Account & Service Inventory
Status: Living document.
Last updated: April 11, 2026.
Purpose: SOC 2 evidence for CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Infrastructure Management)
Principle: Account Isolation
All AskFlorence services run under dedicated, company-owned accounts — not personal accounts. This ensures:
- Auditability: every account has a clear owner and access log
- Separation: no co-mingling with personal services
- Transferability: accounts are company assets, not tied to individuals
- Compliance: SOC 2 requires clear system boundaries and access controls
Account Inventory
Communication & Identity
| Service | Account | Domain | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|---|
| Google Workspace | AskFlorence G Suite | askflorence.health (primary) | Taha Abbasi | Pending (waiting for Ian to accept the invite, then enforced) | Active | Alias: askflorence.co |
G Suite configuration:
- Primary domain: askflorence.health
- Alias domain: askflorence.co
- MFA enforcement: pending (will be enforced org-wide once Ian accepts invite)
- Admin console: admin.google.com
- Purpose: company email, shared drives, calendar, identity provider
DNS & Domains
| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| Cloudflare | AskFlorence dedicated | Taha Abbasi | Enforced | Active | DNS management, CDN, DDoS protection |
| GoDaddy | AskFlorence dedicated | Taha Abbasi | Enforced | Active | Domain registration |
Domains owned:
| Domain | Registrar | Status | Purpose |
|---|---|---|---|
| askflorence.health | GoDaddy (AskFlorence account) | Transferring from personal → dedicated | Primary domain |
| askflorence.co | GoDaddy (AskFlorence account) | Transferring from personal → dedicated | Alias / redirect |
Domain transfer status: Both domains are in the process of being transferred from the personal GoDaddy account to the dedicated AskFlorence GoDaddy account. Transfer initiated April 11, 2026.
Hosting & Infrastructure
| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| Vercel | AskFlorence | Taha Abbasi | TBD | Active | Next.js frontend hosting |
| MongoDB Atlas | AskFlorence / askflorence-prod-01 | Taha Abbasi | Yes | Active | Production cluster and app-scoped DB users are now set up |
| AWS | askflorencehealth (778477254880) | Taha Abbasi | Yes (root + SSO) | Active | IAM Identity Center, budget guardrail, and core infra account are set up |
| AWS S3 | askflorencehealth (778477254880) | Taha Abbasi | Yes (root + SSO) | Active | askflorence-data bucket, source file audit trail |
Code & Development
| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| GitHub | askflorencehealth org | Taha Abbasi | TBD | Active | Source code, issues, CI/CD |
Third-Party APIs
| Service | Account | Owner | MFA | Status | Notes |
|---|---|---|---|---|---|
| CMS Marketplace API | API key in .env.local | Taha Abbasi | N/A (API key) | Active | Federal marketplace plan data |
| Resend | AskFlorence | Taha Abbasi | TBD | Active | Transactional email, waitlist |
| PostHog | AskFlorence | Taha Abbasi | TBD | Active | Product analytics |
MFA Status Summary
| Account | MFA Status | Method | Date Enabled |
|---|---|---|---|
| Cloudflare | Enforced | TBD | April 11, 2026 |
| GoDaddy | Enforced | TBD | April 11, 2026 |
| G Suite | Pending enforcement | — | Pending Ian invite acceptance |
| GitHub | TBD | — | — |
| Vercel | TBD | — | — |
| MongoDB Atlas | TBD (Issue #46) | — | Not yet created |
| AWS | TBD | — | Not yet created |
Target: MFA enforced on 100% of accounts. No exceptions.
Access Control
Current Access
| Person | Role | Accounts with Access |
|---|---|---|
| Taha Abbasi | Founder / Admin | All accounts |
| Ian | Partner | G Suite (pending invite acceptance) |
Access Grant Process
- New team member requests access via Taha
- Account created with minimum necessary permissions
- MFA enrolled before access is granted
- Access documented in this inventory
- Git commit records the change with timestamp
Access Revocation Process
- Remove from all service accounts immediately
- Rotate any shared credentials the person had access to
- Update this inventory document
- Git commit records the revocation with timestamp
Domain Transfer Log
| Date | Action | From | To | Domain | Status |
|---|---|---|---|---|---|
| April 11, 2026 | Transfer initiated | GoDaddy (personal) | GoDaddy (AskFlorence dedicated) | askflorence.health | In progress |
| April 11, 2026 | Transfer initiated | GoDaddy (personal) | GoDaddy (AskFlorence dedicated) | askflorence.co | In progress |
SOC 2 Control Mapping
| Control | Evidence |
|---|---|
| CC6.1 (Logical Access) | This document — account inventory with owners and MFA status |
| CC6.2 (Credentials) | MFA status table, credential rotation notes |
| CC6.3 (Access Removal) | Revocation process documented above |
| CC6.6 (System Boundaries) | Account isolation principle, dedicated accounts per service |
| CC7.1 (Infrastructure) | Full service inventory with status |
| CC8.1 (Change Management) | Domain transfer log, git history of this document |
Action Items
- [ ] Enforce MFA on G Suite once Ian accepts invite
- [ ] Confirm MFA on GitHub org
- [ ] Confirm MFA on Vercel
- [ ] Complete domain transfers (askflorence.health, askflorence.co)
- [ ] Set up MongoDB Atlas (Issue #46) with MFA
- [ ] Set up AWS account with MFA + root account lockdown
- [ ] Fill in MFA method column (authenticator app, hardware key, etc.)
- [ ] Review and update this document quarterly