Purpose. Identifies the information and associated assets within the ISMS scope,
their owners, classification and criticality (ISO/IEC 27001:2022 A.5.9). This
inventory is the input to the Risk Assessment (ISMS-DOC-06-2/06-3): risks are
assessed against these assets.
Status: DRAFT. Assets are drawn from Soon's real environment. Several owners and
a few vendor/residency details are marked TODO(owner) and must be confirmed before
approval. Review quarterly and on any significant infrastructure change.
Classification scale: Public · Internal · Confidential · Restricted.
Criticality (C/I/A): H = high, M = medium, L = low for Confidentiality / Integrity
/ Availability.
⚠️ Flags for the owner to resolve (important)
- Multi-cloud vs "entirely AWS" customer statement. Assets show AWS (prod) + Azure (dev) + GCP (Compute, Storage, Secret Manager). The customer-facing Security Overview says Soon is "hosted entirely on Amazon Web Services." TODO(owner): reconcile — either correct the Security Overview or document Azure/GCP as in-scope with their regions, especially for EU data residency (GDPR) claims.
- Customer data outside prod? TODO(owner): confirm dev/test on Azure/GCP use masked/synthetic data only (links to A.8.11 Data Masking, A.8.33 Test information). If real customer data touches dev, residency and access change.
- AI tooling processes source code. Cursor, ChatGPT, Gemini, Grok and OpenAI are in use. Source code / data sent to these is a confidentiality + sub-processor concern. TODO(owner): define acceptable use in the AI-tooling section of the Acceptable Use / Secure Development policies; confirm no secrets or customer PII are pasted into consumer AI tools.
- BYOD / privately-owned hardware is the endpoint reality (laptops, phones, home internet). Central risk for a remote company — driven by the BYOD, Mobile Device and Remote Working policies.
- "Knab" is a high-value dedicated tenant (separate RDS/DB/environment). Treat as high-profile in the risk assessment.
A. Information assets
| ID | Asset | Description | Owner | Class. | C/I/A |
|---|---|---|---|---|---|
| INF-01 | Customer workforce & PII | Employee names, emails, schedules, leave, remote-work & optional location data processed for customers (Soon = data processor) | TODO(owner) | Restricted | H/H/H |
| INF-02 | Scheduling & forecasting data | Operational planning, auto-scheduling, forecasting datasets | TODO(owner) | Confidential | M/H/H |
| INF-03 | Customer account & config data | Tenant settings, roles, integrations config | TODO(owner) | Confidential | M/H/M |
| INF-04 | Authentication & secrets | Credentials, API keys, tokens, signing keys (in GCP Secret Manager / AWS) | TODO(owner) | Restricted | H/H/H |
| INF-05 | Payment & billing data | Subscription/billing records; card data handled by Stripe (Soon stores no PAN) | TODO(owner) | Restricted | H/H/M |
| INF-06 | Source code & IaC | Soon application + infrastructure code (GitHub / Bitbucket) | Eng lead (TODO) | Confidential | H/H/M |
| INF-07 | Business & financial records | Contracts, finance, HR records | TODO(owner) | Confidential | M/M/M |
| INF-08 | ISMS documentation & records | This repo; policies, risk, audit, evidence references | Olaf Jacobson | Protected | M/H/M |
| INF-09 | Logs & monitoring data | Application/infra logs (CloudWatch, Sentry) — may contain personal data | TODO(owner) | Confidential | M/M/M |
B. Application & service assets (Soon-built)
| ID | Asset | Description | Owner | Class. | C/I/A |
|---|---|---|---|---|---|
| SVC-01 | soon-server (Production) | Core WFM backend (prod) | Eng lead (TODO) | Confidential | H/H/H |
| SVC-02 | soon-server (Knab) | Dedicated environment for Knab tenant | Eng lead (TODO) | Restricted | H/H/H |
| SVC-03 | frontend | Customer-facing web app (hosted on Netlify) | TODO(owner) | Internal | M/H/H |
| SVC-04 | soon-integrations | Integration services to third-party platforms | TODO(owner) | Confidential | M/H/M |
| SVC-05 | soon-connect | Connectivity service | TODO(owner) | Confidential | M/H/M |
