How OASYS NOW Exceeds Compliance Expectations

Sep 24, 2025

At OASYS NOW, we believe security isn’t just a technical necessity — it’s a reflection of our values. We’re building AI-powered tools to make personalized health accessible to everyone, and that mission depends on trust.

From the beginning, we’ve embedded privacy-by-design and security-first thinking into every layer of our product. This is the story of how we took our commitment to the next level through third-party penetration testing and cloud security validation — and what it means for our future.

Investing Early in Security

We didn’t wait for compliance demands or customer checklists to tell us security matters. Long before our first enterprise deal, we invested over 18 months building internal capabilities around:

  • Regular automated scanning

  • A robust data protection framework aligned with European values

  • Early alignment with GDPR, ISO 27001, NEN 7510, and the emerging EU AI Act

As our platform matured — and we began partnering with hospitals, CROs, and clinical trial sites — we knew it wasn’t enough to say we take security seriously. We had to prove it.

The Proof is in the Pudding: What was Tested (and How)

We worked with Sekurno to assess and test both of our core platforms:

  • GRIP – our patient-facing app for health record aggregation, personalized health insights, and clinical trial discovery

  • ELaiGIBLE – our clinician-facing platform that enables rapid identification of eligible patient cohorts

The engagement covered our end-to-end architecture, including the full application stack and the infrastructure hosted across multiple cloud providers.

Sekurno delivered a full white-box, manual-first security review, combining enterprise-grade tools with hands-on analysis to ensure depth, precision, and real-world impact.

Key Activities Performed

  • Deep dive into project documentation: application architecture, user-flow analysis, API documentation, and related technical artifacts

  • Threat modeling workshops to identify logic-layer threats and prioritize test cases based on actual business risk

  • Authentication and session validation — covering OAuth flows, MFA, password resets, account registration, and privilege escalation

  • API-level security testing — analyzing access control enforcement, input validation, session management, and error handling

  • Cloud posture reviews across infrastructure — evaluating IAM roles, storage configurations, exposed services, and audit logging

  • Secure code review — with a focus on authentication middleware, role boundaries, and potential logic bypasses

  • SAST, DAST, and SCA tooling — used to automate baseline discovery, with all results manually verified to remove false positives and surface high-context issues

Approach & Methodology

Sekurno followed industry standards, including the OWASP WSTG and NIST SP 800-115, along with the relevant controls. More importantly, they tailored every step of the process to our architecture and risk model.

The application was tested against 130+ OWASP WSTG requirements, covering all major security categories:

  1. WSTG-INFO – Information Gathering

  2. WSTG-CONF – Configuration and Deployment Management Testing

  3. WSTG-IDNT – Identity Management Testing

  4. WSTG-AUTH – Authentication Testing

  5. WSTG-SESS – Session Management Testing

  6. WSTG-ACCE – Authorization Testing

  7. WSTG-INPV – Input Validation Testing

  8. WSTG-CRYP – Testing for Weak Cryptography

  9. WSTG-BUSL – Business Logic Testing

  10. WSTG-CLNT – Client-Side Testing

  11. WSTG-API – API Testing

  12. WSTG-MISC – Miscellaneous Testing

Their threat modeling process guided their technical team in identifying risks in our applications in a structured and context-aware way. It provided us with clear visibility into the specific threats being assessed, aligning the testing with our real-world architecture and risk profile.

This approach not only ensured the thoroughness of the assessment but also reinforced the personalization and relevance of each test case — enabling fast remediation and strategic insight for both engineering and leadership.

Walking the Talk: Results

The results validated the discipline we’ve built internally:

  • No critical or high-severity vulnerabilities were found

  • Our API-level authentication and authorization controls were robust across every tested path

  • Sensitive features — like file uploads, account workflows, and session handling — operated securely and predictably

  • Cloud environments showed minimal misconfigurations and strong identity boundaries

  • All medium and low-risk findings were addressed within days, with some resolved before the final report

This wasn’t just a technical milestone; it is a strategic asset.

The third-party verification letter from Sekurno is now a key tool we utilize in enterprise sales, due diligence, and compliance discussions — particularly with major hospitals that require formal reviews of data handling and security posture.

“From the very first interaction with OASYS Now’s system, it was clear that security is a foundational priority for their team. Their middleware architecture reflects this commitment — every single API endpoint we assessed enforced strict authentication and authorization controls. It’s rare to see such a well-implemented access model across the board. We were especially impressed by the consistency and thoughtfulness in their security design.”

— Alex Rozhniatovskyi, Technical Director of Sekurno

Valuing our Partners’ Trust

Security is not a checkbox — it’s a commitment. We don’t see compliance as a constraint. We see it as an opportunity to:

  • Demonstrate the quality of our engineering

  • Proactively align with evolving regulatory landscapes

  • Build trust with institutional buyers who rely on our infrastructure

  • Earn public trust

This investment isn’t a one-off. It’s part of a long-term strategy to:

  • Stay ahead of emerging threats

  • Improve security education across our team

  • Collaborate transparently with partners, clients, and stakeholders

  • Serve patients in a secure way

Choosing Sekurno: The Story Behind the Decision

When we started our search for a penetration testing partner, we weren’t looking for a checkbox exercise. We needed a team that:

  • Understood the technical nuance of AI-powered healthcare

  • Could work across both application and cloud environments

  • Spoke the language of privacy-first, compliance-aligned design

  • Brought deep experience in HealthTech and BioTech ecosystems

Sekurno met every one of these criteria — and more. Their passion for security and their focus on the HealthTech industry were evident from day one and were key factors in our decision to work with them. They delivered not just on execution, but on mindset as well.

Their blend of technical credibility, structured testing, regulatory fluency, and human collaboration made them the right partner for this phase of our journey.

What Comes Next: We Don’t Stop Here.

We’ll continue raising the bar:

  • Future pentests scoped around threat modeling and system changes

  • Continuous alignment with GDPR, ISO 27001, NEN 7510, and the EU AI Act

  • Real-time monitoring and ongoing internal education to keep our security culture evolving

Want to Learn More?

If you’re a hospital, research organization, or partner who needs secure data collaboration, we’d love to share more.

We believe in showing our work, leading with transparency, and setting a new bar for privacy-first health tech.

Get in touch

We look forward to working together!

Patient-first, Privacy-by-Design & AI-native


We take pride in our 🇪🇺 European values and Cybersecurity 🔐 roots, and are on a mission to Make Personalized Health Accessible for everyone.

ISO 27001 Certified - OASYS NOW
NEN 7510 Certified - OASYS NOW
GDPR Compliant monitored by Drata - OASYS NOW
Penetration Testing by Sekurno
Dutch Privacy Awards 2024 - OASYS NOW
ELSA winner 2024 - OASYS NOW
EU AI Act compliant - OASYS NOW