Security at Zeph
Built security-first for HIPAA, CJIS, and forensic data. Every layer — from authentication to audit logging — is designed for regulated environments and legal defensibility.
We believe in transparency. This page reflects our honest, current security posture — including what we haven't yet completed. All claims link to source documentation.
CSA STAR
Level 1 — Self-Assessment
Cloud Security Alliance
View listing
CMMI-DEV
Level 3 — Defined
97/100 · Theoris V3.0 Worksheet
Process maturity verified
Compliance Framework Alignment
Percentages reflect application-layer controls only. Physical security, workforce training, and organizational policies are the deploying organization's responsibility. Full mapping documents are available in our documentation.
45 CFR Part 164
HIPAA Security Rule
app-layer controls
24 of 25 applicable technical and administrative controls implemented. Field-level PHI encryption, audit logging, RBAC, MFA, and session management fully addressed.
v5.9.2 (FBI)
CJIS Security Policy
app-layer controls
Advanced authentication (MFA), AES-256 encryption at rest and in transit, immutable audit trail, RBAC with least privilege, and media protection via ClamAV.
Annex A Controls
ISO 27001:2022
of 66 applicable controls
58 of 66 applicable controls substantially or fully addressed. Gaps in supplier management, data classification labels, and independent third-party review — documented transparently in our ISO mapping.
February 2024
NIST CSF 2.0
of scoped controls addressed
76 of 82 scoped application-layer controls fully or partially addressed. 57% fully implemented. No gaps remain in DETECT, RESPOND, or RECOVER. Formal IS policy, risk register, and incident catalog in place.
Self-Assessment · V3.0
CMMI-DEV Level 3
out of 100 (Level 3 band: 76–99)
All seven Level 2 practice areas satisfied, scoring 97/100 on the Theoris CMMI V3.0 Development self-assessment. Score places Zeph CMS in the Level 3 — Defined tier: proactive processes, organization-wide standards, continuous improvement across 150+ versioned releases.
HL7 FHIR MDI Implementation Guide
Interoperability StandardZeph produces FHIR R4 Bundles conforming to the HL7 Medicolegal Death Investigation IG — the emerging federal standard for ME/coroner data exchange. 6 StructureDefinition profiles implemented, covering Patient, Practitioner, Observations (cause of death, manner of death, toxicology), Composition (LOINC 86807-5), and Bundle. State EDRS adapters for California, New York, and West Virginia ship in-box.
View full FHIR MDI conformance statementNIST Cybersecurity Framework 2.0
NIST CSF 2.0 (February 2024) introduced GOVERN as a sixth function alongside Identify, Protect, Detect, Respond, and Recover. Our alignment is honest: the PROTECT function is strong; DETECT and GOVERN are our primary improvement targets.
Govern
Risk strategy, policy, supply-chain risk
Formal IS policy (ISMS-POL-001), risk register with L/I scoring, documented risk appetite, and annual review cadence fully address the core GOVERN controls. Supply chain governance (vendor assessments) is the remaining gap.
Identify
Assets, risk assessment, improvement
Complete software asset inventory (SBOM + CODEBASE_INVENTORY.md), PHI data mapping, formal risk register with L/I scoring, and multi-layer vulnerability scanning (CodeQL, ZAP, npm audit). Only gap: threat intelligence feed.
Protect
Identity management, data security, protective technology
AES-256-GCM PHI encryption, RBAC + MFA, rate limiting, ClamAV scanning, SHA-256 audit chain, formal IS policy (PR.PS-01), and documented recovery plans all fully implemented. Gaps: user security training delivery.
Detect
Anomalies, security monitoring, detection processes
Zero gaps. Security posture dashboard automates adverse event analysis. Audit NDJSON export enables SIEM aggregation. Full personnel activity monitoring via audit trail. Improvement targets: formal baseline documentation, automated escalation.
Respond
Response planning, analysis, mitigation
Zero gaps. Session revocation, user suspension, legal hold provide instant containment. SHA-256 audit chain enables forensic analysis. Incident catalog documents 7 patterns. Improvement targets: automated escalation, on-call rotation.
Recover
Recovery planning, improvements, communications
Zero gaps. DR plan with weekly CI-automated restore testing. Vulnerability remediation CI-gated. Recovery integrity verified automatically. Improvement targets: communication automation, completed tabletop exercises.
About this assessment
This is a self-assessment against NIST CSF 2.0 covering application-layer controls only. 93% of scoped controls are substantially or fully addressed. 57% are fully implemented. DETECT, RESPOND, and RECOVER have zero remaining gaps. GOVERN and IDENTIFY are strong following formal IS policy and risk register publication. Supply chain governance and a threat intelligence feed are the primary remaining gaps. An independent third-party security assessment has not been completed as of this version.
