Information Asset Register — Africa Watch Admin

Africa Watch — Savvy Ventures Limited · Last reviewed: · Annex A.8 — Asset Management

Classification Legend

Confidential

PII, credentials, payment data. Restricted to named individuals. Must be encrypted at rest and in transit. Retained only as long as necessary.

Internal

Platform source code, configuration, infrastructure details. Internal team only. Not to be shared externally without authorisation.

Public

Marketing content, public API responses, static assets. No access restrictions. May be freely distributed.

Asset Register

Asset	Type	Classification	Owner	Location	Retention Period	Disposal Method	Last Reviewed
africa-watch.db	Database	Confidential	Platform Engineering	OCI Block Storage (encrypted)	Active + 90 days post-deletion	Secure delete + OCI volume wipe	2026-05
User PII (email, username)	Personal Data	Confidential	Security Lead	africa-watch.db	Active + 90 days	Anonymised on deletion	2026-05
JWT signing secret	Credential	Confidential	Platform Engineering	OCI environment variable	Rotate on suspected breach	Overwrite env var	2026-05
Stripe API keys	Credential	Confidential	Platform Engineering	OCI environment variable	Rotate annually or on breach	Revoke via Stripe dashboard	2026-05
Brevo (Sendinblue) API key	Credential	Confidential	Platform Engineering	OCI environment variable	Rotate annually	Revoke via Brevo dashboard	2026-05
Tavily / OpenRouter API keys	Credential	Confidential	Platform Engineering	OCI environment variable	Rotate annually	Revoke via provider dashboard	2026-05
Platform source code	Source Code	Internal	Platform Engineering	GitHub (private repo)	Indefinite	N/A	2026-05
audit.log	Log	Internal	Platform Engineering	OCI filesystem	30 days rolling	Log rotation (overwrite)	2026-05
Request logs (PM2 stdout)	Log	Internal	Platform Engineering	OCI filesystem	Until restart	Lost on restart (known gap — A.12)	2026-05
Stripe customer / invoice data	Payment Record	Confidential	Operations	Stripe (PCI-DSS)	Per Stripe retention policy	Managed by Stripe	2026-05
User contact data (Brevo)	Marketing Data	Confidential	Operations	Brevo platform	Active subscribers	Unsubscribe / delete via Brevo	2026-05
SSH private key (OCI access)	Credential	Confidential	Platform Engineering	Secure local storage (not in repo)	Rotate annually	Revoke in OCI console	2026-05
Africa Watch logo, static assets	Static Asset	Public	Platform Engineering	GitHub + OCI filesystem	Indefinite	N/A	2026-05

Data Retention Summary

Data Type	Retention Period	Legal Basis
User accounts (email, username, watchlist)	Active + 90 days post-deletion	Contract
Security & audit logs	30 days rolling	Legitimate Interest (security)
Invoices / billing records	7 years	Legal obligation (tax / accounting)
Backup snapshots (OCI Object Storage)	7 days rolling	Operational
LLM query logs	Not stored	N/A — queries not persisted by design

Media Handling Policy

Data at rest: All data stored on OCI Block Storage is encrypted using AES-256 (Oracle-managed encryption keys). Database backups are stored on OCI Object Storage which applies server-side encryption by default.
Data in transit: All data transmitted between users and the platform is encrypted with TLS 1.2+ (HSTS enforced).
No portable media: No Africa Watch data is stored on portable media (USB drives, external hard drives, optical discs). This prohibition applies to all personnel with access to Africa Watch systems.
Developer workstations: Workstations used to access production systems or source code must use full-disk encryption. Access to production server is via SSH key authentication only.
Disposal: When retiring cloud storage volumes, OCI volume wipe procedures are followed. Database files are securely deleted before volume release. Credentials (API keys, secrets) are revoked via provider dashboards prior to disposal.
Backups: Database backups are encrypted in OCI Object Storage. Backup integrity is verified quarterly as part of the BCP restoration drill (see BCP policy).