Design → Engineering Handover

CyberSight Forensics marketing website

Everything Engineering needs to build the site cleanly: the approved design reference, the policy pages, brand assets, the form-backend architecture (database + WhatsApp), and the legal Go-Live Gate. The design is final and legally cleared at launch wording — this pack tells you what to build, what to wire, and what must be true before it goes public.

BUILD-READY — start now PUBLIC LAUNCH — gated on the Go-Live Gate
Matter BTC-CS2026 Pack DS-HO-0001 · A1-C01 Date 13 June 2026 Design status Tier-1, Themis-cleared

Read me first

The one rule that governs everything

Build proceeds now. The site does not go public until the Go-Live Gate is cleared and Themis signs off against the live build. Nothing in this pack blocks you from building — the constraint is on going public, not on building.

The copy on the site is immutable: it is Themis-approved Tier-1 wording (verbatim from WD-0001). Any wording change re-triggers legal sign-off, so treat all visible text as locked content — build it as discrete, swappable copy blocks but do not paraphrase. Real-world facts that aren't known yet render as visible [bracketed placeholders]; each is wired as a one-line swap (see Outstanding facts).

Two source documents rule the build. legal/IN-0001 is the master worklist + Go-Live Gate — build against it top to bottom. legal/WD-0001 holds the exact copy to paste. This pack is the map; those two are the authority.

Visual tour

What you're building

A single-page marketing site (seven sections) plus a policies page that splits into five routes in production. Light/dark theme toggle, keyboard-and-screen-reader accessible (WCAG 2.2 AA), no cookies, no analytics. Screens below are from the approved reference build.

Website hero: 'Forensic clarity, supporting justice.' headline beside an evidence-record card
01 · HeroHeadline, sub, dual CTA (pilot intake + services) and the signature "evidence record" card. Header carries search, language picker, theme toggle and a mobile menu.
Core services section with capability cards
02 · ServicesSix capabilities on a documented standard. Card grid, amber dot motif.
Process section: intake to documented report, four steps
03 · ProcessIntake → acquire → analyse → report. Emergency triage scoped to retainer clients (Tier-1).
Engagement structure: three pricing tiers
04 · EngagementThree ways to work together. SLA language carries "target"/retainer scoping.
Compliance and certifications section, Lawful by design
05 · Compliance"Working towards" wording only — no badges. This is the legally-sensitive block; do not alter copy.
Contact section with enquiry form
06 · Contact / enquiry formThe form you'll wire to a backend (see Form & data). Fields: name, org, work email, phone, interest, message.
FAQ section
07 · FAQCommon questions. Answers 1 & 5 carry the retainer-only emergency scoping.
Footer with legal block, registered office, ICO number and non-affiliation disclaimer
Footer · legal blockRenders site-wide. Registered name + office (config values), company no. 15312330, ICO ZC098139, non-affiliation disclaimer, "Working towards" line, and the five policy links.
Policies page top with build note and route list
Policies pageFive statutory pages in one reference file — /privacy /cookies /terms /accessibility /modern-slavery. Verbatim WD-0001 copy; highlighted brackets are facts to supply.

What's in the pack

File map

FileWhat it isFor
CyberSight Website.htmlThe design reference — fully interactive. Build the production site to match this.Engineering
CyberSight Policies.htmlThe five policy pages (verbatim approved copy). Ship as separate routes.Engineering
Facts Pack Request.mdFill-in sheet for every outstanding real-world fact.Principal
Form Backend Build Brief.mdEnquiry capture → database → WhatsApp architecture + SP-0001 compliance map.Engineering
legal/IN-0001Master worklist + Go-Live Gate. Build against this.Engineering
legal/WD-0001Approved verbatim copy (D-1→D-9). Paste exactly.Engineering
legal/SP-0001Legal requirements for the form backend (the brief above implements these).Engineering
audits/Site AuditSecurity, bugs, SEO, performance, responsive, UK-legal review. Baseline CSP here.Engineering
audits/WCAG AuditAccessibility audit + contrast table. Non-negotiables to preserve.Engineering
brand/Brand GuidelinesColour, type, logo usage rules.Engineering / design
exports/Logo marks (SVG + PNG, all variants); favicon; OG image.Engineering

Do not ship tweaks-panel.jsx or #tweaks-root. That's design-review tooling only — strip it from the production build (see Build notes).

Design system at a glance

Tokens & type

Full rules live in Brand Guidelines. The essentials:

Colour

Parchment#f8f7f4
Ink#1c2530
Navy#23436c
Navy bright#3a6296
Amber#e7a13d
Muted#5c646f
Rule#dad7d2

Amber is the single accent — used sparingly for kickers, the evidence-card icon, and primary emphasis. Navy-bright is the focus-ring colour (3px, 2px offset).

Type

Forensic clarity
Space Grotesk 400/500/600 — display & headings
Body copy runs in Source Sans 3 at 16–17px, line-height ~1.65.
Source Sans 3 400/600 — body
EVIDENCE RECORD · 01
IBM Plex Mono 400/500 — labels, kickers, data

All three are SIL Open Font Licence — self-host WOFF2 subsets with font-display: swap for production (don't ship the Google Fonts CDN link).

Logo

CyberSight scan mark (reversed)
CYBERSIGHT FORENSICS

Site uses cybersight-mark-scan-reversed.svg on dark grounds and cybersight-mark-scan-badge.png as favicon. The wordmark is live text (Space Grotesk 500, 0.12em tracking), not an image. focus/sight mark variants are alternates, not used on the site.

