted at rest, no RBAC policies governing who could reach production PHI, and no IDS/IPS capability. Each of these is a red flag for a hospital IT security review.
Engineering Process & Visibility
No formal sprint planning, backlog grooming, or code review processes existed. Leadership had limited visibility into development progress and technical debt. The team needed structure without bureaucratic overhead.
Technical Documentation Gap
No architecture diagrams, build procedures, deployment runbooks, or developer onboarding documentation existed. This created a significant knowledge dependency on external contractors and made future hiring difficult.
M&A Readiness
Drawing from experience with a successful healthcare SaaS exit (EASE Applications), the founders wanted to ensure their engineering roadmap and security posture would withstand future due diligence scrutiny.
Our Approach
We provided part-time Fractional CTO services over 6 months, working systematically through each challenge area while documenting processes for future handoff to a full-time engineering leader.
1. Secured IP Ownership & Infrastructure
- Moved AWS root account ownership to company-controlled credentials and enabled MFA on the root user
- Migrated Jira and Confluence from contractor Atlassian instance to in-house ownership
- Established company ownership of GitHub organization with proper access controls
- Transferred Apple App Store Connect account holder role to company leadership
- Migrated Bitrise CI/CD and Sentry error tracking to company-administered accounts
2. Enhanced Security Posture
- Conducted comprehensive AppSec review identifying critical PHI exposure issues
- Enabled S3 encryption at rest and moved PHI out of S3 object names into protected storage
- Established role-based access control (RBAC) policies for production PHI access
- Set up AWS SES on a dedicated sending IP so hospital mail gateways could allow-list a stable, company-controlled address rather than a shared pool
- Documented graceful degradation for hospital networks that block outbound connections to Sentry and WebSocket endpoints
- Created security roadmap addressing IDS/IPS requirements for enterprise sales
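The two S3 findings above (PHI in object names, no encryption at rest) are the kind of thing a reviewer scripts rather than eyeballs. What follows is an added example, not code from the engagement or from Arthur App: it scans a constructed bucket listing for PHI-looking key fragments, derives opaque object names with a keyed hash so the mapping lives in the database instead of the key, and builds a bucket policy that denies uploads which are not SSE-KMS with the intended key or which arrive over plaintext HTTP. A small evaluator with deliberately simplified IAM condition semantics (an assumption, covering only the two operators the policy uses) shows which statement fires for a given request. The bucket name, KMS key ARN, HMAC secret and every object key are constructed for the example.

```python
"""Added example, not code from the engagement or from Arthur App.

Object keys are not covered by server-side encryption and show up in request
URLs, S3 access logs and CloudTrail data events, so they must not carry PHI.
Uploads should also be refused unless they are encrypted with the intended KMS
key over TLS. Every key, secret, bucket name and ARN below is constructed.
"""
import fnmatch
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Illustrative patterns for PHI-looking fragments in object keys (not exhaustive).
PHI_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "date_of_birth": re.compile(
        r"(?<!\d)(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])(?!\d)"),
    "mrn": re.compile(r"(?<![A-Za-z0-9])MRN\d{6,}(?!\d)", re.IGNORECASE),
    "name_like": re.compile(r"(?<![A-Za-z])[A-Z][a-z]+_[A-Z][a-z]+(?![a-z])"),  # First_Last
}

@dataclass(frozen=True)
class Finding:
    key: str
    kind: str

def scan_keys(keys):
    """One Finding per (key, pattern) hit. Run over a full bucket listing."""
    return [Finding(k, kind) for k in keys
            for kind, pat in PHI_PATTERNS.items() if pat.search(k)]

def opaque_key(tenant_id, patient_ref, doc_id, secret):
    """Object name that reveals nothing about the patient: HMAC-SHA256 under a
    secret held outside S3. The (tenant, patient, doc) -> key mapping belongs
    in the application database, never in the key itself."""
    msg = f"{tenant_id}|{patient_ref}|{doc_id}".encode()
    return f"{tenant_id}/{hmac.new(secret, msg, hashlib.sha256).hexdigest()}"

def encryption_bucket_policy(bucket, kms_key_arn):
    """Deny non-KMS uploads, uploads under the wrong key, and plaintext transport."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }

def _condition_holds(cond, ctx):
    # Simplified IAM semantics (assumption) for the two operators used above:
    # every key must match, and a negated operator on an absent key is true.
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if op == "StringNotEquals" and have == want:
                return False
            if op == "Bool" and have != want:
                return False
    return True

def denying_statement(policy, action, headers, tls=True):
    """Sid of the first Deny statement that blocks the request, or None.
    Toy evaluator for this policy shape only, not a general IAM engine."""
    ctx = dict(headers, **{"aws:SecureTransport": "true" if tls else "false"})
    for st in policy["Statement"]:
        if (st["Effect"] == "Deny" and fnmatch.fnmatch(action, st["Action"])
                and _condition_holds(st["Condition"], ctx)):
            return st["Sid"]
    return None

SAMPLE_KEYS = [  # constructed bucket listing; not real data
    "orlando/discharge/John_Smith_1978-03-14.pdf",
    "orlando/labs/MRN00123456/cbc.json",
    "orlando/intake/123-45-6789.pdf",
    "orlando/assets/logo.png",
]

if __name__ == "__main__":
    for f in scan_keys(SAMPLE_KEYS):
        print(f"PHI-like {f.kind:14} in key {f.key}")
    print("replacement:", opaque_key("orlando", "patient-42", "discharge-7", b"example-secret"))
    policy = encryption_bucket_policy("arthur-phi-example",
                                      "arn:aws:kms:us-east-1:123456789012:key/example")
    print(json.dumps(policy, indent=2))
    print("unencrypted upload denied by:", denying_statement(policy, "s3:PutObject", {}))
```

Two things worth knowing when applying this. The policy is evaluated against the request as sent, so SDK clients must set the server-side-encryption and KMS key ID headers explicitly; relying on bucket default encryption alone does not satisfy the condition and such uploads are denied. And the key scanner is a triage aid: a clean scan does not prove the absence of PHI, it only catches the obvious shapes, so the durable fix is the opaque naming scheme, not the scanner.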
3. Established Engineering Best Practices
- Implemented sprint planning and backlog grooming processes
- Established pull request and code review requirements for all changes
- Guided multi-tenant architecture decisions for scalable customer onboarding
- Reviewed database schema to validate multi-tenancy support
- Provided ongoing code quality reviews focusing on maintainability and security
4. Created Comprehensive Documentation
- Built architecture diagrams and entity-relationship diagrams
- Documented detailed build and deployment procedures for all components
- Created developer machine setup instructions with environment configuration
- Established VPN connection procedures for secure database access
- Documented network requirements for hospital IT departments
5. Strategic Product & Technical Guidance
- Influenced MVP prioritization to increase patient adoption (simplified mode)
- Analyzed and deferred costly infrastructure (Neptune) until business need validated
- Prevented per-customer infrastructure deployment pattern in favor of multi-tenancy
- Applied lessons learned from successful healthcare SaaS exit (EASE Applications)
- Prepared engineering roadmap to withstand M&A due diligence
Results
Key Outcomes
- Full company ownership of all IP and infrastructure (AWS, GitHub, tooling)
- Critical PHI security vulnerabilities identified and remediated
- Comprehensive technical documentation for future engineering hires
- Sprint planning and code review processes established with contractors
- Multi-tenant architecture validated for scalable customer onboarding
- Cost-optimized infrastructure (deferred Neptune, prevented per-customer deployment)
- Security roadmap aligned with hospital customer requirements
- Engineering maturity sufficient for M&A due diligence
- Clear handoff documentation for future full-time Head of Engineering
What Made This Successful
We balanced the urgency of taking IP ownership with maintaining productive contractor relationships. By documenting every process and decision, we ensured knowledge wouldn't be lost when transitioning to future leadership. The engagement drew on real-world experience with a successful healthcare SaaS exit, allowing us to anticipate and address issues that would arise during enterprise sales and potential acquisition.
Need Engineering Leadership?
Whether you need a Fractional CTO, security review, engineering process setup, or technical due diligence—we can help guide your product to the next level.