Self-assessment — not a certified audit
This is a structured self-assessment performed by the Zenlo team against recognized public security standards. It is NOT a certified or independent third-party audit. We publish it openly as part of our transparency commitment, and will commission an independent audit before enterprise due diligence.
Why we publish this
Zenlo Labs is a physician-only clinical decision support (CDS) platform that processes laboratory data that may include protected health information (PHI). We trade FDA clearance for radical transparency — we publish validation audits (model cards, NHANES harness) and our security posture. This page is that security self-assessment.
The three standards we assess against
There is no single security standard that covers application code, cloud infrastructure, and regulatory compliance together. We self-assess against three recognized frameworks, each addressing a different layer.
OWASP ASVS 5.0 (May 2025) — application & code layer
The Application Security Verification Standard defines roughly 350 requirements across 17 chapters for secure application design and implementation. No official certification exists; verification is by self-assessment and penetration testing. We target Level 1, and Level 2 where feasible.
Supabase Production + HIPAA Hardening Checklist — infrastructure/data layer
Supabase is SOC 2 Type 2 certified at the platform level. The customer is responsible for Row Level Security (RLS), SSL enforcement, Point-in-Time Recovery (PITR), network restrictions, MFA, service-role key handling, Security Advisor review, and — for PHI — a Supabase Business Associate Agreement (BAA), which requires a Team Plan.
HIPAA Security Rule (45 CFR Part 164) — compliance layer
Administrative, Physical, and Technical safeguards for electronic protected health information (ePHI). A 2025 OCR Notice of Proposed Rulemaking (NPRM) proposes stronger requirements; the current rule remains in effect. We assess against the current rule and note the proposed delta where relevant.
Compliance instruments
Factual status of agreements and controls — gaps are documented openly, not hidden.
| Instrument | Status | Notes |
|---|---|---|
| Anthropic BAA | Signed | Fully signed under Zenlo LLC, May 6 2026; Zero Data Retention active. |
| Zero Data Retention (ZDR) | Active | Anthropic API configured so PHI is not retained in model-provider logs or used for training. |
| Supabase BAA | Not yet in place | Requires Supabase Team Plan; deferred until enterprise due diligence — documented as an open gap. |
| Vercel BAA | To confirm | Status under review. |
| HIPAA posture | HIPAA-aligned design (not "HIPAA compliant") | Documents which Security Rule safeguards are implemented vs pending. |
Assessment areas & schedule
The assessment is performed in five areas. Each is dated when performed and its findings published here. The first cycle (areas 1–4) was self-assessed on 2026-05-22; remediation and re-test (area 5) is the next phase.
| Area | Standard | Date performed | Status | Findings summary |
|---|---|---|---|---|
| Database posture (RLS, policies, functions) | Supabase + ASVS Access Control | 2026-05-22 | Performed | RLS enabled on all 15 tables; PHI isolated per-doctor; no overly broad policies on PHI tables; 1 SECURITY DEFINER function with locked search_path. Findings: dead duplicate RLS policies (the predicate auth.uid() = doctor_id compares an auth user id with a doctor id and so is always false; isolation actually works via the current_doctor_id() policies) — Medium; redundant grants on 5 deny-all tables — Low; mutable search_path on 2 functions — Low. |
| Application code review | OWASP ASVS 5.0 | 2026-05-22 | Performed | 0 Critical, 5 High, 6 Medium. No hardcoded secrets, no auth backdoor, input validation solid, service-role server-only. Findings: Next.js 14.2.35 CVEs — High; incomplete middleware auth envelope (per-route checks cover it) — High; action-plan routes rely on RLS only — Medium; engineering errors/stack surfaced to client/DB — Medium; no CSP/X-Frame headers (HSTS present) — Medium; npm audit debt (2 critical from unused deps) — Medium. |
| Platform settings (MFA, SSL, PITR, network) | Supabase + Vercel hardening | 2026-05-22 | Performed | Postgres 17.6, SSL on, extensions clean, deployment protection on, HSTS present, /api/seed inert (secret unset), no secrets in client bundle (verified). Findings: MFA off on Supabase — High; SSL enforcement toggle off — Medium; no network restrictions — Medium; no PITR (daily only) — Medium; public bucket allows file listing — Medium; leaked-password protection off — Low. Plan=Pro (Supabase BAA needs Team). |
| Compliance mapping | HIPAA Security Rule | 2026-05-22 | Performed | Mapped to Administrative/Physical/Technical safeguards. Physical = provider-inherited (Vercel/Supabase/AWS SOC 2). Access Control + Integrity Met. Audit Controls Partial (app-level yes, pgaudit off). Authentication Partial (MFA off). Transmission Partial (HTTPS+HSTS yes, SSL-enforce off). BAA: Anthropic signed + ZDR active; Supabase BAA not in place (gap). Posture: HIPAA-aligned, NOT HIPAA-compliant. |
| Remediation & re-test | All | — | Pending | Scheduled — 19 prioritized remediation items identified; fixes and re-test to follow. |
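As an added illustration (not Zenlo's schema, policies or code), the SQL below sketches the pattern the database-posture row describes: a per-doctor isolation policy driven by a SECURITY DEFINER `current_doctor_id()` helper with a pinned `search_path`, removal of an always-false `auth.uid() = doctor_id` policy, and two catalog queries a reviewer can run to re-check both the dead-policy and the mutable-search_path findings. `auth.uid()`, `doctor_id` and `current_doctor_id()` come from the assessment; the table and policy names (`doctors`, `lab_results`, `lab_results_own_rows`, `lab_results_auth_uid`) and the column `auth_user_id` are assumptions made for the example.

```sql
-- Assumed schema (example only): doctors has its own id plus a pointer to
-- auth.users; PHI rows reference doctors.id, NOT the auth user id.
create table if not exists public.doctors (
  id           uuid primary key default gen_random_uuid(),
  auth_user_id uuid not null unique references auth.users(id)
);

create table if not exists public.lab_results (
  id        bigint generated always as identity primary key,
  doctor_id uuid not null references public.doctors(id),
  payload   jsonb not null
);

alter table public.lab_results enable row level security;

-- Maps the signed-in auth user to their doctors.id. SECURITY DEFINER lets it
-- read doctors regardless of RLS on that table; search_path is pinned to ''
-- so a caller cannot shadow "doctors" or "uid" through a schema they control.
-- Every object reference inside is schema-qualified for the same reason.
create or replace function public.current_doctor_id()
returns uuid
language sql
stable
security definer
set search_path = ''
as $$
  select d.id from public.doctors d where d.auth_user_id = auth.uid()
$$;

-- EXECUTE is granted to PUBLIC by default; restrict it to signed-in users.
revoke all on function public.current_doctor_id() from public;
grant execute on function public.current_doctor_id() to authenticated;

-- The policy that actually isolates PHI per doctor (read and write paths).
create policy lab_results_own_rows on public.lab_results
  for all to authenticated
  using (doctor_id = public.current_doctor_id())
  with check (doctor_id = public.current_doctor_id());

-- Dead policy of the kind flagged (shape assumed from the finding):
--   create policy lab_results_auth_uid on public.lab_results
--     using (auth.uid() = doctor_id);
-- doctor_id holds a doctors.id, never an auth.users.id, so it never matches.
-- Permissive policies are OR-ed, so it grants nothing, but it misleads a
-- reviewer into thinking auth.uid() is the isolation key. Drop it.
drop policy if exists lab_results_auth_uid on public.lab_results;

-- Fix pattern for functions flagged with a mutable search_path:
--   alter function public.<name>(<args>) set search_path = '';

-- Audit query 1: every policy in public with its predicates, so a reviewer
-- can spot always-false (dead) or always-true (over-broad) clauses.
select tablename, policyname, permissive, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
order by tablename, policyname;

-- Audit query 2: plain functions in public that do not pin search_path
-- (proconfig holds the function's SET clauses; prosecdef marks SECURITY DEFINER).
select n.nspname, p.proname, p.prosecdef, p.proconfig
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and p.prokind = 'f'
  and (p.proconfig is null
       or not exists (select 1 from unnest(p.proconfig) cfg
                      where cfg like 'search_path=%'))
order by p.prosecdef desc, p.proname;
```

Run the two audit queries as a privileged role in the SQL editor; a SECURITY DEFINER row returned by the second query is the higher-priority one to fix, since that function runs with its owner's rights.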
Findings Summary (2026-05-22)
The first self-assessment cycle was performed on 2026-05-22 across four areas. No Critical findings were identified. The posture is early-stage and HIPAA-aligned, not yet HIPAA-compliant; appropriate for a pre-revenue stage operating on synthetic demonstration data (no real patient PHI in the system yet).
- No Critical findings. PHI isolation works, no secrets in client bundle, no unauthenticated PHI access, seed endpoint inert.
- High: Enable MFA (Supabase); plan the Next.js upgrade from 14.2.35 to a release that fixes the identified CVEs; formalize middleware auth coverage; Supabase BAA + Team plan before first real PHI.
- Medium: SSL enforcement; network restrictions; Point-in-Time Recovery; tighten public bucket listing; app-level ownership checks on action-plan routes; sanitize errors at API/DB; add security headers (CSP, X-Frame-Options, etc.); set function search_path; remove dead RLS policies; enable/document audit controls.
- Low: leaked-password protection; remove dead dev-auth shim; remove unused dependencies; revoke redundant table grants; document incident response.
These items are tracked for remediation. This page will be updated with re-test results and dates as fixes land.
What this report does NOT claim
- This is not a certified security audit.
- This is not a declaration of HIPAA compliance or regulatory compliance.
- This is not a third-party or independent audit — it is self-assessed by the Zenlo team.
- This does not guarantee PHI safety; it documents controls implemented and gaps identified.
- Supabase BAA is not yet in place — an open gap documented above until enterprise due diligence.
- Clinical validation and efficacy claims (F1, NHANES prevalence) live in the validation audit pages; this page covers security posture only.