Account & Service Inventory

Status: Living document. Last updated April 11, 2026. Purpose: SOC 2 evidence for CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Infrastructure Management)


Principle: Account Isolation

All AskFlorence services run under dedicated, company-owned accounts — not personal accounts. This ensures:

  • Auditability: every account has a clear owner and access log
  • Separation: no co-mingling with personal services
  • Transferability: accounts are company assets, not tied to individuals
  • Compliance: SOC 2 requires clear system boundaries and access controls

Account Inventory

Communication & Identity

| Service | Account | Domain | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|---|
| Google Workspace | AskFlorence G Suite | askflorence.health (primary) | Taha Abbasi | Pending (waiting for Ian invite acceptance, then enforced) | Active | Alias: askflorence.co |

G Suite configuration:

  • Primary domain: askflorence.health
  • Alias domain: askflorence.co
  • MFA enforcement: pending (will be enforced org-wide once Ian accepts invite)
  • Admin console: admin.google.com
  • Purpose: company email, shared drives, calendar, identity provider

DNS & Domains

| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| Cloudflare | AskFlorence dedicated | Taha Abbasi | Enforced | Active | DNS management, CDN, DDoS protection |
| GoDaddy | AskFlorence dedicated | Taha Abbasi | Enforced | Active | Domain registration |

Domains owned:

| Domain | Registrar | Status | Purpose |
|---|---|---|---|
| askflorence.health | GoDaddy (AskFlorence account) | Transferring from personal → dedicated | Primary domain |
| askflorence.co | GoDaddy (AskFlorence account) | Transferring from personal → dedicated | Alias / redirect |

Domain transfer status: Both domains are in the process of being transferred from the personal GoDaddy account to the dedicated AskFlorence GoDaddy account. Transfer initiated April 11, 2026.

Hosting & Infrastructure

| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| Vercel | AskFlorence | Taha Abbasi | TBD | Active | Next.js frontend hosting |
| MongoDB Atlas | AskFlorence / askflorence-prod-01 | Taha Abbasi | Yes | Active | Production cluster and app-scoped DB users are now set up |
| AWS (management) | askflorencehealth (778477254880) | Taha Abbasi | Yes (root + SSO) | Active | Organizations management account. IAM Identity Center, SCPs, consolidated billing, budgets. askflorence-data S3 bucket stays here. No production workloads. See aws-organizations.md. |
| AWS (prod) | askflorence-prod (039624954211) | Taha Abbasi | SSO only | Active (created 2026-04-18) | Production workloads account. Under Prod OU. Covered by ScpBaseline (region-lock us-east-1, deny root, deny disabling CloudTrail/Config/GuardDuty/SecurityHub). Root email aws+prod@askflorence.health. |
| AWS (staging) | askflorence-staging (549136075525) | Taha Abbasi | SSO only | Active (created 2026-04-18) | Pre-prod/staging account. Under Non-Prod OU. Same SCP guardrails as prod. Root email aws+staging@askflorence.health. |
| AWS (log-archive) | askflorence-log-archive (754660694122) | Taha Abbasi | SSO only | Active (created 2026-04-18) | Centralized audit logging account. Under Security OU. Will hold org-wide CloudTrail, Config aggregation, WAF logs, VPC Flow Logs (Phase 2 of AWS migration). Root email aws+log-archive@askflorence.health. |
| AWS S3 | askflorencehealth (778477254880) | Taha Abbasi | Yes (root + SSO) | Active | askflorence-data bucket, source file audit trail. Stays in management account. |
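For reference, an SCP document that implements the three ScpBaseline guardrails named above (region lock to us-east-1, deny root, deny disabling CloudTrail/Config/GuardDuty/Security Hub), attached to the Prod and Non-Prod OUs. This is an added illustration written for this page, not the project's actual ScpBaseline policy; the list of global services exempted from the region lock and the exact set of denied actions are assumptions and would be tuned to the real deployment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideUsEast1",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "account:*", "budgets:*",
        "route53:*", "cloudfront:*", "support:*", "health:*", "ce:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "us-east-1" }
      }
    },
    {
      "Sid": "DenyRootUserInMemberAccounts",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "DenyDisablingSecurityTelemetry",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
        "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "guardduty:DeleteDetector", "guardduty:UpdateDetector",
        "guardduty:DisassociateFromMasterAccount",
        "securityhub:DisableSecurityHub", "securityhub:DeleteMembers",
        "securityhub:DisassociateFromMasterAccount"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs never apply to the management account itself, which is why the root user there still needs hardware MFA and break-glass controls rather than a policy deny.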

Code & Development

| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| GitHub | askflorencehealth org | Taha Abbasi | TBD | Active | Source code, issues, CI/CD |

Third-Party APIs

| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| CMS Marketplace API | API key in .env.local | Taha Abbasi | N/A (API key) | Active | Federal marketplace plan data |
| Resend | AskFlorence | Taha Abbasi | TBD | Active | Transactional email, waitlist |
| PostHog | AskFlorence | Taha Abbasi | TBD | Active | Product analytics |

MFA Status Summary

| Account | MFA Status | Method | Date Enabled |
|---|---|---|---|
| Cloudflare | Enforced | TBD | April 11, 2026 |
| GoDaddy | Enforced | TBD | April 11, 2026 |
| G Suite | Pending enforcement | — | Pending Ian invite acceptance |
| GitHub | TBD | — | — |
| Vercel | TBD | — | — |
| MongoDB Atlas | TBD (Issue #46) | — | Not yet created |
| AWS | TBD | — | Not yet created |

Target: MFA enforced on 100% of accounts. No exceptions.


Access Control

Current Access

| Person | Role | Accounts with Access |
|---|---|---|
| Taha Abbasi | Founder / Admin | All accounts |
| Ian | Partner | G Suite (pending invite acceptance) |

Access Grant Process

  1. New team member requests access via Taha
  2. Account created with minimum necessary permissions
  3. MFA enrolled before access is granted
  4. Access documented in this inventory
  5. Git commit records the change with timestamp

Access Revocation Process

  1. Remove from all service accounts immediately
  2. Rotate any shared credentials the person had access to
  3. Update this inventory document
  4. Git commit records the revocation with timestamp

Domain Transfer Log

| Date | Action | From | To | Domain | Status |
|---|---|---|---|---|---|
| April 11, 2026 | Transfer initiated | GoDaddy (personal) | GoDaddy (AskFlorence dedicated) | askflorence.health | In progress |
| April 11, 2026 | Transfer initiated | GoDaddy (personal) | GoDaddy (AskFlorence dedicated) | askflorence.co | In progress |

SOC 2 Control Mapping

| Control | Evidence |
|---|---|
| CC6.1 (Logical Access) | This document — account inventory with owners and MFA status |
| CC6.2 (Credentials) | MFA status table, credential rotation notes |
| CC6.3 (Access Removal) | Revocation process documented above |
| CC6.6 (System Boundaries) | Account isolation principle, dedicated accounts per service |
| CC7.1 (Infrastructure) | Full service inventory with status |
| CC8.1 (Change Management) | Domain transfer log, git history of this document |

Action Items

  • [ ] Enforce MFA on G Suite once Ian accepts invite
  • [ ] Confirm MFA on GitHub org
  • [ ] Confirm MFA on Vercel
  • [ ] Complete domain transfers (askflorence.health, askflorence.co)
  • [ ] Set up MongoDB Atlas (Issue #46) with MFA
  • [ ] Set up AWS account with MFA + root account lockdown
  • [ ] Fill in MFA method column (authenticator app, hardware key, etc.)
  • [ ] Review and update this document quarterly
AskFlorence Internal Documentation. Not for public distribution.