Access Review — 2026 Q2 (May–July)

Status: First quarterly access review. Initiated 2026-05-11; target close-out by 2026-07-31. Cadence: quarterly per Access Control Policy. Reviewers: Taha Abbasi (Atlas + AWS + GitHub + dev infra), Asad Khalid (HubSpot + vendor BAA status + Google Workspace), Ian Friend (HubSpot + agent comms).

Purpose

Establish the operational cadence the Access Control Policy and the SOC 2 evidence window require. This is the first quarterly review; subsequent reviews append rows to the same checklist below (one column per quarter).

Identity-domain assignment review

AWS — SSO assignments (per Access Control Policy AWS SSO permission sets)

Person | Permission set | Account(s) | Last login | Verified in scope this quarter
Taha Abbasi | admin + power_user | mgmt + prod + staging + log-archive | Active daily | ✅ — sole admin; risk R-001 tracked for second-principal provisioning
Asad Khalid | billing_ro | mgmt | (TBD — to confirm at review close) | (pending verification at close)
Ian Friend | (none in AWS today) | n/a | n/a | n/a

Atlas — Org members (per atlas-access-matrix.md)

To verify at close-out:

  • Atlas org askflorence members: confirm only Taha + any active service principals (Atlas API keys for CI)
  • Custom roles unchanged from ADR 0003 baseline (role_writer_survey, role_writer_plans, role_writer_agents, role_admin_agents, role_audit_reader, role_reader_reference)
  • app_read_staging user on staging project: verify exactly one role (role_reader_reference@admin); verify nightly drift check (scripts/audit/staging-cluster-drift.ts) has been passing every day this quarter
  • Prod project legacy app-write user: confirm still present (production exit criterion of ADR 0003); confirm tracked as risk R-006 for removal
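As an added illustration of the role-drift check the Atlas bullets describe (example code, not the project's own scripts/audit/staging-cluster-drift.ts, which is not on this page), the following TypeScript compares a database-user listing against the baseline and reports every deviation. The user-document shape is an assumed, simplified form of the Atlas Admin API response; the sample listings are constructed here, while the user name and expected role come from the checklist above.

```typescript
// Added example (not the project's drift script): compare an Atlas database-user
// listing against the expected baseline and report drift. The user document
// shape is a simplified, assumed form of the Atlas Admin API response.
interface AtlasRole { roleName: string; databaseName: string }
interface AtlasDbUser { username: string; roles: AtlasRole[] }

// Baseline from the checklist: app_read_staging holds exactly one role,
// role_reader_reference on the admin database.
const STAGING_BASELINE: Record<string, string[]> = {
  app_read_staging: ["role_reader_reference@admin"],
};

const roleKey = (r: AtlasRole): string => `${r.roleName}@${r.databaseName}`;

// One finding per deviation (extra/missing role, unexpected/missing user);
// an empty array means the listing matches the baseline.
function findUserDrift(users: AtlasDbUser[], baseline: Record<string, string[]>): string[] {
  const findings: string[] = [];
  const seen = new Set<string>();
  for (const u of users) {
    seen.add(u.username);
    const expected = baseline[u.username];
    if (!expected) { findings.push(`unexpected user ${u.username}`); continue; }
    const actual = u.roles.map(roleKey);
    for (const r of actual) if (!expected.includes(r)) findings.push(`${u.username}: extra role ${r}`);
    for (const r of expected) if (!actual.includes(r)) findings.push(`${u.username}: missing role ${r}`);
  }
  for (const name of Object.keys(baseline)) if (!seen.has(name)) findings.push(`missing user ${name}`);
  return findings;
}

// Constructed sample listings so the check runs offline.
const CLEAN_LISTING: AtlasDbUser[] = [
  { username: "app_read_staging", roles: [{ roleName: "role_reader_reference", databaseName: "admin" }] },
];
const DRIFTED_LISTING: AtlasDbUser[] = [
  { username: "app_read_staging", roles: [
    { roleName: "role_reader_reference", databaseName: "admin" },
    { roleName: "readWriteAnyDatabase", databaseName: "admin" },
  ] },
  { username: "debug_tmp", roles: [{ roleName: "readAnyDatabase", databaseName: "admin" }] },
];

// A scheduled workflow would fail (and page) when findings is non-empty.
for (const listing of [CLEAN_LISTING, DRIFTED_LISTING]) {
  const findings = findUserDrift(listing, STAGING_BASELINE);
  console.log(findings.length === 0 ? "no drift" : findings.join("\n"));
}
```

In a nightly job the listing would come from the Atlas Admin API for the staging project; a non-empty result is the P1 trigger the CI drift-detection section below refers to.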

GitHub — Org membership

  • askflorencehealth org members: confirm only founders + any active contractors
  • Branch protection on main active
  • Secret scanning + push protection active
  • Dependabot alerts triaged

Google Workspace

  • Active users: founders + Asad
  • MFA enrolled on every user
  • No external sharing exceptions outstanding on team Drive folders containing sensitive content

HubSpot

  • Users: Taha + Asad + Ian + agent-relations role
  • MFA enrolled on every user
  • API access keys (for /api/waitlist agent mirror sync): confirm rotation cadence per Access Control Policy credential rotation

Vendor BAA + DPA status (per vendor register)

To verify at close-out:

  • [ ] AWS Organizations BAA (signed 2026-04-18) — still active, no amendments needed
  • [ ] Google Workspace HIPAA BAA (accepted 2026-05-01) — admin console still showing acceptance
  • [ ] MongoDB Atlas BAA — signed PDF collected per #57 (in flight; expected close-out of Asad workstream)
  • [x] PostHog — removed (#75 sub-A shipped 2026-05-12); vendor-register row marked removed. Replacement OpenPanel + GlitchTip self-hosted (ADR 0009 / ENG-347, build at #342)
  • [ ] Resend — already retired; confirm BAA evidence retained in docs/infrastructure/evidence/ for 6-year retention window
  • [ ] Vercel — already retired; same as Resend

CI drift-detection signals review

To verify at close-out:

  • [ ] staging-cluster-drift workflow has run nightly without P1-issue trigger (08:00 UTC daily)
  • [ ] staging-collections-guard workflow caught any PRs that attempted out-of-allow-list cross-cluster reads (expected: zero)
  • [ ] validate-secrets workflow caught any secrets with format issues (expected: zero post-Phase-11)

Joiners this quarter

Person | Role | Joined date | Identity domains provisioned | Onboarding-issue link
(none expected this quarter)

Movers this quarter

Person | Role change | Effective date | Access changes | Issue link
(none expected)

Leavers this quarter

Person | Last day | Identity domains revoked | Credentials rotated | Issue link
(none expected)

Allow-list + retention verification

To verify at close-out:

  • [ ] STAGING_ALLOWED_COLLECTIONS in src/lib/db.ts matches actual usage (no PRs this quarter to widen)
  • [ ] STAGING_REFERENCE_READ_COLLECTIONS in src/lib/db.ts matches actual usage
  • [ ] Atlas Mongo TTL indexes verified for agent_audit_log (when collection created in Phase 5)
  • [ ] S3 lifecycle rules verified on stateful buckets (askflorence-tfstate-*, org_cloudtrail_logs, org_config, askflorence-data)
  • [ ] CloudWatch Log Group retention configured per log group

Cost-alarm verification

To verify at close-out:

  • [ ] AWS Budgets alarms active for mgmt + prod + staging + log-archive accounts + org-total
  • [ ] Atlas billing alarm active for both projects
  • [ ] No unexplained cost-spike incidents this quarter (post the 2026-05-06 ingest-cost incident captured in docs/decisions/2026-05-09-refresh-cadence.md)

Open follow-ups carried into next quarter

(Initialize this list at close-out with anything not closed by review end.)

  • [ ] Mongo Atlas BAA signed PDF collection (#57)
  • [ ] Hardware MFA enrollment for Taha + Asad (#67)
  • [x] PostHog removal (#75 sub-A, 2026-05-12) + OpenPanel + GlitchTip self-hosted replacement (ADR 0009 / ENG-347, build at #342)
  • [ ] Second-principal AWS admin provisioning for Asad (post hardware MFA)
  • [ ] Pen test vendor RFQ (July 2026 target)
  • [ ] Compliance automation vendor sign (Drata vs Vanta; July 2026 target post-funding)
  • [ ] Privacy policy + ToS publish (#55)
  • [ ] Consent versioning (#58)
  • [ ] Unsubscribe flow (#59)

Tabletop exercise

Planned for this review per Incident Response Plan tabletop section:

Scenario: SEV-1 — a suspected PHI exposure via an Atlas-side accidental open-allowlist change at 14:00 UTC on a weekday. The drift-check is 18 hours away from firing. A founder notices unexpected Atlas-side read traffic in a customer-facing pricing query.

Walk through:

  1. Who pages whom? (IC = Taha)
  2. First containment action? (Atlas allowlist revert via Atlas UI; rotate app_read_staging password)
  3. Assessment scope — what data could have been read by an unauthorized party? Was any PHI in scope? (Note: today's prod data is non-PHI; assess what would be the case after Phase 5)
  4. Notification clock — when does the HIPAA Breach Notification Rule 60-day clock start? (At discovery, not at assessment-complete.)
  5. Remediation + post-mortem ownership.

Document outcomes + lessons learned here at review close-out.

Review close-out

Initiated: 2026-05-11 — Taha
Target close-out: 2026-07-31

Sign-off at close-out:

  • [ ] Taha Abbasi (technical reviewer)
  • [ ] Asad Khalid (org / vendor reviewer)
  • [ ] Ian Friend (HubSpot / agent comms reviewer)

The next review (2026-Q3-review.md) opens at end of close-out.

AskFlorence Internal Documentation. Not for public distribution.