What We've Built
Every control below is implemented in the codebase and CI-tested — not a checkbox exercise. Source file citations are in our internal security documentation.
Authentication & Identity
- scrypt password hashing (64-byte key, timing-safe comparison)
- TOTP multi-factor authentication — off / optional / required per policy
- Refresh token rotation with reuse detection and family revocation
- Account lockout after configurable failed-attempt threshold
- Password history enforcement (last 5 passwords)
- 12-character minimum, mixed-case, digit, and special-char requirements
- JWT 8-hour lifetime; automatic 401 → redirect on expiry
- OIDC/SAML SSO — architecture complete; full implementation available as a paid add-on (v1.1+)
Access Control & Authorization
- 7-role RBAC: ADMIN, MEDICAL_EXAMINER, INVESTIGATOR, FORENSIC_TECHNICIAN, OFFICE_STAFF, CERTIFIER, COMPLIANCE_OFFICER
- 10+ granular permissions enforced on every API route
- Per-module entitlement gating — disabled modules return 403, not 404
- Office-scoped data isolation — users only see their assigned office's data
- Bootstrap endpoint single-use guard (no users → only path to admin)
- IP allowlist with CIDR range support and 60-second cache
- ADMIN-only session management: view and terminate any active session
Data Protection & Encryption
- AES-256-GCM field-level PHI encryption — SSN, DOB, address encrypted at rest
- Encryption key rotation endpoint re-encrypts all PHI in place
- TLS 1.2+ (TLS 1.3 preferred) for all connections; WSS for WebSockets
- HSTS, X-Frame-Options, CSP, X-Content-Type-Options security headers
- UUID-keyed S3 storage prevents path traversal; original filename stored separately
- SSE-KMS encryption on all S3 PutObject operations
- Backup encryption matching production storage configuration
Audit Trail & Integrity
- SHA-256 hash-chained audit log — every record links cryptographically to the prior one
- Before/after payload recording for all mutations
- Actor, IP address, timestamp, and resource ID on every event
- No DELETE endpoint on audit records — append-only by design
- SIEM-compatible NDJSON export (Splunk, ELK, Datadog)
- Audit chain integrity verification endpoint for compliance checks
- Legal hold prevents case deletion; hold audit-logged with timestamps
File & Upload Security
- ClamAV virus scanning on every upload — infected files rejected before S3 write
- Magic-byte MIME sniffing — content-type spoofing rejected
- PDF structure validation — embedded JavaScript rejected
- Image dimension limits (max 65,535 × 65,535 px, 400 MP total)
- Per-document-type size limits across 14 file categories (max 2 GB)
- SSRF protection on webhook URLs — blocks RFC 1918, loopback, metadata IPs
- Zod schema validation on every POST/PUT/PATCH endpoint body
Operational Security
- Rate limiting on all 13 auth POST endpoints (10 req/min auth, 30/15 min refresh)
- Global rate limiting at 1,000 req/min per IP
- CORS restrictive — only FRONTEND_URL origin allowed in production
- Default admin password change enforced on first login (mustChangePassword)
- Health endpoints: /health/live, /health/ready, /health/deep
- Prometheus /metrics for request counts, latencies, and error rates
- Structured Pino logging with request correlation IDs
Automated Security CI
Security is not a manual gate — it's enforced in CI on every PR, every push, and on a weekly schedule.
CodeQL Static Analysis
ActiveRuns on every PR and push. Zero critical findings.
OWASP ZAP Scan
WeeklyWeekly passive + active scan against OpenAPI spec. SARIF uploaded to GitHub Security.
Dependency Audit
Per PRnpm audit --audit-level=high on every PR. Fails on HIGH or CRITICAL CVEs in prod deps.
Secret Scanning
Per PRTruffleHog on every PR/push + pattern checks for committed .env files and hardcoded keys.
Restore Test
WeeklyWeekly CI workflow: seed → backup → wipe → restore → verify every row. Real PostgreSQL.
GPG-Signed Releases
Per releaseSHA256SUMS.txt + SHA256SUMS.asc (detached, ASCII-armored) on every tagged release.
OWASP Top 10 (2021) Self-Assessment
OWASP (Open Web Application Security Project) Top 10 is a free, publicly maintained standard representing the most critical web application security risks. This is a self-assessment mapping each category to specific implemented controls. Zeph also runs automated OWASP ZAP scans weekly.
