In the high-stakes world of medical technology, compliance isn't optional—it's fundamental. Yet the traditional narrative pits developer speed against security rigor, creating an apparent zero-sum game. Bradley Beddoes, CTO of Macuject—a startup developing solutions to preventable blindness—challenges this dichotomy, arguing that great developer experience and strong compliance can not only coexist but reinforce one another.

"When I first started thinking about how to build a great developer experience while maintaining rigorous compliance standards, I admit to seeing them as competing priorities: speed vs. safety, or, to put it another way, developer autonomy vs. audit bureaucracy. I was wrong. What I've learned is that great developer experience and strong compliance can genuinely reinforce one another."

At Macuject, Beddoes and his team consistently achieve annual attestations for SOC 2 and HIPAA while maintaining rapid development cycles. Their secret? Treating compliance not as a series of hurdles to clear, but as a design challenge with the explicit goal of making the compliant path the easy path.

The Human Element: Explaining the 'Why'

Developers tolerate friction they understand; they resent friction that seems arbitrary. This fundamental insight guides Macuject's approach to compliance.

"We invest significant time explaining why our compliance requirements exist," Beddoes explains. "In MedTech, we can point to real breaches, real consequences, real harm to patients. When developers understand that the controls they're working within exist to protect vulnerable people, the whole thing feels different. It's not bureaucracy; it's responsibility."

This education begins during onboarding and continues through regular communication, keeping the rationale behind compliance requirements front and center. The result is a team that sees security measures not as impediments, but as essential safeguards for the patients their technology serves.

Building Quality In First

Compliance-heavy environments typically introduce gates that review, scan, and approve work. These gates provide auditors with evidence of how the company ensures security and quality during development. However, gates that slow developers down create pressure to circumvent them.

"Slow feedback loops mean developers have moved on to other work by the time they learn about issues, making fixes more expensive, time-consuming, and frustrating," Beddoes notes.

Macuject's solution is to shift quality checks left—ensuring that linters, analyzers, and tests run locally in the IDE and before remote git branch pushes, not just in CI.

"A local verification process that catches an issue immediately beats a pipeline failure every time," Beddoes explains. "The developer is still in context, still thinking about that code, and can fix the problem as part of their normal flow."

While local checks can technically be bypassed, developers naturally prefer fast feedback and use these tools because they make their lives easier. By the time code reaches formal gates in CI, most issues have already been resolved, transforming these gates from blockers into confirmations.

Automating the Audit Trail

"If developers have to remember to do something for compliance, they'll resent it," Beddoes states. "The resentment isn't about the compliance requirement itself; it's about the cognitive load and the interruption to flow."

The solution? Automate relentlessly. Macuject has implemented standardized approaches for two key aspects of development:

  1. Branch naming: <JIRA-KEY>/descriptive-name-here (e.g., WA-1023/add-photos-to-user-profiles)
  2. PR templates: Standard templates across all repositories with headings and checklists for business, SOC 2, and HIPAA requirements

With these primitives in place, automation becomes possible:

Pull Request Automation

When a new PR is opened:
- Automatically linked to Jira based on branch naming
- PR names pre-pended with Jira key
- Comment added with link back to Jira issue
- Template pre-populated with required fields
- Risk level automatically flagged (high-risk changes receive extra scrutiny)
- Jira ticket automatically moved from "In Development" to "In Review"
- Checkers, linters, and tests invoked in order
- Once passed, human review requested

After approval and merge:
- PR thread copied to Jira as a comment
- PR assigned to next release
- Jira ticket moved to "Ready for UAT"

This automation creates an audit trail while reducing cognitive load on developers. The system handles the documentation, allowing developers to focus on writing code.
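As an added example (not Macuject's own automation), the following TypeScript shows how the two primitives above, the branch-naming convention and the standard PR template, give a PR-opened job everything it needs to link to Jira, prefix the PR title, check that the template sections are filled in, flag risk, and decide the Jira transition. The Jira base URL, the exact template heading text, the high-risk path patterns, and the sample PR event are all constructed assumptions for illustration; the real job would call the GitHub and Jira APIs with the values these functions return.

```typescript
// Added example: pure functions behind the PR-opened / PR-merged automation.
// Assumptions (hypothetical, not from the article): Jira base URL, template
// heading text, high-risk path patterns, and the sample event at the bottom.

const JIRA_BASE_URL = "https://example.atlassian.net/browse"; // hypothetical

// Branch convention from the article: <JIRA-KEY>/descriptive-name-here
// e.g. WA-1023/add-photos-to-user-profiles. Lower-case kebab slug only.
const BRANCH_RE = /^([A-Z][A-Z0-9]+-\d+)\/([a-z0-9]+(?:-[a-z0-9]+)*)$/;

interface BranchInfo { jiraKey: string; slug: string; }

function parseBranchName(branch: string): BranchInfo | null {
  const m = BRANCH_RE.exec(branch);
  return m ? { jiraKey: m[1], slug: m[2] } : null;
}

// Pre-pend the Jira key to the PR title; idempotent if a human already did it.
function prependJiraKey(title: string, jiraKey: string): string {
  return title.startsWith(`${jiraKey}:`) ? title : `${jiraKey}: ${title}`;
}

function jiraLinkComment(jiraKey: string): string {
  return `Tracked in Jira: ${JIRA_BASE_URL}/${jiraKey}`;
}

// The standard PR template carries business, SOC 2 and HIPAA sections;
// the literal heading text is an assumption.
const REQUIRED_SECTIONS = ["## Business", "## SOC 2", "## HIPAA"];

function missingSections(prBody: string): string[] {
  const lines = prBody.split("\n").map(l => l.trim());
  return REQUIRED_SECTIONS.filter(h => !lines.includes(h));
}

// Constructed heuristic: infrastructure, auth and schema changes get extra scrutiny.
const HIGH_RISK_PATHS = [/^infra\//, /(^|\/)auth\//, /(^|\/)migrations\//, /\.env/];

function isHighRisk(changedFiles: string[]): boolean {
  return changedFiles.some(f => HIGH_RISK_PATHS.some(re => re.test(f)));
}

interface PrEvent { branch: string; title: string; body: string; changedFiles: string[]; }
interface PrPlan {
  ok: boolean;                 // template complete and branch linkable
  title: string;               // title the job will write back to the PR
  comments: string[];          // comments the job will post
  highRisk: boolean;           // extra reviewer required
  jiraTransition: string | null; // "In Development" -> "In Review"
}

// Everything the PR-opened job should do, computed without side effects.
function planPrActions(ev: PrEvent): PrPlan {
  const info = parseBranchName(ev.branch);
  if (!info) {
    return {
      ok: false, title: ev.title, highRisk: false, jiraTransition: null,
      comments: [`Branch "${ev.branch}" does not match <JIRA-KEY>/descriptive-name-here; cannot link to Jira.`],
    };
  }
  const missing = missingSections(ev.body);
  const comments = [jiraLinkComment(info.jiraKey)];
  if (missing.length > 0) comments.push(`PR template sections missing: ${missing.join(", ")}`);
  const highRisk = isHighRisk(ev.changedFiles);
  if (highRisk) comments.push("High-risk change: additional reviewer required.");
  return { ok: missing.length === 0, title: prependJiraKey(ev.title, info.jiraKey), comments, highRisk, jiraTransition: "In Review" };
}

interface MergePlan { jiraComment: string; release: string; jiraTransition: string; }

// After approval and merge: copy the PR thread to Jira, assign the release, move the ticket.
function planMergeActions(prThread: string[], nextRelease: string): MergePlan {
  return { jiraComment: prThread.join("\n---\n"), release: nextRelease, jiraTransition: "Ready for UAT" };
}

// Constructed sample event, so the file runs stand-alone.
const sampleEvent: PrEvent = {
  branch: "WA-1023/add-photos-to-user-profiles",
  title: "Add photos to user profiles",
  body: "## Business\n- [x] Jira linked\n## SOC 2\n- [x] Change logged\n## HIPAA\n- [x] No PHI in logs\n",
  changedFiles: ["src/profile/photos.ts"],
};
console.log(JSON.stringify(planPrActions(sampleEvent), null, 2));
```

The functions are kept side-effect free so the same logic can be unit tested and run in a dry-run mode; the job wrapper that posts comments and transitions tickets is the only part that needs credentials.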

Infrastructure as Code: Eliminating Drift

Environmental issues represent a classic source of frustration in software development. Configuration drift across environments creates mysterious bugs, and managing multiple regions becomes a nightmare. In a compliance context, these problems are magnified—you need to demonstrate that your production environment has the controls you've documented.

Macuject's solution: heavy investment in Infrastructure as Code (IaC). The company has built an extensive AWS CDK project in TypeScript that defines all infrastructure across Development, UAT, and Production environments in both Australia and the US.

"The choice of TypeScript for our CDK project has been particularly valuable," Beddoes notes. "Compile-time type checking catches misconfigurations before deployment (well, usually, it is AWS, ask me about war stories). You find out about problems when you run the build, not when CloudFormation fails halfway through a deployment."

AWS provides the CDK Nag tool for compliance validation, which allows CI to fail builds unless developers have implemented the right controls or documented valid exceptions.

The Duality of Impatience and Patience

Beddoes articulates a leadership philosophy that underpins his approach to compliance: "Compliance is the patience. It is the understanding that quality, security, and safety are non-negotiable and take time. Developer experience is the impatience. It is the refusal to accept that 'rigour' must equal 'slowness,' and the drive to automate friction out of existence."

This duality manifests as a practical strategy: "Use the impatience of engineering to automate the patience of compliance."

Beyond Developer Workflow

While the article focuses on developer workflow automation, Beddoes acknowledges this is just one piece of a comprehensive compliance program. Macuject also rigorously implements:

  • Security monitoring and incident response
  • Vendor management
  • Data governance
  • Security training
  • Penetration testing and vulnerability management
  • Physical and administrative safeguards

"Obtaining annual attestations for SOC 2, HIPAA, and others is no easy task and requires the involvement of the entire business to be successful," Beddoes concludes.

For teams feeling the tension between compliance and developer productivity, his advice is straightforward: "Start by asking your developers what slows them down most. I'd bet that you can solve at least some of these without compromising compliance posture. Often, the solution will strengthen both."

The ultimate goal, as Beddoes sees it, is to move the conversation from "How do we pass the audit?" to "How do we design our developer experience to make compliance a feature, not a hassle?"

Source: Bradley Beddoes, CTO of Macuject. Original post available at https://bradleybeddoes.com/posts/building-developer-experience-in-medtech