Build notes

Engineering checklist

Full detail in Site Audit and IN-0001. The headline tasks:

TaskDetailFlag
Strip review toolingRemove the Tweaks panel scripts + #tweaks-root — must not ship.Required
Self-host fontsWOFF2 subsets, font-display: swap; drop the CDN link.Required
Form backendBuild to the Form Backend Build Brief + SP-0001. Report back the four/five items.Blocker
Security headersCSP, HSTS max-age=31536000; includeSubDomains; preload, nosniff, X-Frame-Options: DENY, Permissions-Policy. Baseline CSP in the audit.Required
Policy routesSplit the policies file into /privacy /cookies /terms /accessibility /modern-slavery; wire the footer links (currently #).Blocker
OG image + JSON-LDCreate og-image.png (1200×630); extend JSON-LD address + sameAs once known.Required
Real URLsCanonical domain; real social URLs with rel="noopener noreferrer".Required
Welsh "coming soon"The language picker must not 404 on a Welsh selection — wire the WD-0001 D-8 holding state.Advised
Pen-test + live reviewCommission a penetration test; audits are advisory. Themis re-checks the live build.Advised

Accessibility is non-negotiable (WCAG 2.2 AA met). Preserve: skip-to-content link, landmark structure + single h1, 3px focus-visible rings (2px offset), explicit image width/height, form label[for] + aria-describedby hints + role="status" confirmation, prefers-reduced-motion, ≥44px touch targets, 16px min input font. Detail in the WCAG audit.

Form & data

Enquiry capture → database → WhatsApp

The enquiry form stores submissions in a database and alerts the team on WhatsApp. The full spec — schema, API contract, security, retention and the SP-0001 compliance map — is in the Form Backend Build Brief. The architecture:

Browser (static, no trackers) │ HTTPS POST (TLS 1.2+) ▼ ┌──────────────────────────────────────────────┐ │ /api/enquiry (UK/EEA region) │ │ origin/CSRF · rate-limit · honeypot │ │ server validation · PII stripped from logs │ └───────────────┬────────────────┬─────────────┘ │ │ write (encrypted at rest) │ trigger only — NO PII ▼ ▼ ┌──────────────────┐ ┌──────────────────────────┐ │ Database (UK/EEA)│ │ WhatsApp Business API │ │ enquiries · RBAC │ │ → alert staff: "new │ └────────┬─────────┘ │ enquiry — open console" │ │ └──────────────────────────┘ Admin console (authenticated) — staff read PII here │ Scheduled job: delete enquiries > retention period

The key decision: a PII-free WhatsApp alert

WhatsApp/Meta sits outside the UK/EEA. The alert carries no enquirer personal data — just "new enquiry + timestamp + reference id". Staff open the authenticated console to read it. This keeps all enquiry PII in the UK/EEA store and keeps Meta out of the enquiry-data chain (no extra transfer mechanism needed).

Recipients are staff, not the enquirer

The notification goes to CyberSight's own staff number(s) — the enquirer is never messaged on WhatsApp. The send is best-effort and decoupled: if WhatsApp fails, the enquiry still stores and is picked up in the console. Never block capture on a notification, never put PII in a retry payload or log.

Hard gate (SP-1): the form must not store or send anything until the Privacy Policy is live and linked. Build capture disabled-by-default and gate it on that. Providers (form/email, hosting, DB, WhatsApp) each need UK/EEA residency + an Art 28 contract on file before use — the form/email and hosting names then fill the brackets in the Privacy Policy (WD-0001 D-3).

Go-Live Gate

All must be true before public launch

From IN-0001. Blocker = hard gate. Return completed items to Themis quoting the item numbers; Themis re-checks the rendered live build before sign-off.

Blockers (hard gate)

  • 1Footer shows the currently-registered company name + number 15312330 + registered office + England & Wales.
  • 2ICO line shows ZC098139.
  • 3Privacy Policy live and linked before any enquiry capture is enabled.
  • 4All uncertified certification badges removed; only held certs shown (with register link); "Working towards" text-only line in place.
  • 5Service-level claims revised and the company holds the substantiating evidence.
  • 6Emergency-response wording qualified in all four locations (stats strip, process step 01, contact line, FAQs 1 & 5).
  • 7Forensic-standards claims at Tier-1; no "court-ready" / badges / expert-witness-as-capability.
  • 8Themis sign-off against the live build recorded.

Required at/before launch

VAT line resolved · form backend meets SP-0001 · Cookie Policy live · Terms live · gov-affiliation disclaimer site-wide.

Advised

Accessibility statement (audit-dated) · Modern Slavery decision · Welsh "coming soon" state · trade-mark clearance · "Website by" credit confirmed.

Outstanding facts

What the Principal still owes

These render as visible [placeholders] today and each swaps in as a one-line config/content change. The full fill-in sheet is the Facts Pack Request — please complete and return it so nothing is missed at the gate.

FactStatus
Registered office addressResolved 12 Jun
Company no. 15312330 · ICO ZC098139In build
Company rename status (Companies House)Gate
VAT number or "not registered"Gate
Site contact email (confirm support@cybersightforensics.com)Needed
Certifications actually held (numbers + dates)Gate
Evidence for each SLA targetGate
FSR activities · ISO 17025 / CREST / NCSC statusGate
Form/email + hosting providers (+ residency, Art 28)Gate · Eng
WhatsApp recipient number(s) + approve PII-free designNeeded
Retention period (confirm 12 months)Gate
Canonical domain · go-live date · social URLsNeeded
Modern Slavery keep/remove · "Website by" credit · Welsh obligation · trade-markDecisions