Use this page to run a dated access review and maintain a supplier register. These two artifacts create evidence for ISO/IEC 27001 readiness, GDPR integrity/confidentiality, and NIS2 supply-chain/access-control measures.
GDPR-5-6, ISO27001-3, ISO27001-5, NIS2-21-4, NIS2-21-9, NIS2-21-10
Unknown MFA, DPA, region, or business-need status remains visible as a gap until reviewed and dated.
private/technology&Architecture/compliance/20260706_quick_win_compliance_closure_plan.md
| Field | What To Capture | Evidence Expectation | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| System/surface | Clerk, Vercel, Cloudflare, R2/KV, model-provider consoles, GitHub, Stripe, backoffice, or admin APIs. | Every critical system appears at least once. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Access Inventory — 13 Systems
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Access role | Owner, admin, developer, read-only, service account, or unknown. | Role matches provider console or internal policy note. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Current Access Roles All systems accessed by Nicolas as owner/admin. No additional human users. Service accounts: Google Cloud Run service account, per-HEA OAuth connections (Gmail, Microsoft, Shopify). API keys: OpenAI, Gemini, Brave, Perplexity, Mistral, Explorium, SerpAPI. 13 API key holders need rotation review. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Account | Human or service account identifier. | No secrets or raw credentials in this table. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Account Summary Single human operator: Nicolas Payen. No shared admin passwords. OAuth tokens are per-HEA scoped and encrypted (AES-256-GCM). Service keys use HMAC or provider-managed rotation. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Business reason | Why the access exists. | Missing reason should trigger reduce/remove/investigate. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Business Justification All systems have documented purpose (hosting, auth, billing, AI inference, CRM sync, etc.). No orphaned access found in initial audit. Recommended: quarterly review cadence. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| MFA status | Confirmed, unavailable, unknown, or not applicable. | Unknown stays a gap until verified. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
MFA Coverage Summary
✅ Confirmed: 3 / 13 Vercel, GitHub, Stripe |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Decision | Keep, reduce, remove, or investigate. | Decision date and reviewer are required for evidence. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Access Decisions — 2026-07-06 All access: Keep. No access removal recommended at this time.
Required follow-up: |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Field | What To Capture | Evidence Expectation | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Supplier | Vercel, Cloudflare, Clerk, model providers, Stripe, email provider, analytics provider, or support/contact tooling. | Every critical runtime provider has a row. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Supplier Inventory — Top 10 High-Criticality
31 suppliers total. 10 high-criticality, 11 medium, 10 low. See full register in source artifact. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Service purpose | Hosting, storage, authentication, model inference, billing, email, analytics, or security tooling. | Purpose should align with GDPR accountability table. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Purpose Mapping by Category
Hosting: Vercel, Cloudflare |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Data involved | Customer content, personal data, billing data, logs, metadata, or no customer data. | Map to data categories rather than dumping raw fields. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Data Category Mapping
Customer content: Cloudflare R2, OpenAI (chat prompts), Google Cloud |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Criticality | High, medium, or low. | High-criticality suppliers need owner and next review date. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Criticality Breakdown
10 HIGH All runtime dependencies that handle customer data or auth. Outage = immediate product impact. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Region/transfer note | EU, US, global, provider-specific, or unknown. | Unknown stays visible for follow-up. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Geographic Distribution
Provider HQ predominantly US-based: 20+ suppliers. ⚠️ Reduced risk Core PII stores (R2, KV, Cloud Run) are EU-hosted. US transfers are transient (inference, deployment) or low-PII (source code). Per-supplier SCC confirmation still needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| DPA/security status | Signed, available, pending, unknown, or not needed. | Link provider trust/DPA/security source when possible. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
DPA Coverage — High-Criticality Suppliers
⚠️ Pending review DPA links identified for all 10 high-criticality suppliers. Owner review needed — click each link, confirm DPA applies to your account, update status to ✅. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||