Giroteam
Solutions / Cloud & Infrastructure

Foundations
that scale predictably —
and bill predictably.

Cloud architectures designed around your actual workload — not the vendor slide deck. Cost-aware, observability-first, infrastructure-as-code from day one. The kind of foundation you stop thinking about.

Book an architecture review See architecture choices
Provisioning
100 %
as code
Median saving
38 %
post-audit
Reliability target
99.95 %
monthly
infra · live status
ALL SYSTEMS NORMAL
Edge · CDN
Compute · 2 AZ
Data tier
Observability
REGION · EU-WEST-1 CDN CloudFront 42 PoP · WAF ALB load-balance COMPUTE · AZ-1 ECS Fargate · 4 tasks autoscale · CPU 34% COMPUTE · AZ-2 ECS Fargate · 4 tasks autoscale · CPU 31% DATA · primary + replica PostgreSQL 16 · RDS Multi-AZ · PITR · automated backups S3 · objects + audit versioning · lifecycle · cross-region CACHE · QUEUE ElastiCache · SQS Redis cluster · DLQ enforced SECRETS · KMS rotation · IAM-scoped
Uptime · 30d99.97 %
P95 latency142 ms
Error rate0.04 %
Cost vs budget€ 4,820 · 86%
↳ Live topology + telemetry from a client deployment. Region and account identifiers redacted.
§ 01 / Thesis

The cloud bill is
a design artefact.

Most cloud overspending isn't a procurement problem — it's an architecture problem one or two diagrams ago. By the time the invoice arrives, the decision that caused it is months old.

We design cloud the way other engineers design databases: workload first, cost shape inferred, observability planned, vendor coupling minimised — before any resource gets provisioned.

What we will build
  • Right-sized greenfield architectures
  • Cost & reliability audits with written verdicts
  • Migrations from on-prem or legacy clouds
  • Observability-first platform foundations
What we won't
  • Multi-cloud-for-resume reasons
  • Kubernetes when ECS or a single VM would do
  • Premium managed services without a workload reason
  • "Lift & shift" with no architectural verdict
§ 02 / The ladder

Most teams over-build by two rungs.

There is a ladder of architectural complexity. Each rung up costs more — in money, latency, on-call burden, and time to onboard a new engineer. The right architecture is the lowest rung that fits the workload.

▁ R · 01
Single VM + managed DB
≤ 100 RPS
low
If your traffic fits one VM, it should run on one VM. Snapshots are cheap, debugging is trivial.
▂ R · 02
Containers · ECS Fargate
≤ 5k RPS
low–med
Auto-scale, multi-AZ, no node management. The default for almost every business workload we ship.
▃ R · 03
Containers + read replicas + cache
≤ 50k RPS
medium
Where most growth-stage SaaS lives. Vertical scaling exhausted, horizontal isn't yet warranted at the data tier.
▄ R · 04
Sharded data + queue-driven workers
≤ 500k RPS
high
Real horizontal scale. Earned, not architected for fun. Most teams don't need this.
▅ R · 05
Multi-region + Kubernetes + service mesh
global · regulated
very high
A platform team's full-time job. We've built this. We've also un-built it for clients who didn't need it yet.

↪ The first rung your workload can't sustain is the rung you should be on. Not the rung your last conference talk was about.

§ 03 / What we build

Six shapes of infrastructure work.

The actual archetypes our cloud engagements fall into. Most clients combine two or three.
A · Greenfield

New platform foundations

Designing the cloud spine for a new product or business unit. Cost shape, observability, and security baked in before the first deploy.

Output → IaC repo · runbooks · dashboards
B · Migration

On-prem & legacy migrations

Strangler-fig moves from datacentre, Heroku, or older AWS estates into a modern, audited, costed cloud foundation. No big-bang.

Output → cutover plan · slice-by-slice
C · Cost audit

FinOps & cost audits

A structured pass over an existing estate. Median saving across our audits is 38% — usually without compromising reliability or velocity.

Output → ranked savings · written brief
D · Reliability

Reliability & SRE bring-up

SLOs, alerting, on-call runbooks, post-mortem culture. Often where the team is one outage away from being convinced they need it.

Output → SLOs · pages that mean something
E · Security

Hardening & compliance

IAM tightening, secrets handling, network segmentation, audit trails. The plumbing your SOC2 / ISO auditor expects to find before they ask.

Output → controls · evidence · trail
F · DevEx

CI/CD & developer platform

The pipes that make shipping cheap and safe — pipelines, environments, previews, feature flags. Velocity is a property of the platform, not the team.

Output → deploy in < 8 min · zero-touch
§ 04 / Reliability

The boring scaffolding
that makes infrastructure
forgettable.

None of these are optional in our work. Together they're the difference between an architecture diagram and a thing your team trusts at 3am.
R · 01non-negotiable

Infrastructure as code

Terraform or CDK, version-controlled, reviewable. The cloud console is for reading, not writing. No clicked-into-existence resources.

R · 02non-negotiable

Observability first

Logs, metrics, traces wired in before the second feature ships. You hear about the fault before your customer does. Always.

R · 03non-negotiable

Tested backups

Every backup restore-tested on a schedule. An untested backup is a hope, not a recovery plan.

R · 04non-negotiable

Zero-touch deploys

One PR merge → production in under ten minutes, with rollback in seconds. Heroes are a smell; pipelines are the answer.

R · 05non-negotiable

Least-privilege IAM

No long-lived keys. Scoped roles per service, audited at review-time. A breach should fail to escalate, not fail to detect.

