How NECC Delivers Compliant Infrastructure for Global Autism Education.

NECC needed to meet HIPAA and UAE data protection requirements and was also looking to increase development velocity while maintaining performance. Their setup spanned across three jurisdictions with a lean engineering team and no dedicated DevOps specialists. Cycle gave them the container orchestration and hands-on support to do it without the complexity of Kubernetes.

Industry

Healthcare Technology

Size

15,000+ users

Operations

New England (USA), Abu Dhabi, Dubai, and global clients

necc-1-dark

The Company

Currently celebrating its 50th anniversary, The New England Center for Children (NECC)’s mission is helping children with autism reach their potential. Alongside its flagship campus in New England, the organization operates an institute and school in Abu Dhabi and a clinic in Dubai, which serve clients around the world.

At the heart of its technology operation is its ACE ABA Software System, a proprietary software platform that supports the teaching methodology that NECC has refined over decades. Joe Toubia, who joined as CTO in early 2025, oversees both ACE and an engineering team of between 10 and 15 people within a broader organization of around 40. Attempts to increase development velocity had come at the expense of platform stability. So Toubia’s mandate was to restore stability, then build the development velocity that growth would require, without compromising the security and compliance obligations that NECC’s users demand. As part of these efforts, “there has been a great consolidation around Cycle,” Toubia says.

When Your Data is Particularly Sensitive

Since the NECC works directly with children, collecting and storing sensitive records about learners who fall under both educational and healthcare obligations, it must conform to stringent data protection requirements: the HIPAA (Health Insurance Portability and Accountability Act) in the United States, and equivalent data protection frameworks in Abu Dhabi and the UAE.

Data residency is the most obvious. Regulations in different jurisdictions determine where data can physically live and who has the right to access it. At the most demanding end of interpretation, this means entirely separate database clusters per region with no cross-border replication. NECC manages the non-technical dimension such as document and file sharing, identity, and access management, through Microsoft’s ecosystem. That provides data residency in the relevant regions and allows NECC to operate separate tenants with appropriate controls for each organizational entity.

NECC’s challenge was how to meet these requirements with a lean engineering team, without building the kind of specialized DevOps capability that compliance infrastructure can demand.

Choosing Cycle

Cycle was already part of the NECC stack when Toubia joined, selected by his predecessor in the hope of reducing the decision burden of running containers at scale. “If you’re going to do Kubernetes, you’ve got to make 20 different decisions,” Toubia explains. “But the DevOps team here are not equipped or skilled enough to accurately make those decisions and live by them.” Cycle was the alternative that didn’t require NECC to become infrastructure experts.

When he arrived, Toubia found a platform he could build on — and a support team willing to engage with challenging problems. His central concern was the treatment of traffic inside Cycle’s own network. “Most cyber attacks come from the inside,” he notes. A compromised container that could eavesdrop on, or tamper with, its neighbors represents a real risk in a system carrying sensitive learner data. That assumption drove a detailed technical conversation with Cycle’s team that shaped the resulting architecture.

"We moved one of our platforms to AWS and didn't want to use Kubernetes. Nor did we want to make a bunch of DevOps decisions on which bundle of tools to use with it. With Cycle, we gained a streamlined PaaS that enabled us to move faster from day one."
JT
Joe Toubia
CTO//NECC

The Architecture

NECC is roughly 80% of the way through migrating from a legacy Java monolithic web app to a set of Python microservices. The target architecture segments the application by domain: each logical area of the product has its own frontend, and related backend, services. Those services are loosely coupled and independently deployable, but logically grouped in a way that lets any one part of the system change without touching the rest. A MySQL database sits underneath. 

The application infrastructure is separate from the Microsoft ecosystem: AWS provides the compute layer; Cycle sits above it as the PaaS layer, handling container orchestration and CI/CD. Cloudflare handles the edge: CDN, DDoS mitigation, and rate limiting. Rather than using Cycle’s DNS features, NECC runs a Cloudflare agent as a tunnel outbound from Cycle to Cloudflare, keeping the perimeter clean without exposing ports directly to the public internet.

