
# Runbook — Onboard Team Member

SOC 2-grade onboarding checklist. Use for every new team member (founder, employee, contractor, advisor with system access).

## Pre-arrival

| Owner | Action |
| --- | --- |
| Hiring manager (Taha or Asad) | Open a Linear / GitHub onboarding issue with role, start date, scope of access, and supervisor. Title: `[Onboarding] <name> — <start-date>` |
| Hiring manager | Decide what level of access the role requires. Default to the smallest viable set; expand by request. |
| Hiring manager | Confirm BAA-coverage scope. If the role will see PHI, confirm an Asad-signed Workforce Confidentiality Agreement is in place before Day 0. |
| Compliance Liaison (Asad) | Confirm employee acknowledgment of: Code of Conduct, Acceptable Use Policy (when written), Privacy Policy, and HIPAA Workforce Awareness brief. Even informal acknowledgment via email goes into the onboarding issue thread. |

## Day 0 — identity provisioning

| Identity domain | Action | Who | Verify |
| --- | --- | --- | --- |
| Google Workspace | Create `<firstname>@askflorencehealth.com` user; assign appropriate role / OU; require MFA enrollment within 24h | Taha (Cloud Identity admin) | User logs in successfully + MFA enrolled in admin console |
| AWS SSO | Assign appropriate permission set(s) per access-control policy at the right account(s) | Taha | User can `aws sso login` + assume the permission set |
| GitHub | Add to askflorencehealth org with appropriate team membership (Engineers, Comms, etc.) | Taha | User accepts invite + MFA enrolled (org requires it) |
| MongoDB Atlas | If role requires Atlas access: invite to Atlas org with Project Read Only or higher role per scope; explicit MFA required | Taha (Atlas org owner) | User accepts invite + MFA enrolled in Atlas |
| HubSpot | If role requires CRM access: assign appropriate role | Ian (HubSpot admin) | User logs in + MFA enrolled |
| Linear / GitHub Projects | Add to workspace + project boards relevant to role | Hiring manager | User can view + create issues |
| Local environments / dev shells | If engineering: pair on `.env.local` setup using the team password manager; never email credentials | Engineering Responder | User can run dev locally |

MFA enrollment must complete before any access is granted. If hardware MFA is in place (post #67), enrolling the YubiKey is part of Day 0.

## Day 1-7 — context + acknowledgment

| Owner | Action |
| --- | --- |
| Hiring manager | Walk through `CLAUDE.md` + `AGENTS.md` + project board + active issues |
| Hiring manager | Tour the docs site, especially `docs/security-compliance/` (this directory), so the new member knows where policies live |
| Compliance Liaison | Walk through Incident Response Plan: who pages whom, when, why |
| Compliance Liaison | Confirm BAA Workforce Awareness brief acknowledged: HIPAA = PHI handling rules; do not paste PHI into Claude, Slack, iMessage, etc.; secret-handling rules per the `CLAUDE.md` Security rules section |
| Hiring manager | If role requires Atlas write access: walk through the Atlas user provisioning runbook and the narrow-scoped-user pattern (ADR 0003) |
| Engineering Responder | If engineering: pair on first PR to validate the local dev + CI flow |

## Record-keeping

Update these files within 5 business days of Day 0:

  1. `docs/infrastructure/atlas-access-matrix.md` — if an Atlas user was added (the file is CI-synced from `infra/atlas/access-matrix.ts`; edit the source TS file and push)
  2. Quarterly access review file at docs/infrastructure/access-reviews/<year>-Q<n>-review.md — add row to the "Joiners this quarter" section
  3. Vendor / subprocessor register — no change unless the role triggers a new vendor adoption
  4. agent_audit_log collection — once Phase 5 lands, write a row per identity-domain grant. Until Phase 5: the Linear / GitHub onboarding issue + access-review row is the audit artifact.

## Onboarding-issue closeout

The onboarding Linear / GitHub issue closes when:

  • All Day-0 access provisioning verified
  • All Day-1-7 acknowledgments captured in the issue thread
  • All record-keeping updates committed
  • The hiring manager confirms the new member is operating successfully

## Special cases

### Contractors

Same Day-0 procedure. Add:

  • Time-bound access — Atlas + AWS SSO assignment specifies an expected end date. Quarterly access review confirms the assignment is still needed; revoke at end date if no extension.
  • Contractor agreement on file before any production data flows.

### Advisors with read-only access

Typically:

  • AWS SSO security_audit permission set, 4h sessions
  • Atlas: Project Read Only role on the relevant project
  • GitHub: read-only org membership

No Atlas write access. No HubSpot access. No production secrets.
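Checking recorded Day-0 grants against the rules in this runbook (MFA enrolled before any grant, contractor Atlas / AWS SSO assignments carrying an end date, advisors limited to Project Read Only and no HubSpot), as an added example that is not part of this runbook or the project's code. The `Grant` record, its field names, the `developer` permission set and the sample rows are constructed here; the project's own `agent_audit_log` schema is not documented on this page.

```python
# Added example: validate Day-0 grant records against this runbook's rules.
# Grant fields, sample rows and the "developer" permission set are constructed.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

@dataclass
class Grant:
    member: str
    role: str                    # "employee", "contractor" or "advisor"
    domain: str                  # "aws_sso", "atlas", "github", "hubspot", ...
    access: str                  # permission set / Atlas role / team as granted
    mfa_enrolled_at: Optional[datetime]  # None = MFA not yet enrolled
    granted_at: datetime
    end_date: Optional[date] = None      # expected end date (contractors)

def check_grant(g: Grant) -> list[str]:
    """Return the runbook rules this grant violates; empty means compliant."""
    problems = []
    # MFA enrollment must complete before any access is granted.
    if g.mfa_enrolled_at is None or g.mfa_enrolled_at > g.granted_at:
        problems.append("MFA not enrolled before grant")
    # Contractors: Atlas and AWS SSO assignments specify an expected end date.
    if g.role == "contractor" and g.domain in ("atlas", "aws_sso") and g.end_date is None:
        problems.append("contractor grant has no end date")
    # Advisors: Atlas Project Read Only at most, and no HubSpot access.
    if g.role == "advisor":
        if g.domain == "hubspot":
            problems.append("advisor granted HubSpot access")
        if g.domain == "atlas" and g.access != "Project Read Only":
            problems.append("advisor granted Atlas access beyond Project Read Only")
    return problems

def audit(grants: list[Grant]) -> dict[str, list[str]]:
    """Map 'member/domain' to its violations, for non-compliant grants only."""
    return {f"{g.member}/{g.domain}": p for g in grants if (p := check_grant(g))}

T0 = datetime(2026, 5, 4, 9, 0)   # constructed MFA-enrollment time
SAMPLE_GRANTS = [  # constructed Day-0 rows
    Grant("j.doe", "employee", "aws_sso", "developer", T0, datetime(2026, 5, 4, 10, 0)),
    Grant("j.doe", "employee", "github", "Engineers", None, datetime(2026, 5, 4, 10, 5)),
    Grant("c.roe", "contractor", "atlas", "Project Read Only", T0, datetime(2026, 5, 4, 11, 0)),
    Grant("a.lee", "advisor", "atlas", "Project Owner", T0, datetime(2026, 5, 4, 12, 0)),
    Grant("a.lee", "advisor", "aws_sso", "security_audit", T0, datetime(2026, 5, 4, 12, 5)),
]

if __name__ == "__main__":
    for key, probs in audit(SAMPLE_GRANTS).items():
        print(f"{key}: {'; '.join(probs)}")
```

Run against the rows recorded in the onboarding issue before closing it; any non-empty result is a grant that should not have been made yet or needs its end date recorded.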

### Founders / equity-holders

Standard procedure plus:

  • Cap-table-related access (Carta, etc.) handled by Asad separately from this runbook
  • Insurance enrollment per benefits onboarding

## Reference

  • Access Control Policy
  • Offboard Team Member runbook
  • Atlas user provisioning
  • Vendor / Subprocessor Register
  • Privacy Impact Assessment — what PII the new member will see + how to handle it
AskFlorence Internal Documentation. Not for public distribution.
