Purpledecks · Readiness Audit

Readiness Audit

Sample report

53.7°N -7.8°W · IRELAND · EST. 2012
Subject
Anonymised · digital health company
Stage
Pre-raise · pre-pilot
Scope
Mobile app · backend · cloud · data protection
Access
Deep · code, cloud, interviews
Reviewed by
Senior engineers
Format
Report + readout call
About this sample

This is an anonymised sample of a Purpledecks Readiness Audit. It shows the report format and the kind of findings a real audit contains. It is built from real findings across our engagements. The client, the product, the people and any identifying detail have been removed, and some detail has been generalised or combined for illustration. It is not a live client report, and the numbers here are representative. A real audit is scoped to your product.

The subject is a funded digital health company with a consumer mobile app and a cloud backend, handling special-category health data. A previous development team built the platform and has since handed it over. A funding round and a clinical pilot with a healthcare partner are both close. The company asked us to tell them, honestly, whether the software would survive that scrutiny, and what to fix first.

01 · Executive summary

Where the platform stands.

The product works today at small scale. It is not ready for outside scrutiny. The reasons are not mainly about code quality. They are about control, security and data protection, and they are fixable.

The verdict

Not ready for a raise or a clinical pilot in its current state. Six critical issues must be resolved first. The most serious are that the company cannot yet fully prove it owns and controls its own product, an internal admin tool is open to anyone who can reach it, and the groundwork for handling health data lawfully is missing. None of these is unusual for a product built and handed over by an outside team. All of them can be closed in weeks, not months.

6
Critical
7
High
6
Medium
2
Low
21
Total findings

The three things that matter most

Ownership and control. Key parts of the product sit outside the company's control. Crash and error data flows to an account owned by the previous team. There is no repeatable way to publish an app update, and the signing certificates that would let you are not confirmed to be in your hands. If the previous team were unavailable tomorrow, you could not currently ship a fix to either app store. This is the single biggest risk, and it is invisible in a normal code review.
Security. The internal admin tool, which reaches private user messages and health information, has endpoints that require no login at all. Secrets are hardcoded in the source and in the version history, so they must be treated as compromised. Personal data is being written to logs that are not protected by default.
Data protection. The platform handles special-category health data, which carries specific legal duties. The required groundwork is not in place. There is also evidence of a historical exposure of private files that needs a solicitor's view, because it may be a reportable breach.

What is genuinely solid

Not everything needs fixing. The database is well designed and documented, and can be kept under any future architecture. The app's front end is cleanly built. The real-time chat is the right tool for the job and works well. Authentication is solid and enforced in the right place. The foundations are sound. The problems sit around the edges, in control, security and the backend design, not in the core.

02 · Risk register

All findings, ranked by severity.

Every finding, with its area and the rough effort to fix it. The critical and high findings are written out in full below. Effort is a rough guide: Quick is hours to a day, Moderate a few days, Significant one to two weeks, Structural a larger piece of work.

Severity is carried by the label and the ordering, not colour alone.

