Last updated April 19, 2026. See SOC 2 & ISO 27001 readiness for the detailed breakdown of every control.
Recent progress
Since the April 2026 initial audit, the following findings moved to remediated or code-closed:
| Finding | Status | Evidence |
|---|---|---|
| B — PHI column encryption | Code closed; staging backfill scheduled | PR #78 — backfill tasks for OverturnableDenial + ProviderPatientLink |
| G — JWT dual-secret rotation | Closed | PR #76 — jwt.rotation_secret wired; specs prove dual-secret verification |
| H — Org policies gated off | Closed for staging | PR #77 + manual apply; iam.disableServiceAccountKeyCreation + iam.disableServiceAccountKeyUpload both enforce: true on staging |
| E — Formal security policies missing | Drafted and published | 10 new policy pages in this Trust Center + ISP/AUP/risk register v1.0 |
Overall maturity
47 / 100 — Level 2: Repeatable Technical Controls
Denialbase has built a technically strong security foundation — field-level encryption, CMEK key management, VPC-isolated infrastructure, HIPAA audit logging, multi-factor authentication, and an automated CI/CD security pipeline.
However, this evidence is almost entirely technical and code-level. ISO 27001 certification requires a documented, operational ISMS with risk registers, policies, governance records, supplier agreements (BAAs), internal audits, and management reviews — none of which are evidenced today.
With focused governance and documentation effort, our estimated gap to audit-readiness is 6–9 months.
By category
| Category | Score | Status |
|---|---|---|
| Technical security | 78 / 100 | Encryption, auth, network, CI/CD security, secrets — all well implemented. |
| Operations & monitoring | 71 / 100 | Structured logging, HIPAA audit logs, PHI scrubbing, Sentry, DR and backup plans documented. |
| Supplier security | 22 / 100 | BAA tracker exists but no BAAs signed with GCP, Anthropic, Sentry, SES yet. |
| HR / incident response | 18 / 100 | No incident response runbook, no HR security policy, no onboarding/offboarding records evidenced. |
| Governance & policies | 12 / 100 | No ISMS policy, no risk register, no Statement of Applicability, no management review records. |
| Risk management | 10 / 100 | No formal risk assessment, risk treatment plan, or risk acceptance records. |
Findings at a glance
| Severity | Count | Disposition |
|---|---|---|
| Critical | 4 | Must resolve before audit window opens |
| High | 9 | Must resolve before Type I opinion |
| Medium | 11 | Address within 90 days of audit start |
| Low | 6 | Best practice; address in roadmap |
Primary strengths
CMEK everywhere
Customer-managed encryption keys on Cloud SQL, GCS, Redis, and Terraform state — with 90-day automatic rotation.
Pundit + HIPAA audit
48 policy files with globally enforced object-level authorization. Every PHI action is audit-logged with 7-year retention.
WIF + Cloud Armor
Workload Identity Federation means zero long-lived CI/CD keys. Cloud Armor enforces OWASP CRS v3.3 at the edge.
Hardened auth
MFA, passkeys, account lockout, 12-char password policy, rate limiting on every sensitive endpoint.
Open gaps
No BAAs signed
GCP, Anthropic, Sentry, SES. Targeted for Q3 2026.
No Incident Response Plan exercised
Formal IRP documented; tabletop exercise targeted for Q2 2026.
No DR test evidence
Runbook documented; first drill targeted for Q2 2026.
No penetration testing
First third-party pentest targeted for Q3 2026.
Org policies — prod pending
Live in staging since April 19, 2026. Prod promotion targeted after 1–2 week staging soak.
Remediated since the initial audit
PHI column encryption
Code closed — backfill tasks for OverturnableDenial + ProviderPatientLink shipped in PR #78. Staging backfill scheduled.
JWT rotation mechanism
Closed — jwt.rotation_secret wired in PR #76; dual-secret verification covered by specs.
Formal security policies
Published — ISP, AUP, risk register v1.0 + 9 supporting policies. Pending CEO sign-off.
Statement of Applicability
Published — 93 of 97 ISO 27001:2022 Annex A controls mapped with per-control status and evidence.
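As an added illustration of the dual-secret verification behind finding G (example code written for this page, not Denialbase's own code or the contents of PR #76): new tokens are signed only with the current secret, while verification accepts either the current secret or the rotation secret during the overlap, so tokens issued before the rotation stay valid until they expire. The JWT_SECRET constant, the secret names and the constructed secret values are assumptions; only jwt.rotation_secret appears on this page.

```ruby
require 'openssl'
require 'json'

# Constructed secrets for this example: the current signing secret and the
# previous one, kept only so tokens issued before the rotation still verify.
JWT_SECRET          = 'current-secret-constructed-for-example'
JWT_ROTATION_SECRET = 'previous-secret-constructed-for-example'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

def hs256(secret, signing_input)
  OpenSSL::HMAC.digest('SHA256', secret, signing_input)
end

# Constant-time comparison so signature checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# New tokens are always signed with the current secret; the rotation secret is only used to verify.
def issue_token(claims, secret: JWT_SECRET)
  header = b64url_encode(JSON.generate('typ' => 'JWT', 'alg' => 'HS256'))
  body   = b64url_encode(JSON.generate(claims))
  input  = "#{header}.#{body}"
  "#{input}.#{b64url_encode(hs256(secret, input))}"
end

# Tries the current secret first, then the rotation secret; returns the claims plus which secret matched, or nil.
def verify_token(token, secrets: { current: JWT_SECRET, rotation: JWT_ROTATION_SECRET })
  header, body, sig = token.split('.')
  return nil unless header && body && sig
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'HS256' # pin the algorithm
  input = "#{header}.#{body}"
  secrets.each do |name, secret|
    next if secret.nil? || secret.empty?
    next unless secure_equal?(sig, b64url_encode(hs256(secret, input)))
    return { claims: JSON.parse(b64url_decode(body)), secret: name }
  end
  nil
rescue JSON::ParserError, ArgumentError
  nil # malformed header, body or base64 is treated as an invalid token
end
```

Recording which secret matched on each verification tells you when no live tokens depend on the rotation secret any more and it can be dropped from configuration.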