ZenoXCare — marketing

External CPA firm (engagement TBD)

SOC 2 Type II

In progress

External CPA firm (engagement TBD)

Evidence Collection75%

ISO/IEC 27001:2022 (ISMS)

Accredited certification body (e.g., BSI, DNV, TÜV)

ISO/IEC 27701:2019 (PIMS)

Accredited certification body (joint scope with 27001)

Ghana Data Protection Commission registration (Act 843)

Data Protection Commission, Ghana

Vulnerability Assessment & Penetration Test (baseline)

External CREST/OSCP-credentialed pentest firm (engagement TBD)

PCI DSS v4.0 Self-Assessment (SAQ A-EP)

Self-assessed; QSA validation when card data scope expands

HITRUST CSF e1 Assessment

Not pursued

HITRUST-authorised external assessor

→

View All 8

Certifications & Audits

Standards by Category

Every standard below links to its publisher's authoritative source. Our alignment status is reviewed quarterly and verified independently by the auditors who issue our certifications.

Information Security

Foundational ISMS controls and third-party attestations governing how ZenoXCare protects systems, data, and customer trust.

ISO/IEC 27001:2022

ISO/IEC

International standard for an Information Security Management System (ISMS) — risk-based controls covering organisation, people, processes, and technology.

SOC 2 (Trust Services Criteria)

In progress

AICPA

Reporting framework on controls relevant to Security, Availability, Confidentiality, Processing Integrity, and Privacy of a service organisation.

SOC 1 (ICFR)

AICPA

Reporting framework on controls relevant to user entities' Internal Control over Financial Reporting (ICFR).

Privacy

Privacy-by-design controls extending the ISMS to personal data lifecycle management.

ISO/IEC 27701:2019

ISO/IEC

Privacy Information Management System (PIMS) extension to ISO/IEC 27001, providing requirements for processing personally identifiable information.

Application Security

Verification standards for secure software development and runtime defence.

OWASP ASVS v4

OWASP Foundation

Application Security Verification Standard — a basis for testing web application technical security controls and providing a list of requirements for secure development.

Resilience & Business Continuity

Operational continuity, disaster recovery, and incident-response disciplines.

ISO 22301:2019

ISO

Business Continuity Management System (BCMS) — requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve business continuity.

Payments

Card and mobile-money compliance, settlement integrity, and payout safeguards.

PCI DSS v4.0

PCI Security Standards Council

Payment Card Industry Data Security Standard — protects card-data environments through technical and operational requirements.

Clinical Interoperability

Open standards for safely exchanging clinical information between systems.

HL7 FHIR R5

HL7 International

Fast Healthcare Interoperability Resources — modern web standard for exchanging healthcare information electronically.

Clinical Terminology

Globally-recognised vocabularies for unambiguous clinical meaning.

SNOMED CT

SNOMED International

Comprehensive, multilingual clinical healthcare terminology used for clinical documentation and reporting.

ICD-11

World Health Organization

WHO International Classification of Diseases, 11th revision — global standard for diagnostic health information.

Health-System Governance

Sector-specific operating standards for digital health systems and clinical workflows.

ISO 27799:2016

ISO

Health-sector application of ISO/IEC 27002 — security management in health using ISO/IEC 27002 controls.

WHO SMART Guidelines

World Health Organization

Standards-based, Machine-readable, Adaptive, Requirements-based, Testable — WHO's framework for digital adaptation kits in health systems.

AI Governance

Lifecycle controls for trustworthy, ethical, and human-supervised AI in healthcare.

ISO/IEC 42001:2023

ISO/IEC

AI Management System — requirements for establishing, implementing, maintaining and continually improving an AI management system within an organisation.

NIST AI RMF 1.0

NIST (USA)

AI Risk Management Framework — voluntary guidance to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

WHO AI Ethics in Health

World Health Organization

Ethics and governance of artificial intelligence for health — six principles ensuring AI works to the public benefit of all countries.

Medical Device (Reserved)

Standards held in reserve until any feature is classified as Software as a Medical Device.

ISO 13485:2016

Monitoring

ISO

Quality management systems for medical devices — requirements for regulatory purposes.

IMDRF SaMD Framework

Monitoring

International Medical Device Regulators Forum

Regulatory framework for Software as a Medical Device — risk categorisation and clinical evaluation guidance.

Africa — Regional Instruments

Continental and regional instruments framing pan-African data, privacy, and digital-trade obligations.

AU Malabo Convention

African Union

African Union Convention on Cyber Security and Personal Data Protection — continental instrument harmonising data protection and cybersecurity.

AU Data Policy Framework

African Union

Continental policy framework governing data, cross-border flows, and digital trade across African Union member states.

ECOWAS Data Protection Act

ECOWAS

ECOWAS Supplementary Act on Personal Data Protection — regional instrument governing data processing across West African member states.

Africa — Country Data Protection Laws

National statutes that overlay the pan-African baseline as ZenoXCare enters each market.

Ghana — Data Protection Act 2012 (Act 843)

Data Protection Commission, Ghana

Statutory data protection law in Ghana; controllers and processors must register with the Data Protection Commission.

South Africa — POPIA

Information Regulator, South Africa

Protection of Personal Information Act — South Africa's primary data protection statute; requires Information Officer registration.

Nigeria — NDPA 2023