ID
Finding
Area
Severity
Effort
OC-01
Error monitoring account owned by the previous team; the company cannot control or guarantee deletion of user error data.
Ownership
Critical
Quick
OC-02
No repeatable build or release pipeline; app store publishing depends on the previous team and unconfirmed signing certificates.
Ownership
Critical
Significant
SE-01
Admin tool has endpoints reachable with no login; anyone who can reach the server can create an admin, read private messages, or trigger jobs.
Security
Critical
Moderate
SE-02
Hardcoded secrets in source and version history, including a signing secret with a weak fallback; must be treated as compromised.
Security
Critical
Moderate
RG-01
Special-category health data processed without the required groundwork: no DPIA, no documented lawful basis, no data processing agreement.
Regulatory
Critical
Significant
RG-02
Evidence of a historical exposure of private files, including user messages, in a publicly reachable location; possible reportable breach.
Regulatory
Critical
Legal review
OC-03
Cloud account access and third-party service ownership not fully inventoried; several service keys of unknown ownership, some hardcoded.
Ownership
High
Moderate
OC-04
Domain, DNS and app store account ownership not demonstrated during the audit; needs verifying before launch.
Ownership
High
Quick
SE-03
Personal data, including user names and message content, written to application logs that are not access-controlled by default.
Security
High
Moderate
SE-04
Large number of known dependency vulnerabilities (92 total, 38 critical), concentrated in the server-side admin tool.
Security
High
Significant
TH-01
Backend uses 40-plus small serverless functions as the primary app API; the wrong tool for the job, causing delays and fragility that worsen with scale.
Technical health
High
Structural
RG-03
No data retention policy and no incident response procedure to meet the 72-hour breach notification duty.
Regulatory
High
Moderate
PC-01
No confirmed, tested backup or disaster recovery for the database or media storage.
Continuity
High
Moderate
OC-05
No documented offboarding of the previous team; access was not revoked or rotated after handover.
Ownership
Medium
Quick
SE-05
No cross-origin policy on the admin API.
Security
Medium
Quick
TH-02
Every screen change makes repeated status and permission calls, amplifying the backend delay problem.
Technical health
Medium
Moderate
TH-03
No separation between development and production; changes are effectively tested in production.
Technical health
Medium
Significant
PC-02
The clinical pilot rolls directly into live use, so there is no safety net; pilot issues hit real users and the partner relationship.
Continuity
Medium
Process
PC-03
System knowledge and documentation are thin and concentrated in the previous team.
Continuity
Medium
Moderate
TH-04
Custom patches applied to third-party components without documentation; must not be removed without understanding them.
Technical health
Low
Quick
SE-06
Verbose error output could reveal internal detail; minor hardening.
Security
Low
Quick
OC-01 · OwnershipCritical
Error monitoring account owned by the previous team; the company cannot control or guarantee deletion of user error data.
Effort · Quick
OC-02 · OwnershipCritical
No repeatable build or release pipeline; app store publishing depends on the previous team and unconfirmed signing certificates.
Effort · Significant
SE-01 · SecurityCritical
Admin tool has endpoints reachable with no login; anyone who can reach the server can create an admin, read private messages, or trigger jobs.
Effort · Moderate
SE-02 · SecurityCritical
Hardcoded secrets in source and version history, including a signing secret with a weak fallback; must be treated as compromised.
Effort · Moderate
RG-01 · RegulatoryCritical
Special-category health data processed without the required groundwork: no DPIA, no documented lawful basis, no data processing agreement.
Effort · Significant
RG-02 · RegulatoryCritical
Evidence of a historical exposure of private files, including user messages, in a publicly reachable location; possible reportable breach.
Effort · Legal review
OC-03 · OwnershipHigh
Cloud account access and third-party service ownership not fully inventoried; several service keys of unknown ownership, some hardcoded.
Effort · Moderate
OC-04 · OwnershipHigh
Domain, DNS and app store account ownership not demonstrated during the audit; needs verifying before launch.
Effort · Quick
SE-03 · SecurityHigh
Personal data, including user names and message content, written to application logs that are not access-controlled by default.
Effort · Moderate
SE-04 · SecurityHigh
Large number of known dependency vulnerabilities (92 total, 38 critical), concentrated in the server-side admin tool.
Effort · Significant
TH-01 · Technical healthHigh
Backend uses 40-plus small serverless functions as the primary app API; the wrong tool for the job, causing delays and fragility that worsen with scale.
Effort · Structural
RG-03 · RegulatoryHigh
No data retention policy and no incident response procedure to meet the 72-hour breach notification duty.
Effort · Moderate
PC-01 · ContinuityHigh
No confirmed, tested backup or disaster recovery for the database or media storage.
Effort · Moderate
OC-05 · OwnershipMedium
No documented offboarding of the previous team; access was not revoked or rotated after handover.
Effort · Quick
SE-05 · SecurityMedium
No cross-origin policy on the admin API.
Effort · Quick
TH-02 · Technical healthMedium
Every screen change makes repeated status and permission calls, amplifying the backend delay problem.
Effort · Moderate
TH-03 · Technical healthMedium
No separation between development and production; changes are effectively tested in production.
Effort · Significant
PC-02 · ContinuityMedium
The clinical pilot rolls directly into live use, so there is no safety net; pilot issues hit real users and the partner relationship.
Effort · Process
PC-03 · ContinuityMedium
System knowledge and documentation are thin and concentrated in the previous team.
Effort · Moderate
TH-04 · Technical healthLow
Custom patches applied to third-party components without documentation; must not be removed without understanding them.
Effort · Quick
SE-06 · SecurityLow
Verbose error output could reveal internal detail; minor hardening.
Effort · Quick
03 · Control and ownership

Do you actually control your own product.