R · 06non-negotiable

Cost telemetry

Cost-per-tenant, cost-per-feature, cost-per-deploy — surfaced in the same dashboards as latency. You can't optimise what isn't observable.

§ 05 / Provider choice

AWS, GCP, Hetzner — and when each is right.

We're cloud-agnostic by design. The architecture decides which provider runs each tier — usually one, occasionally two, never "multi-cloud because Gartner".
AWS
Default for most workloads
Mature ecosystem, deep IAM, best-in-class managed data services.
Egress-heavy workloads, simple monoliths where Hetzner is 8× cheaper.
GCP
Data-heavy & ML stacks
BigQuery, Vertex, simpler networking, often kinder pricing on egress.
Teams already deep in AWS-native services with no clear migration win.
HETZNER
Cost-aware EU workloads
Bare-metal pricing, EU sovereignty, plenty for stable workloads.
Heavy reliance on managed services, regulated sectors expecting hyperscaler lineage.
AZURE
Enterprise & M365 estates
Existing MS licensing, AD integration, regulated industries.
Greenfield SaaS without an existing Microsoft footprint.
Cloudflare
Edge & perimeter
CDN, WAF, DDoS, Workers for edge logic. Almost always part of the stack.
Stateful core compute — that belongs in your primary cloud.

↪ Architectures behind adapters: switching primary providers should take a quarter, not a rebuild.

§ 06 / Method

Four phases — no big-bang at any of them.

Whether we're greenfielding or migrating, the rhythm is the same: diagnose, design, deliver in slices, and stay long enough to hand off cleanly.

Phase 01 — 2 weeks

Audit

Existing estate read end-to-end: cost, reliability, security, velocity. Output: a written brief and a ranked verdict.

Phase 02 — 2–4 weeks

Design

Target architecture chosen on the ladder. IaC repo scaffolded, network + IAM model agreed, cost model written down.

Phase 03 — 1–4 months

Deliver

Slice-by-slice cutover. Every slice is independently revertable. The team rehearses rollback before it ever runs in production.

Phase 04 — ongoing

Operate

We stay on as the platform grows: tuning, evolving, transferring knowledge to your team — until you no longer need us.

§ 07 / Engagement

Three ways to start.

Tier 01Fixed fee

Audit

Two-week structured review of an existing cloud estate: cost, reliability, security, developer velocity. Written brief at handover.

DURATION2 weeks
TEAM2 senior
PRICINGFixed fee
  • Ranked savings list (median 38%)
  • Reliability & security verdict
  • Written brief — yours to keep
Brief an Audit →
Tier 02 · most common

Build / Migrate

End-to-end design and delivery of a new cloud foundation, or a slice-by-slice migration from on-prem or legacy clouds.

DURATION2–6 months
TEAM2–4 senior
PRICINGT&M with cap
  • 100% IaC, version-controlled
  • All six reliability standards baked in
  • Knowledge transfer from week one
Scope a Build →
Tier 03Long-term

Operate

We own the platform end-to-end as your fractional infra team — on-call, evolution, FinOps — until your team takes the keys.

DURATION6+ months
TEAMEmbedded
PRICINGMonthly retainer
  • SLA-backed (target 99.95%)
  • Quarterly cost & reliability review
  • Hand-off plan from day one
Discuss Operate →

↪ Indicative. Every engagement is scoped from a written brief — no hourly surprises, no change-request theatre.

§ 08 / Proof

A SaaS platform cut its bill from €32k to €11k a month — while improving reliability.

Monthly cost
−66%
€32k → €11k
Uptime · 12mo
99.97%
▲ from 99.81%
Deploy time
7 m
▼ from 51 min
"We didn't change clouds. We changed the architecture inside the same one, and stopped paying for things we didn't use."
— CTO · Iberian SaaS · NDA
Read the full caseAll case studies
§ 09 / Objections

The questions we hear on every first call.

Mostly versions of "are we on the wrong cloud", "can we actually leave", and "what about Kubernetes". Fair questions.

Q · 01

"Should we be on AWS / GCP / Azure / Hetzner?"

+
Probably the one you're already on, with the architecture changed. Re-platforming is rarely worth it on cost alone — re-architecting almost always is. The audit names which.
Q · 02

"Do we need Kubernetes?"

+
Almost certainly not yet. ECS Fargate, Cloud Run, or even a single well-tuned VM handle the workload of most growth-stage businesses. We've installed Kubernetes; we've also un-installed it. Both are valid moves.
Q · 03

"How do we leave a cloud if we have to?"

+
The answer starts at the architecture, not the contract. Provider-neutral primitives where possible (containers, Postgres, S3-API), provider-specific where the value is real (IAM, queues). Switching primary providers should take a quarter, not a rebuild.
Q · 04

"What's the smallest engagement that's worth it?"

+
The two-week audit. Most clients recover its cost in the first month from the ranked savings list — and roughly a third stop there with the brief in hand and never need a follow-up.
Q · 05

"Can you work alongside our existing platform team?"

+
Most engagements have one. We pair on PRs, review architecture together, and treat your engineers as the eventual owners. The hand-off plan is part of the architecture from week one — not a closing slide.
Currently accepting Q3 engagements

What's the line on your cloud bill nobody can fully explain?

That's the right place to start. Bring it to a 30-minute call — we'll tell you, honestly, what the audit would find and what it would take to fix it.

Primary
Book an architecture review
30 min · video · EN/ES/DE
Or — written
hello@giroteam.com
Reply within one working day.