| SVC-06 | solver / soon-intrasolver | Auto-scheduling / optimisation engines | TODO(owner) | Confidential | M/H/M |
| SVC-07 | serverless-subscription | Subscription/billing logic (serverless) | TODO(owner) | Confidential | M/H/M |
| SVC-08 | intercron | Scheduled job runner | TODO(owner) | Internal | L/M/M |
| SVC-09 | redis | Cache / queue | TODO(owner) | Internal | M/M/M |
| SVC-10 | soondb (production) / knab-soondb | Application databases (per tenant) | TODO(owner) | Restricted | H/H/H |
C. Infrastructure & cloud assets
| ID | Asset | Description | Owner | Class. | C/I/A |
|---|---|---|---|---|---|
| CLD-01 | AWS account (eu-west-1) | Primary production cloud: Fargate, ECS, ECR, Lambda, S3, SES, CloudWatch | TODO(owner) | Restricted | H/H/H |
| CLD-02 | AWS RDS MySQL | rds-soon-soon-prd, rds-knab-soon-prd — production databases | TODO(owner) | Restricted | H/H/H |
| CLD-03 | Azure | soon-server dev, soon-server-db (development environment) | TODO(owner) | Confidential | M/M/M |
| CLD-04 | GCP | Compute Engine, Cloud Storage, Secret Manager | TODO(owner) | Restricted | H/H/M |
| CLD-05 | Netlify | Frontend hosting/CDN | TODO(owner) | Internal | L/M/H |
D. Third-party services & sub-processors (integrations / "app uses")
These are supplier/cloud assets — manage under A.5.19–A.5.23. TODO(owner): confirm which process customer personal data (sub-processors needing a DPA) and the data residency of each.
| ID | Asset | Purpose | Personal data? | Class. |
|---|---|---|---|---|
| SUP-01 | Stripe | Payments / subscriptions (PCI DSS) | Billing PII | Confidential |
| SUP-02 | WorkOS | Enterprise SSO/SAML | Auth identifiers | Confidential |
| SUP-03 | Intercom | Customer support / messaging | Yes | Confidential |
| SUP-04 | Zendesk | Support ticketing | Yes (TODO confirm in-use) | Confidential |
| SUP-05 | Cloudinary | Image/media hosting | Possibly | Internal |
| SUP-06 | OpenAI | AI features in product | TODO(owner) confirm data sent | Confidential |
| SUP-07 | Sentry | Error tracking | Possibly (in stack traces) | Confidential |
| SUP-08 | Microsoft Clarity | Product analytics | Behavioural | Internal |
| SUP-09 | Databox | BI / reporting | Aggregated | Internal |
| SUP-10 | Aikido (Akido) | Security / vulnerability scanning | No | Internal |
| SUP-11 | Google / Outlook Calendar | Calendar integrations | Yes | Confidential |
| SUP-12 | Unexus / Genesys / Evolve | Contact-centre / telephony integrations | Customer-dependent | Confidential |
| SUP-13 | Google Workspace (Drive/Docs/Sheets) | Internal collaboration & documents | Yes | Confidential |
| SUP-14 | Slack | Internal communication | Internal | Confidential |
| SUP-15 | GitHub / Bitbucket | Source control + CI/CD | Source code | Confidential |
| SUP-16 | Figma / Miro / Loom / Hex | Design, whiteboarding, video, data notebooks | Varies | Internal |
E. End-user / endpoint assets
| ID | Asset | Description | Owner | Class. | C/I/A |
|---|---|---|---|---|---|
| END-01 | Laptops / desktops | Privately-owned (BYOD); used for all work | Each user | Confidential | M/M/M |
| END-02 | Mobile devices | Privately-owned phones/tablets (MFA, mail, Slack) | Each user | Confidential | M/M/M |
| END-03 | Home internet connections | Personal ISPs used for remote work | Each user | n/a | L/L/M |
| END-04 | MFA / authenticators | Google Authenticator etc. for account protection | Each user | Restricted | H/M/M |
F. People & knowledge
| ID | Asset | Description | Class. |
|---|---|---|---|
| PPL-01 | Team members / contractors | Founders, engineers, contractors (ZZP) — hold knowledge & access | Internal |
| PPL-02 | Andrea Cardinali (external) | Security consultant (CyberSquad) with repo access | Internal |
| PPL-03 | Key-person knowledge | Undocumented operational know-how (single points of knowledge) | Confidential |
Change log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | 2026-06-25 | Andrea Cardinali / ISMS | First draft from Soon's real asset list; owners and several vendor/residency details flagged TODO(owner). |