The "we are too small to be a target" assumption is wrong, but it is also irrelevant. The reason every Heed build sits behind Cloudflare Zero Trust has less to do with hypothetical attackers and more to do with a real, recurring scenario: the SMB lands an enterprise client, the enterprise security team sends a 60-page questionnaire, and the SMB realizes they cannot answer half of the questions.

That moment is where deals stall, contracts get rewritten, or the engagement gets handed to a competitor with better security posture. Cloudflare Zero Trust is the operating answer that fits the SMB budget, scales with the firm, and produces audit-grade evidence on day one.

What Zero Trust Actually Means in 2026

"Zero Trust" was coined by Forrester in 2010 and spent most of a decade as a marketing label before NIST SP 800-207 (2020) pinned it down as an architecture. By 2026, it means five concrete things, all of which Cloudflare delivers as a SaaS layer in front of whatever you are running.

Identity-aware proxy. Every request to your custom app reaches Cloudflare's edge first. Cloudflare Access verifies the user's identity against your IdP (Microsoft Entra ID, Google Workspace, Okta, or similar), evaluates the access policy, and only then forwards the request to the application. Unauthenticated traffic never touches your origin, on one condition: the origin has to be reachable only through Cloudflare, either over a Cloudflare Tunnel or with an origin that refuses connections that do not come from Cloudflare (Authenticated Origin Pulls or a firewall limited to Cloudflare's IP ranges). An origin that also answers on a public IP can be hit directly, and then the proxy protects nothing.

Edge enforcement. Access decisions happen at Cloudflare's edge, not in your application, so the application does not implement login flows, session management, or policy logic. What it must still do is check that a request really came through Access: verify the Cf-Access-Jwt-Assertion token Cloudflare attaches (an RS256 JWT signed with keys published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs, carrying the application's AUD tag in its aud claim) and take the user identity from that token's claims. The plain Cf-Access-Authenticated-User-Email header is convenient for logging, but anything that can reach the origin can set it, so it is never the basis for an authorization decision.

No VPN. The legacy VPN model ("if you are inside the network, you are trusted") is gone. Every request, from every user, on every device, is evaluated independently. Working from a coffee shop or a CFO's home office is the same security posture as working from the office.

Per-user, per-app access policies. The CFO can hit the financial dashboard. The intern cannot. The auditor can hit the read-only audit log. Nobody else can. Policies are written once and enforced everywhere.

Session expiry and audit logging. Access sessions expire on a duration you set per application, after which the user re-authenticates with the IdP. Cloudflare logs every authentication event and every access decision, allow or deny. The log is exportable (Logpush can deliver it to your own storage or SIEM), searchable, and the kind of artifact enterprise security reviewers want to see.

How We Wire It Into Custom AI Builds

The Heed pattern is consistent across every build, whether it is a structural engineering firm or a high net worth law practice. Here is the architecture.

Cloudflare Access in front of every dashboard route. Every URL that exposes a UI or an API sits behind an Access application with its own policy. The policy specifies who (identity or IdP group), when, from where (country, IP range), and on what device; most device posture checks need the Cloudflare WARP client installed on the endpoint, so plan that rollout if you want them. If the request does not match, it never reaches the application.

Service tokens for machine clients. When something that is not a person (a scheduled job, a connector worker, another service) needs to call one of the application's Access-protected endpoints, it authenticates with a Cloudflare Access service token, a client ID and client secret pair presented in the CF-Access-Client-Id and CF-Access-Client-Secret headers and matched by a Service Auth policy, instead of a shared password. Tokens have a lifetime you set when you create them, are accepted only by the applications whose policies name them, and every use shows up in the Access log. Note the boundary: a service token proves identity to Cloudflare Access, not to QuickBooks, Salesforce, Lawcus, or RingCentral. The outbound credentials for those systems are the OAuth tokens each vendor issues, and they belong in the application's own secret store.

Per-action audit logging. On top of the access logs Cloudflare provides, the application logs every material action the user takes: who viewed which client record, who triggered which AI agent, what prompt and what response. Each entry is keyed to the identity from the verified Access token, so the application log and the Cloudflare log join on the same user. That log is the evidence layer for ISO 42001, SOC 2, and HIPAA, depending on the build. Prompts and responses can contain client data, so the log gets the same access controls and retention rules as the records it describes.

Identity provider integration. We integrate Cloudflare Access with whichever IdP the firm already runs. For most clients that is Microsoft Entra ID (formerly Azure AD), Google Workspace, or Okta. The user signs in once, and that identity follows them across the application, the connectors, and the audit log.

The Economics

Cloudflare Zero Trust pricing is the part that makes the whole thing feasible at SMB scale. Cloudflare's free tier covers up to 50 users, and the paid plan most of our clients run on lists at $7 to $10 per user per month at the time of writing. For a 50-person firm on the paid plan, that is on the order of $4,000 to $6,000 per year. Compare that to what it costs to spin up a comparable internal IAM stack from scratch.

$50K+
Estimated cost to build, deploy, and run a comparable identity-aware proxy and audit-logging stack internally over the first year, without the global edge or 24/7 operations.

That math is why we do not even have a conversation about building this layer ourselves. Cloudflare's edge runs in 320+ cities. The SOC 2 and ISO 27001 certifications are theirs. The 24/7 operations team is theirs. We just configure it.

Compliance Posture

ISO 42001, SOC 2, HIPAA, and the EU AI Act all care about access control, and the questions they ask look like this: Who can access this data? How do you know? When were they granted access? When was that access revoked? What did they do during their session? Show me the log.

Cloudflare Zero Trust answers every one of those questions out of the box. The answer is the same in production at month one as it is at month sixty. Auditors love consistency more than they love elegance.

For HIPAA-regulated clients, Cloudflare will sign a Business Associate Agreement; confirm which plan tier the BAA is offered on before you promise it to a client. For SOC 2 audits, Cloudflare's own SOC 2 Type II report (available from Cloudflare on request) goes into your evidence package as a subservice organization report. For ISO 42001, the access controls and audit logs cover the access and traceability requirements; the AI management system controls specific to that standard, such as impact assessments and model lifecycle records, still need your own evidence.

Reference Builds

Both of the case studies we publish on this site sit behind Cloudflare Zero Trust. California's largest hillside structural engineering firm runs ~20 users with Microsoft Entra ID SSO behind Cloudflare Access. The firm's BCF compliance posture, the audit log, and the per-user access policies are all driven from that one configuration. The full architecture is in the structural engineering case study.

The Encino-based estate and family law firm serving high net worth families has even tighter requirements: per-matter access controls, per-attorney session policies, and an audit log that survives a privilege review. Cloudflare Zero Trust sits in front of the entire employee dashboard, the Lawcus connector, the RingCentral integration, and every AI agent. The full picture is in the law firm dashboard case study.

The Bottom Line

If you are running a custom application without an identity-aware proxy in front of it, you have a security exposure and a compliance gap. Both get worse the bigger your client base gets. Cloudflare Zero Trust is the cheapest, fastest, and most defensible answer. Every Heed build uses it. There is more detail on our security page, but the short version is: this is non-negotiable, and the math says it should be.