Security posture
Last updated 15 May 2026

Janet Cares is built for healthcare-grade environments. We publish our security posture against the Australian Signals Directorate (ASD) Essential Eight Maturity Model. Seven of the eight controls are assessed at Maturity Level 2 (ML2); multi-factor authentication is at ML1. Because the Essential Eight rates an organisation at the lowest level achieved across all eight controls, our current overall maturity is ML1, rising to ML2 once admin MFA enforcement (see the roadmap below) is complete.
Essential Eight controls
| Control | Maturity | Notes |
|---|---|---|
| Application control | ML2 | Hosted on the Vercel serverless platform: only the code we deploy runs, with no shell or arbitrary execution surface in production. Note that this covers the hosting platform; the ASD control as written also applies to workstations. |
| Patch applications | ML2 | Weekly `pnpm audit`; Dependabot enabled; Next.js and the Supabase client libraries kept on supported releases. Remediation timeframes are not yet written down as an SLA (see roadmap). |
| Restrict Microsoft Office macros | N/A | No Microsoft Office in our stack. |
| User application hardening | ML2 | Content Security Policy set on every route; the application requires no browser plugins. |
| Restrict administrative privileges | ML2 | Admin flag plus a role assignment table; the Supabase service-role key is used only in four server-only route handlers and is never sent to the browser. |
| Patch operating systems | ML2 | Serverless compute (Vercel) and managed database (Supabase): operating system patching is the providers' responsibility under the shared-responsibility model. |
| Multi-factor authentication | ML1 | MFA is available through Supabase Auth but is optional; it is not yet enforced for all admin accounts (see roadmap). |
| Regular backups | ML2 | Supabase automated daily backups with point-in-time recovery (Pro tier). A full restoration drill has not yet been run (scheduled, see roadmap). |
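As an added illustration of the administrative-privileges and MFA rows above (this is example code, not the Janet Cares code base), the guard below combines the three checks a Next.js route handler or middleware would apply before serving an admin route: the admin flag, the role assignment table, and the session's authenticator assurance level. The claim names (`sub`, `exp`, `aal`, `app_metadata.is_admin`) follow the shape of a decoded Supabase JWT, the `/admin` prefix and the `admin` role name are assumptions, and the role table and sessions are constructed sample data.

```javascript
// Added example: admin route guard requiring an admin flag, a role
// assignment and an MFA-backed session. Not code from the Janet Cares
// project. Assumptions not stated on the page: decoded session claims follow
// the Supabase JWT shape (`sub`, `exp`, `aal` of 'aal1' or 'aal2',
// `app_metadata.is_admin`); the role table is modelled as a Map from user id
// to a Set of role names; admin routes live under '/admin'.

const ADMIN_PREFIX = '/admin';   // assumed path prefix
const ADMIN_ROLE = 'admin';      // assumed role name in the assignment table

function isAdminPath(path) {
  return path === ADMIN_PREFIX || path.startsWith(ADMIN_PREFIX + '/');
}

// Returns { action, reason } where action is one of
// 'allow' | 'login' (no usable session) | 'mfa' (step-up needed) | 'deny'.
// Every check that cannot be proven fails closed.
function decideAdminAccess(claims, roleTable, path, nowSeconds) {
  if (!isAdminPath(path)) {
    return { action: 'allow', reason: 'not an admin route' };
  }
  if (!claims || typeof claims.sub !== 'string') {
    return { action: 'login', reason: 'no session' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { action: 'login', reason: 'session expired' };
  }
  // 1. The admin flag on the account. Compare strictly to true so a string
  //    "false" or a stray truthy value in metadata does not pass.
  if (claims.app_metadata?.is_admin !== true) {
    return { action: 'deny', reason: 'admin flag not set' };
  }
  // 2. An explicit row in the role assignment table. The flag alone is not
  //    enough: the table is what gets reviewed and revoked.
  const roles = roleTable.get(claims.sub);
  if (!roles || !roles.has(ADMIN_ROLE)) {
    return { action: 'deny', reason: 'no admin role assignment' };
  }
  // 3. The session was established with a second factor. Supabase exposes
  //    this as the authenticator assurance level; only the exact string
  //    'aal2' is accepted, anything else goes to step-up rather than through.
  if (claims.aal !== 'aal2') {
    return { action: 'mfa', reason: 'second factor required for admin routes' };
  }
  return { action: 'allow', reason: 'admin flag, role assignment and aal2 present' };
}

// Constructed sample data so the file runs stand-alone.
const NOW = 1_700_000_000;
const roleTable = new Map([
  ['user-1', new Set(['admin'])],
  ['user-2', new Set(['admin'])],
  ['user-3', new Set(['viewer'])],
]);
const base = { exp: NOW + 3600, app_metadata: { is_admin: true } };
const sessions = {
  adminWithMfa:  { ...base, sub: 'user-1', aal: 'aal2', amr: [{ method: 'totp' }] },
  adminNoMfa:    { ...base, sub: 'user-2', aal: 'aal1', amr: [{ method: 'password' }] },
  flaggedNoRole: { ...base, sub: 'user-3', aal: 'aal2' },
  expired:       { ...base, sub: 'user-1', aal: 'aal2', exp: NOW - 1 },
  noFlag:        { sub: 'user-1', exp: NOW + 3600, aal: 'aal2', app_metadata: {} },
};

console.log('/dashboard, anonymous ->', decideAdminAccess(null, roleTable, '/dashboard', NOW));
for (const [name, claims] of Object.entries(sessions)) {
  console.log('/admin/users,', name, '->', decideAdminAccess(claims, roleTable, '/admin/users', NOW));
}
```

The `mfa` outcome is the piece that closes the ML1 gap: an admin who signed in with a password only is not refused outright but is routed to MFA enrolment or challenge, and the route is never served until the session is at `aal2`. The prefix check is deliberately exact so that a path such as `/administrator` is not treated as an admin route by accident.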
Gap remediation roadmap
- Admin MFA enforcement — highest priority; in progress.
- Trial CSP changes in report-only mode, with a collector for violation reports, before enforcing them — medium priority.
- Formal CVE remediation SLA documented — medium priority.
- Full restoration drill — scheduled 2026-07-31.
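The report-only CSP rollout on the roadmap, shown as an added example that is not the project's own code: the candidate policy is sent in a `Content-Security-Policy-Report-Only` header beside the enforced one, and the collector normalises whatever the browser delivers into one record shape and counts violations per directive and source. The `/api/csp-report` path, the candidate policy and the sample reports are all assumptions or constructed data, not taken from the Janet Cares deployment.

```javascript
// Added example: rolling out a CSP change in report-only mode and collecting
// the violation reports. Not code from the Janet Cares project. Assumptions
// not stated on the page: the collector endpoint is '/api/csp-report', the
// candidate policy below is illustrative, and reports arrive either as the
// legacy `{"csp-report": {...}}` object or as a Reporting API
// `application/reports+json` array.

const REPORT_PATH = '/api/csp-report'; // assumed collector route

// Candidate policy to trial. The enforced header stays as it is; this one is
// sent alongside it, so violations are reported but nothing is blocked.
// 'report-sample' asks the browser to include the first bytes of a blocked
// inline script, which is what makes an "inline" violation actionable.
const CANDIDATE_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'report-sample'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"],
};

// Builds the two response headers for the trial. `report-uri` is the legacy
// delivery mechanism and `report-to` the Reporting API one; sending both
// covers current browsers. `Reporting-Endpoints` names the endpoint group.
function buildReportOnlyHeaders(policy, reportPath) {
  const directives = Object.entries(policy).map(([name, sources]) => `${name} ${sources.join(' ')}`);
  directives.push(`report-uri ${reportPath}`, 'report-to csp-endpoint');
  return {
    'Content-Security-Policy-Report-Only': directives.join('; '),
    'Reporting-Endpoints': `csp-endpoint="${reportPath}"`,
  };
}

// Browser-extension injections show up as violations but are not ours to fix.
const NOISE = /^(chrome|moz|safari-web)-extension:/;

// Normalises one request body into violation records with a single field
// naming, whichever delivery format the browser used. Reports that do not
// name a directive, or that point at extension noise, are dropped.
function normaliseReports(body) {
  const raw = [];
  if (Array.isArray(body)) {
    for (const r of body) {
      if (r && r.type === 'csp-violation' && r.body) raw.push(r.body);
    }
  } else if (body && typeof body === 'object' && body['csp-report']) {
    raw.push(body['csp-report']);
  }
  return raw
    .map((r) => ({
      document: r['document-uri'] ?? r.documentURL ?? '',
      directive: r['effective-directive'] ?? r.effectiveDirective ?? r['violated-directive'] ?? '',
      blocked: r['blocked-uri'] ?? r.blockedURL ?? '',
      disposition: r.disposition ?? 'unknown',
      // Keep only a short sample: an inline script may carry tokens or patient data.
      sample: String(r['script-sample'] ?? r.sample ?? '').slice(0, 40),
    }))
    .filter((e) => e.directive !== '' && !NOISE.test(e.blocked));
}

// Aggregates records by (directive, blocked source) so the decision "can this
// directive move from report-only to enforced?" is a count, not a log grep.
function summarise(records) {
  const counts = new Map();
  for (const e of records) {
    const key = `${e.directive} ${e.blocked || '(none)'}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// Constructed sample reports, not captured from any real deployment.
const legacyReport = {
  'csp-report': {
    'document-uri': 'https://app.example.test/intake',
    'effective-directive': 'script-src',
    'violated-directive': 'script-src',
    'blocked-uri': 'inline',
    disposition: 'report',
    'script-sample': 'window.dataLayer = window.dataLayer || [];',
  },
};
const reportingApiBatch = [
  { type: 'csp-violation', url: 'https://app.example.test/intake',
    body: { documentURL: 'https://app.example.test/intake', effectiveDirective: 'script-src',
            blockedURL: 'chrome-extension://abcdef/content.js', disposition: 'report' } },
  { type: 'csp-violation', url: 'https://app.example.test/intake',
    body: { documentURL: 'https://app.example.test/intake', effectiveDirective: 'connect-src',
            blockedURL: 'https://metrics.example.net/collect', disposition: 'report' } },
  { type: 'deprecation', url: 'https://app.example.test/intake', body: {} },
];

const headers = buildReportOnlyHeaders(CANDIDATE_POLICY, REPORT_PATH);
const records = [...normaliseReports(legacyReport), ...normaliseReports(reportingApiBatch)];
console.log(headers);
console.log(summarise(records));
```

A directive is ready to be moved into the enforced header once its count in `summarise` stays at zero for a full release cycle on production traffic; the extension filter matters because without it the counts never reach zero. The collector route should accept both `application/csp-report` and `application/reports+json` content types and respond `204`, and it must not be covered by CSRF or session checks, since the browser posts reports without credentials.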
This assessment was last updated 2026-05-15. We update it after each quarterly security review.