← Back to all work
AUDITSECURITYCRM

The CRM that was never
built

A luxury retail client paid for a year of development. What they received was incomplete, insecure, and unshippable. Our 2-day audit changed everything.

Product auditCode reviewCRMLuxury retail2026
CRM audit report preview
2DAYS TO COMPLETE THE FULL AUDIT
4CRITICAL SECURITY VULNERABILITIES FOUND
30%OF CONTRACT VALUE SAVED — THE FINAL PAYMENT NEVER MADE

[ The situation ]

A year of payments.
Zero working product.

Our client operates in the high-end resale market — authenticated luxury goods, private clientele, and transactions where trust and discretion are non-negotiable. The business handles a curated inventory of premium items and maintains long-term relationships with high-net-worth buyers who expect the same level of service they receive from the brands themselves.

Thirteen months prior, they had signed a contract with an IT company to build a custom CRM — client profiles, purchase history, inventory management, and transaction records. The agreed timeline was five months. The budget was fixed.

Five months passed. The product wasn't delivered. Instead of a working CRM, the client received a revised proposal — with the price doubled. The original team was replaced. Work continued. Eight months later, the new team reported they were “almost done.” The client had now been waiting over a year, had paid a substantial portion of the inflated budget, and still had nothing functional in hand. They reached out to us for one thing: an honest assessment of what had actually been built.

[ How it unfolded ]

Twelve months of missed
milestones

[ MONTH 1–2 ]

Contract signed, development begins

Contract agreed on a fixed budget and a 5-month delivery timeline. Initial architecture discussions held, first wireframes delivered.

[ MONTH 5 ]

Deadline missed — price doubled

No working product delivered. The original team presents a revised proposal: the scope “turned out to be larger than expected.” New price — double the original. The client, already invested, agrees under pressure.

[ MONTH 6 ]

Original team replaced

The vendor swaps the development team without clear explanation. Promises are reset. A new timeline is given.

[ MONTH 13 ]

“Almost ready” — again

Eight months after the team change, the new team reports the product is nearly complete. No demo. No delivery date. The client has now been waiting over a year and paid the majority of the inflated budget.

[ DAY 1–2 ]

Codeit Dynamics audit begins

Our team receives full access to the codebase, database, and architecture documentation. Deep technical review starts immediately.

[ What we found ]

The audit results were alarming

In 48 hours, our engineers completed a full review of the codebase, database structure, API layer, and security configuration. What we found went far beyond “unfinished.” The product had fundamental architectural and security failures that would have put the client's business — and their customers — at serious risk.

CRITICAL

Customer data exposed

Client records, purchase history, and personal details were stored without proper access controls — effectively accessible without authentication.

CRITICAL

Fragmented, disconnected codebase

The system was built in isolated pieces with no unified architecture. Modules didn’t communicate reliably, causing constant crashes and data loss.

CRITICAL

No security layer

Basic protections — input validation, encrypted storage, session management — were either missing or incorrectly implemented.

CRITICAL

~20% completion, not 80%

Despite claims of being “almost ready,” the actual functional completion was estimated at under 20%. Core CRM workflows were entirely absent.

[ Our deliverable ]

A 48-hour audit that saved a year of future losses.

We delivered a full written audit report with a detailed breakdown of every finding, severity level, and its business impact. The report was structured to be understood by both the client's technical team and legal counsel — because what we found wasn't just a technical problem.

Our conclusion was clear: the existing codebase was not salvageable without a complete rebuild. The security issues alone would require dismantling and replacing core components. Starting fresh was the only responsible path forward.

  • Full written technical audit with every finding documented
  • Severity levels and business-impact analysis
  • Codebase, database, API, and infrastructure review
  • Security vulnerability report
  • Independent completion estimate
  • Clear recommendation for the client and legal team
  • Evidence supporting contract termination

[ Outcome ]

The client walked away. With leverage.

Armed with our technical audit report, the client had documented, independent proof that the contracted deliverable had not been met — and that what had been built posed active risks to their business and their customers' data. The contract was terminated. The final 30% payment — due upon product acceptance — was never made.

The client avoided an outcome that would have been far worse: launching a broken, insecure CRM with real customer data, and discovering the vulnerabilities only after a breach.

Two days of independent review gave the client everything they needed to make a clear, informed decision — and act on it.

Built with

Next.js
React
TypeScript
Figma
Prisma
PostgreSQL
Vercel
AI / LLM

READY TO SHIP?

Concerned about a project in
progress?

Tell us about your project. We'll come back within 24 hours with a plan, a timeline, and a price.