This is where the most serious findings sit, and it is the part a code review never reaches. A product can be well written and still not be yours to run. If the people who built it walked away, could you keep it running and ship a fix. Can you prove, to an investor or a partner, that you own every part of it.

OC-01 · Error monitoring sits under the previous team's accountCritical
What it isCrash reports and error logs from the app, which include user context, are sent to a monitoring account registered to the previous development team, not to the company.
Why it mattersThe previous team can see this data. The company cannot control it, cannot guarantee it is deleted, and does not own the record. On a product handling health data, that is a data protection problem as well as a control one.
FixStand up a company-owned monitoring account and cut over before any users are on the platform. Quick to do, and it should be done first.
OC-02 · No repeatable way to publish an updateCritical
What it isThere is no build pipeline in the codebase. The evidence suggests the previous team built and published app releases from their own machines, using their own signing certificates, which are not confirmed to be in the company's control.
Why it mattersRight now, the company likely cannot publish an update to either app store on its own. The ability to ship is sitting on someone else's laptop. This is the kind of thing that only surfaces the day you urgently need to push a fix and cannot.
FixEstablish a repeatable, documented build and release pipeline owned by the company. Recover or reissue the signing certificates into company-controlled accounts. A week or two of work that removes the dependency for good.

Ownership and control register

Every part of the product, and who actually controls it today. This table is the heart of the audit. It is what lets you say, plainly and truthfully, that you own your own software, or shows you exactly where you do not yet.

Asset
Controlled by
Status
Note
Source code repositories
Company
Confirmed
Full history present, access verified.
Cloud account (root)
Company
Partial
Root access held, but internal users and third-party access not fully inventoried (OC-03).
Databases
Company
Confirmed
Inside the company's cloud account.
Authentication
Company
Confirmed
In the company's cloud account, well configured.
Media storage
Company
At risk
Held by the company, but historic public-exposure issue (RG-02).
Domain and DNS
Unverified
At risk
Ownership not demonstrated during the audit; verify before launch (OC-04).
Apple App Store account
Unverified
At risk
Access not demonstrated; publishing depends on the previous team (OC-02).
Google Play account
Unverified
At risk
As above.
Code signing certificates
Previous team (likely)
Critical
Not confirmed in company control; no build config in the repo (OC-02).
Build / release pipeline
None
Critical
No repeatable pipeline exists (OC-02).
Error monitoring
Previous team
Critical
User error data flows to an account the company does not control (OC-01).
Push notifications
Company (config)
At risk
Access token hardcoded in code and history; rotate and confirm ownership (SE-02).
Maps / location service
Unknown
At risk
API key hardcoded in the app; ownership and billing unconfirmed (OC-03).
Billing and cloud spend
Company
Partial
Paid by the company, but no cost visibility or alerts in place.
Source code repositoriesConfirmed
Controlled by · Company
Full history present, access verified.
Cloud account (root)Partial
Controlled by · Company
Root access held, but internal users and third-party access not fully inventoried (OC-03).
DatabasesConfirmed
Controlled by · Company
Inside the company's cloud account.
AuthenticationConfirmed
Controlled by · Company
In the company's cloud account, well configured.
Media storageAt risk
Controlled by · Company
Held by the company, but historic public-exposure issue (RG-02).
Domain and DNSAt risk
Controlled by · Unverified
Ownership not demonstrated during the audit; verify before launch (OC-04).
Apple App Store accountAt risk
Controlled by · Unverified
Access not demonstrated; publishing depends on the previous team (OC-02).
Google Play accountAt risk
Controlled by · Unverified
As above.
Code signing certificatesCritical
Controlled by · Previous team (likely)
Not confirmed in company control; no build config in the repo (OC-02).
Build / release pipelineCritical
Controlled by · None
No repeatable pipeline exists (OC-02).
Error monitoringCritical
Controlled by · Previous team
User error data flows to an account the company does not control (OC-01).
Push notificationsAt risk
Controlled by · Company (config)
Access token hardcoded in code and history; rotate and confirm ownership (SE-02).
Maps / location serviceAt risk
Controlled by · Unknown
API key hardcoded in the app; ownership and billing unconfirmed (OC-03).
Billing and cloud spendPartial
Controlled by · Company
Paid by the company, but no cost visibility or alerts in place.