The security architecture inside Cycle is where Toubia has invested the most. TLS is not offloaded at the load balancer. Every container carries its own TLS certificate pair, rotated using Cycle’s scope variables. No container trusts communication with another by default. When container A needs to talk to container B, A must first authenticate its own identity; B must then verify that A is authorized to make that connection. This pattern of mutual authentication and per-service authorization is implemented using a locally hosted Keycloak instance. “I have all three baked in within Cycle — the tunnelling through TLS, authentication through Keycloak, and authorization within each service”, explains Toubia.

Access policy is equally strict outside containers. There is no VPN, jump box, or backdoor access to any environment. Engineers and administrators reach systems through the same front door that customers use. “There’s no back door — it’s a potential weak link,” Toubia says.

The CI/CD pipeline reflects the same philosophy. Source code is managed in Bitbucket, with runners hosted inside Cycle. Before any build is promoted, the pipeline runs static code analysis — now handled by Claude, replacing a previous SonarQube subscription — and CVE scanning against container images using Trivy and Docker’s own tooling. Images that pass those checks are saved in Cycle’s image store, eliminating the need for a separate registry. Penetration testing runs continuously against what is publicly exposed; performance testing gates every promotion before a service reaches customers.

The Results

For a team of 10 to 15 engineers carrying compliance obligations across three jurisdictions, that architecture represents a significant investment. But the return is measurable on several fronts:

  • Cost consolidation: Cycle’s image store and build cache replaced two separate tools: Cloudsmith, which NECC had been using as a container registry; and Depot, which had been providing build acceleration. SonarQube was retired in favour of Claude for static code analysis. Bitbucket runner costs fell by hosting runners inside Cycle rather than paying for native Bitbucket infrastructure.
  • Security as a first-class capability: “Security has been baked in as a first-class capability,” Toubia says. “It’s a feature, not an afterthought.” The multi-layer architecture — Cloudflare at the edge, mutual TLS between containers, Keycloak-based authentication, no-VPN access policies, and a pipeline with mandatory security gates — means the attack surface is narrow and well understood. Regular penetration testing validates the perimeter; the internal network is hardened independently of whatever reaches it from outside.
  • Operational transparency: Before Cycle, the stack was opaque. Container logs were accessible only to DevOps engineers, and even then with limited insight into what was happening on the underlying infrastructure. Cycle’s dashboard gives engineers direct visibility into container state, logs, and configuration, with underlying AWS resource utilization visible alongside. “It’s just wonderful visibility,” Toubia says.
  • A platform for development velocity: With stability restored, Toubia is using Cycle to accelerate the remaining microservices migration and shorten development cycles. Consistent environments across development, test, and production — combined with automated promotion gates — give the team the confidence to move faster without reintroducing the previous instability.
  • Support as extended capability: For a lean team without dedicated infrastructure specialists, perhaps the most important benefit is the least tangible.
“Their customer support is stellar,” Toubia says. “I can get hold of them at any time. They go into application-level issues that aren’t even Cycle’s problem. They’re diligent. They feel like another extension of the team.”

The alternative — hiring expert-level DevOps engineers and making all 20 of those Kubernetes decisions independently — would cost significantly more and introduce its own complexity.

“I don’t know why Cycle doesn’t promote it more,” Toubia reflects. “It’s like your team away from home. Cycle has pulled these experts together so you don’t need to worry about making big DevOps-style decisions. That’s really good for operations that don’t have the experts and don’t want to hire them.”

The next challenge on NECC’s roadmap is post-quantum cryptography. As quantum-resistant encryption standards mature and browser support expands, Toubia plans a hybrid approach — adopting early post-quantum protocols alongside current TLS — to prepare for a transition that may still be years away, but is worth starting now. It is forward-looking, and consistent with an organization that treats security not as a cost of doing business, but as a capability in its own right.

NECC serves children with autism and their families across the United States, Abu Dhabi, Dubai, and internationally, through a combination of direct education, research, and a proprietary learning platform used by practitioners worldwide.

Cookies

Cookies Preferences

We run basic, anonymous analytics by default to measure site traffic. By clicking "Accept," you allow additional cookies for advanced app improvements and tailored advertising. Choose what you share by clicking "Customize."