Salt & Scale

Ecommerce engineering · Audits & strategy

Audits & strategy consulting.

Fixed-scope, fixed-price reviews of Shopify and Adobe Commerce stores. Code, performance, security, accessibility, delivered as a written report with prioritized findings, not a slide deck.

In short

Before investing in a build or migration, it helps to know exactly what you're working with. Salt & Scale offers structured technical audits of Shopify and Adobe Commerce stores: code quality, performance against Core Web Vitals, security posture, accessibility conformance, and integration reliability. Audit deliverables are written reports with prioritized findings and clear recommendations, not slide decks full of theory. Strategy consulting covers platform migration planning, stack evaluation, and technical roadmap development for brands making significant platform decisions. Every audit and strategy engagement is a fixed-scope, fixed-price engagement with a clear written deliverable, so you know what you're getting before you sign.

Scope of work

What's included.

  • 01

    Code reviews and architecture audits

    Structured review of Shopify theme, Adobe Commerce modules, or custom application code: quality, maintainability, security, and performance findings with severity ratings.

  • 02

    Performance audits

    Core Web Vitals analysis (LCP, INP, CLS) in both lab and field data, root-cause identification, and a prioritized remediation plan ordered by impact-to-effort ratio.

  • 03

    Security reviews

    Surface review of exposed credentials, CSP headers, third-party script risks, API key handling, and known vulnerability patterns in Shopify and Adobe Commerce codebases.

  • 04

    Accessibility conformance review

    WCAG 2.2 AA automated and manual review (keyboard navigation, screen-reader semantics, color contrast, form accessibility, and focus management) with a findings log and fix guide.

  • 05

    Platform migration planning

    Data mapping for catalog, customers, and orders; SEO redirect strategy; risk register; timeline estimate; and vendor evaluation framework for the build phase.

  • 06

    Executive-ready reporting

    Written reports designed to be shared with non-technical stakeholders. Findings translated to business risk, recommendations tied to ROI, and a clear ask for what needs to happen next.

The process

Scope. Review. Deliver.

01 Scope

Define and grant access.

We define the audit scope and you grant read-only access to the codebase, staging environment, and any relevant analytics or monitoring data. No write access needed.

02 Review

Tools paired with judgment.

We work through the defined scope systematically: automated tooling (axe-core, Lighthouse, OWASP ZAP scans) paired with manual review. No findings sourced from guesswork.

03 Deliver

Written report, debrief call.

Findings delivered as a written report with severity ratings, prioritized recommendations, and a 30-minute debrief call to walk through the findings and answer questions.

What we aim for

Outcomes we target.

01

Clear prioritization

Every finding is rated by severity and ordered by impact-to-effort ratio. You walk away knowing what to fix first and why, not with a flat list of 47 items with no guidance.

02

Actionable recommendations

Recommendations written for engineers who need to implement them, not for consultants who need to invoice another engagement. Where possible, we include code examples.

03

Decisions made with confidence

Whether you're deciding to rebuild, migrate, or stay, the goal of the strategy work is to give you the information to make that decision without wondering what you're missing.

Audit scope and depth vary by engagement. The report is a point-in-time assessment. Findings may change as the codebase evolves after delivery.

Common questions

Things people ask first.

If your question isn't here, send a note. Most replies come back the same business day.

  • What does a technical audit cover?
    A full technical audit covers: code quality and architecture review, Core Web Vitals performance analysis (LCP, INP, CLS), accessibility conformance against WCAG 2.2 AA, security surface review (exposed API keys, CSP headers, third-party scripts), integration reliability review, and SEO technical foundation check. You receive a written report with findings categorized by severity and prioritized recommendations. Scope can be narrowed to a single area (performance-only, accessibility-only, etc.) for a faster turnaround.
  • How long does an audit take?
    A focused single-area audit (performance-only, for example) typically takes three to five business days. A full technical audit covering code, performance, accessibility, and security takes seven to ten business days. Timeline starts from when we have access to the codebase and any relevant staging environment.
  • What do I get at the end of a strategy engagement?
    A written document. Not slides, not a Notion board. Depending on the scope: a platform migration blueprint with data mapping, risk register, and timeline estimate; a stack evaluation comparing two to three options with tradeoffs stated explicitly; or a technical roadmap with prioritized initiatives tied to business goals. The deliverable is designed to be handed to a technical team or a board, depending on what you need.
  • Do you implement the recommendations after the audit?
    That's up to you. We offer both audit-only engagements and audit-plus-implementation. An audit-only engagement gives you the findings and you implement them yourself or with another vendor. An audit-plus-implementation adds a scoped build engagement where we fix the prioritized issues. The audit scope doesn't change either way. The recommendations are honest regardless of whether we do the follow-on work.

Know what you're working with.

Tell us what platform you're on, what you're trying to decide, and what access you can provide. We'll scope the engagement and respond within one business day.