Read this as a checklist to close. Every row marked at risk or critical is an owed action, and most are quick once someone is chasing them.

Release and control map

How a change reaches real users today, and where the gaps are.

01 / CodeA change is committed to the repository. This part is fine.
02 / BackendBackend functions deploy automatically on commit. This works, but each function's access permissions are configured by hand afterwards, which is slow and easy to get wrong.
03 / AppApp releases are built and signed manually, off the codebase, on the previous team's setup. This is the broken step. No repeatable pipeline, and no company-owned path to the stores.
04 / ApproveThere is no staging environment and no review gate. A change is effectively tested in production, and no one has to sign off before it is live.
05 / Roll backThere is no defined way to undo a bad release. If something breaks in production, recovery is manual and unplanned.
04 · Security

Security and data handling.

The serious findings are concentrated in the internal admin tool and in how secrets and personal data are handled. The admin tool matters most, because it reaches the most sensitive data with the least protection.

SE-01 · The admin tool is open to anyone who can reach itCritical
What it isThe internal admin tool has endpoints that require no login. Anyone who can reach the server can create a new admin account, read the private messages and health data of users, or trigger background jobs, without authenticating.
Why it mattersThis tool has direct access to the most sensitive data on the platform, the private conversations and health information of real people. It cannot go live in this state.
FixPut authentication and proper access control in front of every admin endpoint, and take the tool off the public internet until it is done. A few days of focused work.
SE-02 · Secrets are hardcoded and in the version historyCritical
What it isAccess tokens and a signing secret are written directly into the source code and are in the version history. The signing secret also has a weak fallback value used if the correct one is not set.
Why it mattersVersion history is permanent. Anyone who has ever had a copy of the code has these secrets. They must be treated as already compromised.
FixRotate every affected secret now, move them into managed secret storage, and remove the weak fallback. Do this regardless of any other decision.

The remaining security findings are in the register. In short: personal data is written to logs that are not protected by default (SE-03), there is a large backlog of known vulnerabilities concentrated in the admin tool (SE-04), and two smaller hardening items remain (SE-05, SE-06). None is as urgent as the two above, but the vulnerability backlog is real work and should be scheduled.

05 · Technical health

Architecture, code and the stack.

The code itself is not the problem. The front end is cleanly built and the data model is sound. The one significant technical finding is an architectural choice in the backend.

TH-01 · The backend uses the wrong tool as its main engineHigh
What it isThe backend is built from more than forty small serverless functions acting as the primary API for the app. Serverless functions are designed for occasional, isolated tasks. They are used here as the constant, everyday engine behind every screen.
Why it mattersThis is not about fashion. Idle functions take seconds to wake, so users hit delays and timeouts moving between screens. Each function has its own permissions to manage by hand, which is fragile. There is no shared state, so the system is harder to reason about and change safely.
The honest readNot urgent the way the security and ownership findings are. It is not on fire. But it is the piece that will not scale, and it is best addressed before the platform grows, not after. A planned piece of work, not an emergency, keeping the parts that work, the database, the front end, the chat, untouched.

What is solid, and should be kept

  • The database. Well designed, documented, and sensible. It can be kept as-is under any future architecture.
  • The app front end. Cleanly structured, with a single tidy path to the backend. The app itself is not the problem.
  • The real-time chat. The right tool for the job, and it works independently of the backend issues above.
  • Authentication. Solid, and enforced in the right place.
06 · Process and continuity

Can it keep running.