Broken Access Control
Mitigated- 7-role RBAC enforced on every API route (ADMIN, MEDICAL_EXAMINER, INVESTIGATOR, FORENSIC_TECHNICIAN, OFFICE_STAFF, CERTIFIER, COMPLIANCE_OFFICER)
- Office-scoped data isolation — users cannot access data from other offices
- IP allowlist with CIDR support and 60-second cache
- ADMIN-only session management: view and terminate any active session
- Per-module entitlement gating — disabled modules return 403, not 404
- Bootstrap guard: admin creation only available before any users exist
Cryptographic Failures
Mitigated- AES-256-GCM field-level encryption for all PHI (SSN, DOB, address) at rest
- scrypt password hashing (64-byte key, timing-safe comparison) — no MD5/SHA-1
- TLS 1.2+ enforced for all connections; TLS 1.3 preferred; WSS for WebSockets
- SSE-KMS encryption on all S3 PutObject operations
- HSTS header enforced to prevent protocol downgrade attacks
- Encryption key rotation endpoint re-encrypts all PHI in place
Injection
Mitigated- Prisma ORM used throughout — all queries are parameterized, no raw SQL string concatenation
- Zod schema validation on every POST/PUT/PATCH request body before any DB touch
- PDF structure validation — embedded JavaScript rejected on upload
- Magic-byte MIME sniffing — content-type spoofing blocked
- OWASP ZAP active scan runs weekly against the OpenAPI spec
Insecure Design
Mitigated- Threat model documented in security architecture; risk register maintained
- SHA-256 hash-chained audit log — append-only, no DELETE endpoint on audit records
- Legal hold prevents case deletion; hold is itself audit-logged
- Field-level PHI encryption applies principle of defense-in-depth
- Checklist closure gate — cases cannot be closed with missing required fields
- Document purge blocked (423) when legal hold is active
Security Misconfiguration
Mitigated- CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers on every response
- CORS restrictive — only FRONTEND_URL origin allowed in production
- Default admin password change enforced on first login (mustChangePassword flag)
- ClamAV virus scanning rejects infected files before storage write
- Global rate limiting at 1,000 req/min per IP; per-route limits on auth endpoints
- Health endpoints expose no sensitive configuration data
Vulnerable and Outdated Components
Mitigated- npm audit --audit-level=high runs on every PR; HIGH/CRITICAL CVEs block merge
- CycloneDX SBOM published with every release — full dependency inventory
- TruffleHog secret scanning on every PR and push
- SHA-256 release artifact verification and GPG-signed checksums
- Dependency pinning in package-lock.json; no float ranges in production deps
Identification and Authentication Failures
Mitigated- scrypt password hashing — resistant to brute force and GPU attacks
- TOTP multi-factor authentication — off / optional / required per org policy
- SMS MFA via Twilio as an alternative second factor
- Refresh token rotation with reuse detection and full family revocation on compromise
- Account lockout after configurable failed-attempt threshold
- Password history enforcement (last 5 passwords); 12-char minimum with complexity rules
- JWT 8-hour lifetime; automatic 401 redirect on expiry
Software and Data Integrity Failures
Mitigated- SHA-256 hash-chained audit log — each record cryptographically links to the prior one
- Audit chain integrity verification endpoint for compliance checks
- SHA-256 verified release artifacts — SHA256SUMS.txt covers every download
- GPG-signed SHA256SUMS.asc — verify releases were built by Zeph Tech
- CycloneDX SBOM with every release — detect tampered dependencies
- Before/after payload recording for all mutations — detect unauthorized changes
Security Logging and Monitoring Failures
Mitigated- SHA-256 chained audit log records actor, IP, timestamp, resource ID, before/after payload
- NDJSON audit export — Splunk, ELK, Datadog ingestion ready
- Prometheus /metrics endpoint for request counts, latencies, and error rates
- Structured Pino logging with request correlation IDs
- Failed authentication attempts logged with IP address
- Security posture dashboard automates adverse event review
Server-Side Request Forgery (SSRF)
Mitigated- SSRF protection on all webhook URL inputs — RFC 1918 private ranges blocked
- Loopback addresses (127.0.0.1, ::1) blocked on outbound requests
- Cloud metadata IP ranges (169.254.169.254) blocked
- UUID-keyed S3 storage prevents path traversal — original filename stored separately
Automated validation: OWASP ZAP passive and active scans run weekly against Zeph's OpenAPI specification. SARIF results are uploaded to GitHub Security and reviewed before each release. Zero unresolved HIGH or CRITICAL findings.
CJIS Security Policy — Policy Area Breakdown
The FBI CJIS Security Policy (v5.9.2) defines 13 policy areas for systems that access or exchange criminal justice information. Many ME/coroner offices share data with law enforcement, making CJIS alignment a common procurement requirement. This is a self-assessment of Zeph's application-layer controls against each policy area.
PA 3 — Incident Response
AddressedIn-app incident catalog, session revocation (instant containment), user suspension workflow, SHA-256 audit chain for forensic reconstruction, documented runbook.
