Information Asset Register
- Document ID: REG-001
- Document owner: Jan Marc Castlunger (ISO)
- Classification: Confidential
- Version: 1.0
- Last updated: March 2026
- Next review: March 2027
- Frameworks: ISO 27001 (A.5.9, A.5.12) | SOC 2 (CC6.1)
Classification Scheme
| Level | Description | Examples |
|---|---|---|
| 🔴 Top Secret | Highest sensitivity — breach would cause severe harm | Government ID images, private keys |
| 🟡 Confidential | Sensitive business/personal data | OCR data, API keys, source code, HR data |
| 🔵 Internal | Non-public operational information | Infrastructure configs, internal docs |
| ⚪ Public | Approved for external disclosure | Public API docs, marketing |
See also: Data Classification Policy
Asset Register
| ID | Asset | Type | Classification | Owner | Location | Notes |
|---|---|---|---|---|---|---|
| A01 | Government ID scan images | Data | 🔴 Top Secret | Jan Marc Castlunger (ISO) | Azure — transient, not persisted | Processed in memory only; never written to disk |
| A02 | Extracted OCR data (name, DOB, ID no.) | Data | 🟡 Confidential | Jan Marc Castlunger (ISO) | Azure — API response only | Returned to customer; not retained by Quick-ID |
| A03 | Customer API keys & credentials | Data | 🟡 Confidential | Jan Marc Castlunger (ISO) | Azure Key Vault | Customer-managed rotation; never stored in code |
| A04 | Employee personal data (HR records) | Data | 🟡 Confidential | Sebastian Windeck (DPO) | Google Workspace | GDPR Article 9 data minimisation applies |
| A05 | Quick-ID source code & algorithms | Intellectual Property | 🟡 Confidential | Sebastian Windeck (CTO) | GitHub (private repos) | Branch protection + MFA enforced |
| A06 | Azure cloud infrastructure | Infrastructure | 🔵 Internal | Jan Marc Castlunger (ISO) | Microsoft Azure EU | Security Center active; RBAC enforced |
| A07 | GitHub repositories | Infrastructure | 🔵 Internal | Sebastian Windeck (CTO) | GitHub.com | Private; MFA required; SAST on all PRs |
| A08 | Google Workspace | System | 🔵 Internal | Jan Marc Castlunger (ISO) | Google Cloud EU | MFA enforced; DPA signed |
| A09 | Customer contracts & DPAs | Documentation | 🟡 Confidential | Sebastian Windeck (DPO) | Google Drive | Access restricted to DPO + CEO |
| A10 | ISMS documentation | Documentation | 🟡 Confidential | Jan Marc Castlunger (ISO) | GitHub (this repo) + controlled copies | Version-controlled; access logged |
| A11 | Azure monitoring & log data | Data | 🔵 Internal | Jan Marc Castlunger (ISO) | Azure Monitor / AKS rolling logs | 30-day rolling retention; extension to 90+ days planned Q2 2026 |
| A12 | SSL/TLS certificates & private keys | Data | 🔴 Top Secret | Sebastian Windeck (CTO) | Azure Key Vault | Auto-rotation enabled; expiry monitoring active |
| A13 | Customer error images (debugging) | Data | 🟡 Confidential | Sebastian Windeck (CTO) | Email (Google Workspace) | Customer-consented; max 7-day retention; deleted after processing |
| A14 | Quick-ID API (app.quick-id.com) | System | 🔵 Internal | Sebastian Windeck (CTO) | Azure AKS (Germany West Central) | Swagger docs behind login; status page at /health/ |
| A15 | Azure Database for PostgreSQL | Infrastructure | 🟡 Confidential | Sebastian Windeck (CTO) | Azure Germany West Central | Managed service; automated backups; geo-redundant |
| A16 | GDPR Art. 30 Processing Register | Documentation | 🟡 Confidential | Sebastian Windeck (DPO) | Google Drive | Record of processing activities (Verzeichnis von Verarbeitungstätigkeiten) |
Review Log
| Date | Reviewer | Changes |
|---|---|---|
| March 2026 | Jan Marc Castlunger (ISO) | Initial version — 12 assets registered |
| March 2026 | Sebastian Windeck (DPO) | Added A13 (error images), A14 (API system); updated owners |
| March 2026 | Sebastian Windeck (CTO) | Added A15 (PostgreSQL), A16 (Art. 30 register); fixed A03 key rotation, A11 log retention |
How to add a new asset
- Add a new row to the table above with the next available ID (e.g. A13)
- Assign a classification level using the scheme above
- Assign an owner and confirm the storage location
- Commit with message: `docs: add asset A13 - [asset name]`
- Update the review log