Implemented application controls
The portal uses authenticated access, role-aware case authorization, consent-gated uploads and processing, encrypted object storage, short-lived upload/download tokens, report release review, audit logging, security headers, request origin checks, app-layer rate limits, and Supabase-backed MFA step-up checks when MFA enforcement is enabled.
Controls being hardened
Broader genome intake depends on private production storage, WAF/rate limiting, separated cloud environments, key management, alerting, backup restore evidence, hardware-key admin MFA in the live identity provider, and a documented break-glass process.
Independent assurance
Certification and audit claims will be made only once supporting evidence exists. The practical next step is Cyber Essentials readiness, followed by Cyber Essentials certification and a lightweight external security review.