Implemented application controls
The portal uses authenticated access, role-aware case authorization, consent-gated uploads and processing, encrypted object storage, short-lived upload/download tokens, report release review, audit logging, security headers, request origin checks, app-layer rate limits, email-code step-up for report downloads, and Supabase-backed authenticator MFA for privileged actions when MFA enforcement is enabled.
Account security
Customers should keep their email account protected, avoid forwarding portal links, and contact security@spokedna.com if a login link, account, or report access route looks suspicious. We will add stronger self-service account security controls as the portal grows.
Controls being hardened
Broader genome intake depends on private production storage, WAF/rate limiting, separated cloud environments, key management, alerting, backup restore evidence, hardware-key admin MFA in the live identity provider, and a documented break-glass process.
Independent assurance
Certification and audit claims wait until evidence exists. The practical next step is Cyber Essentials readiness followed by Cyber Essentials certification and a lightweight external security review.