No tested backup or recovery (PC-01, High). Automated database backups may be switched on, but no one has confirmed it or tested a restore. The media storage has no recovery procedure at all. Before any users, backups must be confirmed on and a restore tested at least once.
The pilot is the launch (PC-02, Medium). The planned clinical pilot is not a closed test that gets wiped. Its users stay on the platform and it rolls straight into live use. Any reliability problem during the pilot hits real users and the healthcare partner relationship directly.
Thin documentation and key-person risk (PC-03, Medium). System knowledge sits largely with the previous team, and documentation is limited. This needs to be written down as part of taking full ownership.
07 · Regulated appendix · data protection

Handling health data lawfully.

This platform processes special-category health data, which carries specific legal duties beyond ordinary data protection. This section flags where the software and its evidence fall short. It is not legal advice, and the historical exposure below in particular needs a solicitor. We build software to the standard that applies and work under your quality system. We are not a certification body, a notified body, or a legal or regulatory adviser, and we say where that line is.

RG-01 · The groundwork for handling health data is missingCritical
What it isProcessing special-category health data requires certain things to be in place. A data protection impact assessment. A documented lawful basis for processing. A data processing agreement with anyone processing the data on the company's behalf. None of these is currently in place.
Why it mattersThese are legal requirements, not good-practice extras, and a healthcare partner will ask for evidence of them as a condition of a pilot. A data protection impact assessment in particular has to be done before the processing starts. It cannot be produced after the fact.
FixPut the assessment, the lawful basis and the agreements in place before the pilot. A mix of documentation and a small amount of engineering, best done with proper legal input.
RG-02 · Evidence of a historical exposure of private filesCritical
What it isThe project records suggest that private files, including messages between users, were at one point stored in a location reachable by anyone. If that happened while real users were on the platform, it may amount to a personal data breach.
Why it mattersA confirmed breach of this kind can carry a legal duty to report it to the data protection authority, and there are time limits on that. This is a legal question, not a technical one.
What to doTake this to a solicitor with the specifics, and establish whether it occurred with live user data and whether a notification is owed. We can provide the technical detail they need. We are flagging it plainly rather than deciding it.

Beyond these, there is no data retention policy and no incident response procedure to meet the 72-hour notification duty (RG-03). Both should be put in place before launch.

08 · Evidence map

What we reviewed, and what we could not.

An honest audit is clear about the edges of what it saw. This is what the findings are based on, and where we had to note a limit or make an assumption. Where something could not be verified, it is flagged, not glossed over.

Area
Status
Detail
Application source code
Reviewed
Full mobile and backend codebases, with history.
Cloud configuration
Reviewed
Read access to the cloud console; account structure, databases, storage, functions.
Dependency and vulnerability scan
Reviewed
Automated scan across mobile and backend dependencies.
Founder and team interviews
Reviewed
Sessions with the founder to establish history and intent.
Previous team's build environment
Unavailable
Could not be inspected. Build and signing conclusions are drawn from the absence of any build config in the code, and are flagged as such.
Some third-party account admin
Unavailable
Ownership of domain, app store and one service account could not be demonstrated during the audit; listed as at risk to verify.
Production versus repository match
Assumed
Assumed the deployed system matches the code reviewed. Spot-checked, not exhaustively verified.
Undocumented services
Assumed
Assumed the services found are the full set. Given the state of documentation, others may exist. Flagged as a residual risk.
Application source codeReviewed
Full mobile and backend codebases, with history.
Cloud configurationReviewed
Read access to the cloud console; account structure, databases, storage, functions.
Dependency and vulnerability scanReviewed
Automated scan across mobile and backend dependencies.
Founder and team interviewsReviewed
Sessions with the founder to establish history and intent.
Previous team's build environmentUnavailable
Could not be inspected. Build and signing conclusions are drawn from the absence of any build config in the code, and are flagged as such.
Some third-party account adminUnavailable
Ownership of domain, app store and one service account could not be demonstrated during the audit; listed as at risk to verify.
Production versus repository matchAssumed
Assumed the deployed system matches the code reviewed. Spot-checked, not exhaustively verified.
Undocumented servicesAssumed
Assumed the services found are the full set. Given the state of documentation, others may exist. Flagged as a residual risk.
09 · Remediation plan

What to fix, and in what order.