PA 4 — Auditing and Accountability
AddressedSHA-256 hash-chained audit log with actor, IP, timestamp, resource ID, and before/after payload on every event. Append-only — no DELETE on audit records. SIEM-compatible NDJSON export. Chain integrity verification endpoint.
PA 5 — Access Control
Addressed7-role RBAC enforced on every API route. 10+ granular permissions. Office-scoped data isolation. IP allowlist with CIDR support. Least-privilege by default — disabled modules return 403.
PA 6 — Identification and Authentication
Addressedscrypt password hashing (64-byte key). TOTP + SMS MFA (off / optional / required per policy). Account lockout after configurable attempts. Password history (last 5). 12-char minimum with complexity rules. Refresh token reuse detection.
PA 7 — Configuration Management
AddressedCI/CD pipeline enforces security gates on every PR. CycloneDX SBOM with every release. GPG-signed SHA-256 checksums. Versioned releases with full changelog. Default admin password change enforced on first login.
PA 8 — Media Protection
AddressedClamAV virus scanning on every upload before storage write. SSE-KMS encryption on all S3 PutObject operations. UUID-keyed storage prevents path traversal. Magic-byte MIME sniffing blocks spoofed content types.
PA 10 — Systems and Communications Protection
AddressedTLS 1.2+/1.3 for all connections; WSS for WebSockets. AES-256-GCM PHI encryption at rest. HSTS, CSP, X-Frame-Options, X-Content-Type-Options headers. CORS restricted to configured origin. SSRF protection on all outbound URLs.
PA 13 — Mobile Device Management
Org ResponsibilityZeph is a browser-based application. Mobile access is controlled via IP allowlist and MFA policy. MDM enrollment and device-level controls are the deploying organization's responsibility.
PA 2 — Security Awareness Training
Org ResponsibilityZeph ships with a built-in knowledge base (16+ articles) and contextual help panels. Formal security awareness training delivery and recordkeeping are the deploying organization's responsibility.
PA 1 — Information Exchange Agreements
Org ResponsibilityTechnical controls for data sharing (RBAC, audit log, encryption) are implemented. Formal Information Exchange Agreements between agencies are a legal/organizational responsibility.
PA 9 — Physical Protection
Org ResponsibilityZeph runs on infrastructure you control. Physical protection of servers, workstations, and network equipment is the deploying organization's responsibility.
PA 12 — Personnel Security
Org ResponsibilityBackground checks, separation of duties agreements, and personnel screening are the deploying organization's responsibility. Zeph's RBAC enforces access minimization by role.
Note: CJIS compliance requires a signed CJIS Security Addendum between the deploying agency and their state CJIS Systems Agency (CSA). Zeph provides the application-layer technical controls; the organizational and physical controls are the deploying agency's responsibility. A full CJIS compliance matrix is available upon request.
What We Haven't Completed Yet
Transparency matters more than marketing. Here's what's honestly still in progress, with our plan. 93% of NIST CSF 2.0 controls are addressed — the remaining 7% are listed here.
Independent third-party penetration test
Planned for pre-GA release (v1.0 RC). Internal controls validated; external adversarial testing not yet done.
High priorityOn-call rotation and incident response tabletop exercise
Planned for operational readiness phase (ROADMAP §0.12.7). Incident catalog and runbook are in place.
High priorityFormal threat intelligence feed
GitHub Security Advisories cover direct dependencies. No commercial threat intel feed yet. (NIST ID.RA-02)
Medium prioritySIEM active integration
NDJSON export ready for Splunk/ELK ingestion. Active connection is deploying-org's setup step. (NIST DE.AE-01)
Medium prioritySupplier security assessment program
npm audit CI-gates dependency risk. Formal vendor assessments and supply chain roles not yet established. (NIST GV.SC-02/03)
Medium priorityField-level data masking for lower-privilege roles
Office-scoped RBAC isolation exists; per-field masking at API response layer is a post-GA roadmap item. (NIST PR.DS-10)
Medium priorityRelease Integrity & Supply Chain
CycloneDX SBOM
Every release includes a Software Bill of Materials in CycloneDX format — a complete inventory of every dependency included in the build.
SHA-256 Verified Artifacts
SHA256SUMS.txt covers every release artifact (Linux tarball, Windows ZIP, SBOM). Verify your download before running install.
GPG-Signed Checksums
SHA256SUMS.asc provides a GPG detached ASCII-armored signature over the checksum file. Cryptographically verify the release was built by Zeph Tech.
Responsible Disclosure
If you discover a security vulnerability in Zeph, please report it privately before public disclosure. We commit to acknowledging your report within 48 hours and providing a remediation timeline within 7 business days.