About the Client
OASYS NOW, founded in 2021 and headquartered in Delft, Netherlands, is a health-tech startup on a mission to make personalized healthcare accessible to everyone. The company accelerates clinical trial recruitment by leveraging AI and privacy-first technologies to match patients with relevant trials more efficiently. Its platform reflects a patient-first, privacy-by-design, and AI-native philosophy, rooted in strong European values and deep cybersecurity awareness.
The platform comprises two key products:
GRIP – a patient-facing application that allows individuals to aggregate their health records, gain personalized health insights, and discover matched clinical trials.
ELaiGIBLE – a tool for researchers and healthcare professionals that identifies eligible patient cohorts in minutes, drastically reducing recruitment timelines.
Secure Foundations Confirmed and a Clearer Compliance Path
Results:
The assessment uncovered no critical or high-severity vulnerabilities — a rare but welcome outcome. More importantly, the results validated that OASYS NOW’s engineering team had embedded privacy-by-design and security best practices into the foundation of both products.
Key observations:
Authentication and authorization logic was robust
Multi-factor authentication protected sensitive functions
File uploads, session management, and account workflows operated securely
API endpoints followed secure input validation and error-handling patterns
Cloud assets were appropriately hardened with minimal exposure or misconfiguration
All medium and low-severity issues were remediated quickly, in some cases even before final reporting was complete, thanks to Sekurno’s responsive engagement and strong developer alignment.
These results were more than technical milestones. The third-party attestation letter became a key asset in enterprise sales and compliance discussions: it gave OASYS NOW documented proof of diligence and technical maturity when engaging major healthcare partners, including large hospital systems that require a formal risk review and expect clear explanations of modern privacy safeguards.
The Challenge
Preparing for Enterprise Clients and Regulatory Pressure
Before engaging with Sekurno, OASYS NOW had relied solely on automated security scanning tools. But as the company matured — and began serving clinical stakeholders and institutional partners — internal diligence was no longer enough.
Their objectives were clear:
Demonstrate security maturity across both applications and infrastructure
Support compliance readiness for multiple regulatory and certification frameworks
Identify and address security blind spots that automated tools often miss
Build internal confidence and ensure responsible scaling
The company faced increasing pressure to meet stringent European and healthcare-specific security standards, including:
GDPR – for data privacy and handling of patient records
ISO 27001 – for formalized information security management
NEN 7510 – the Dutch standard for healthcare information security
EU AI Act – for ethical, transparent, and secure deployment of AI models
OASYS NOW was not merely responding to compliance pressure. The company had invested in security and privacy-by-design long before it was required, spending over 18 months implementing automated monitoring and robust controls. The penetration test was commissioned not to hunt for problems, but to obtain independent validation that those safeguards worked as intended.
Our Solution
A Full-Stack Security Review Aligned to Health-Tech Demands
Sekurno delivered a comprehensive white-box security engagement that included both application and cloud-level assessments. Our scope covered the GRIP and ELaiGIBLE applications across two cloud providers: Microsoft Azure and Google Cloud Platform (GCP).
Scope of Work
Application penetration testing, combining manual testing with:
- DAST (Dynamic Application Security Testing)
- SAST (Static Application Security Testing)
- SCA (Software Composition Analysis)
- Manual code review targeting key logic areas
Cloud security assessments of Azure and GCP environments, focusing on misconfigurations, IAM posture, and storage/network exposure
Methodology Highlights
End-to-end validation of authentication flows (OAuth, registration, MFA, password reset)
Testing of API request handling, data access, file upload security, and privilege escalation logic
Infrastructure hardening reviews covering cloud asset exposure, role definitions, secret management, and audit logging practices
Threat modeling used to tailor the assessment to OASYS NOW’s architecture — decomposing application logic, mapping data flows, and identifying potential risks aligned with business impact
Tailored remediation recommendations delivered via interactive developer Q&A sessions
Sekurno recommended and carried out a full white-box approach, moving beyond the limits of gray-box testing to ensure deep coverage. Detailed checklists and annexes mapped every finding to the relevant security standards. Notably, manual review confirmed that OASYS NOW’s authentication middleware enforced authentication uniformly across all API endpoints, whereas many implementations apply checks route by route and leave some endpoints unprotected.
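The difference between per-route and middleware-level authentication is easiest to see in code. The following is an added illustration, not OASYS NOW’s or Sekurno’s code: a framework-free toy router in which the same set of handlers is run once with opt-in `@requires_auth` decorators and once behind a default-deny middleware, followed by the coverage check a tester would run against every registered route. The routes, the static bearer token and the handler names are all assumptions made for the example.

```python
"""Uniform API authentication: default-deny middleware vs. per-route opt-in.

Added example, not OASYS NOW's or Sekurno's code. A framework-free toy router
is used so the file runs offline; routes, token and handler names are assumed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

Response = Tuple[int, str]
RouteKey = Tuple[str, str]          # (HTTP method, path)
Handler = Callable[["Request"], Response]

# Constructed credential for the demo only; a real service validates a JWT or session.
VALID_TOKEN = "demo-token-123"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    """Accept 'Authorization: Bearer <token>' with a constant-time comparison."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, VALID_TOKEN)


@dataclass
class App:
    routes: Dict[RouteKey, Handler] = field(default_factory=dict)
    public: Set[RouteKey] = field(default_factory=set)
    default_deny: bool = False   # False: protection only where a decorator was added

    def route(self, method: str, path: str, public: bool = False):
        def register(fn: Handler) -> Handler:
            self.routes[(method, path)] = fn
            if public:
                self.public.add((method, path))
            return fn
        return register

    def handle(self, req: Request) -> Response:
        key = (req.method, req.path)
        handler = self.routes.get(key)
        if handler is None:
            return 404, "not found"
        # Default-deny middleware: any route not on the explicit public allowlist
        # requires authentication, so a forgotten decorator cannot expose it.
        if self.default_deny and key not in self.public and not is_authenticated(req):
            return 401, "unauthorized"
        return handler(req)


def requires_auth(fn: Handler) -> Handler:
    """Opt-in style: the check exists only where a developer remembered it."""
    def wrapper(req: Request) -> Response:
        if not is_authenticated(req):
            return 401, "unauthorized"
        return fn(req)
    return wrapper


def build_app(default_deny: bool) -> App:
    """Same handlers in both modes; only the enforcement strategy differs."""
    app = App(default_deny=default_deny)

    @app.route("GET", "/health", public=True)
    def health(req: Request) -> Response:
        return 200, "ok"

    @app.route("GET", "/api/records")
    @requires_auth
    def records(req: Request) -> Response:
        return 200, "records"

    @app.route("POST", "/api/export")          # decorator forgotten on this one
    def export(req: Request) -> Response:
        return 200, "export started"

    return app


def unprotected_routes(app: App) -> Set[RouteKey]:
    """Tester's coverage check: call every registered route without credentials and
    report any that answer 2xx while not being on the public allowlist."""
    leaks: Set[RouteKey] = set()
    for key in app.routes:
        status, _ = app.handle(Request(*key))
        if key not in app.public and 200 <= status < 300:
            leaks.add(key)
    return leaks


if __name__ == "__main__":
    for mode in (False, True):
        print(f"default_deny={mode}: unprotected={sorted(unprotected_routes(build_app(mode)))}")
```

With opt-in decorators the check reports `POST /api/export` as reachable without credentials; with the default-deny middleware the same handlers yield no unprotected routes, while `/health` stays public and a valid bearer token still reaches `/api/records`. Enumerating registered routes and probing each one unauthenticated is the practical way to verify uniform enforcement rather than trusting that every handler was decorated.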
While Azure domain policies and multi-factor access controls made staging setup more complex, both teams collaborated closely to create a secure, high-fidelity testing environment.
Key Outcomes
We felt that Sekurno really checked every bit and piece of our system. This was evident in the deliverables they provided, with full transparency — including the testing status of each OWASP WSTG requirement and testing logic informed by their own threat modeling. They were also the only team that advocated for a white-box approach — giving their security engineers deeper visibility into our application’s implementation and design, which can ultimately help with uncovering meaningful issues. It made the entire process feel aligned with how we actually build and operate.
Nima S, CEO @ OASYS NOW
Conclusion
From Automated Scans to Enterprise-Ready Security
OASYS NOW entered this engagement to move beyond automation and toward measurable security maturity. Sekurno helped them close that gap — validating their strengths, identifying actionable improvements, and providing proof of diligence to stakeholders across healthcare and AI ecosystems.
Sekurno’s deep understanding of biotech, privacy, and AI regulation, combined with a personalized, responsive approach, made them a trusted partner in OASYS NOW’s security journey.
For health-tech companies operating at the intersection of AI, data privacy, and clinical workflows, this kind of rigorous, multi-layered security assessment is not just optional — it’s essential.