A prioritised plan. The order is driven by risk, not effort. The first block is what must be true before any users or any pilot. It is deliberately short, because a small number of things carry most of the risk.

Before scrutiny · 0–30 days

Must be done before a raise, a pilot, or real users.

  • Rotate every hardcoded secret and remove the weak fallback (SE-02).
  • Put authentication in front of the admin tool and take it off the public internet (SE-01).
  • Move error monitoring to a company-owned account (OC-01).
  • Confirm and secure ownership of the cloud account, domain, app store accounts and signing certificates (OC-02–04).
  • Stand up a repeatable, company-owned build and release pipeline (OC-02).
  • Take the historical exposure to a solicitor (RG-02).
  • Put a DPIA and a documented lawful basis in place (RG-01).
  • Stop writing personal data to unprotected logs (SE-03).
Before scale · 30–60 days
  • Work through the critical dependency vulnerabilities, admin tool first (SE-04).
  • Confirm database backups are on and test a restore; document media recovery (PC-01).
  • Put a data retention policy and incident response procedure in place (RG-03).
  • Add a proper development environment so changes are not tested in production (TH-03).
  • Close the smaller security items (SE-05, SE-06) and revoke old team access (OC-05).
Structural, and monitor · 60–90+ days
  • Plan and begin moving the backend off the serverless-as-primary-engine pattern, keeping the sound parts intact (TH-01, TH-02).
  • Write down system documentation and reduce key-person risk (PC-03).
  • Put monitoring, alerting and cost visibility in place.
  • Set up ongoing dependency management so the backlog does not rebuild.
10 · Investor and customer answer pack

The honest answers, ready to give.

The point of this audit is not the report. It is that you can walk into the raise or the partner conversation and answer straight. Here are the questions you will be asked, and the honest answers you can give once the plan is underway. Straight answers, backed by a plan, beat a polished pitch that falls apart under a follow-up.

Do you own and control your own product?

Mostly, and we know exactly where we do not yet. Three specific gaps are being closed now: error monitoring is moving to our own account, we are building our own release pipeline, and we are securing the app store signing certificates. Here is the register and the timeline.

Is user health data handled lawfully?

We are putting the required groundwork in place ahead of the pilot: the impact assessment, the lawful basis, and the agreements. We have also flagged one historical issue to our solicitor and are acting on their advice. We can show you the status of each.

Can you ship updates and keep the service running?

We are establishing a repeatable build pipeline and confirming tested backups. Until those are done, we have named the dependency honestly rather than hidden it, and it is near the top of the plan.

Will it hold up for the pilot and beyond?

The foundations, the database, the app and the chat, are sound. The backend design needs work to scale, which is planned and not urgent. Here is what is ready now and what is being addressed.

Are there security issues we should know about?

Yes, we found some, and we are fixing them, worst first. The two critical ones, the admin tool and the hardcoded secrets, are being closed immediately. Here is the remediation status.

11 · What happens next

Your options from here.

Take it to your own team.

The plan is written to be actioned by any competent engineering team. If you have people, they can run it.

Take it to another firm.

The findings and the effort estimates are yours. You are free to get the work done by anyone.

Have us do the remediation.

If you would like Purpledecks to carry out the fixes, we can. We would scope and price it separately, and tell you plainly if any part is better done by a specialist, a solicitor for the data protection question, for instance.

We priced and delivered this audit as a fixed engagement. Whether we do the fix work is a separate decision, and nothing in these findings depends on it. The severity of a finding is not affected by whether we can be the ones to fix it.

This is a sample. Get one for your product.

A Readiness Audit is a fixed engagement, from $15,000 or €13,000 in Ireland and the UK. It starts with a short scoping call.

Book a Readiness Audit What the audit covers →