Supplier Risk — Africa Watch

Supplier Register

ID	Supplier	Service	Tier	Inherent Risk	Status	Owner	Last Review
SUP-001	Oracle Cloud	Cloud infrastructure — compute, networking, storage	Critical	High	Active	DevOps/SRE	2026-05
SUP-002	OpenRouter	LLM API gateway — intelligence briefing generation	Critical	High	Active	Backend Eng.	2026-05
SUP-003	Brevo (Sendinblue)	Transactional email — MFA codes, user notifications	Critical	Medium	Active	Backend Eng.	2026-05
SUP-004	Tavily	News search API — primary event data ingestion	High	Medium	Active	Data/Intel Lead	2026-05
SUP-005	GDELT Project	Open source geopolitical event database — fallback data source	Medium	Low	Active	Data/Intel Lead	2026-05
SUP-006	YouTube Data API	Video content search — social signal enrichment	Medium	Low	Active	Data/Intel Lead	2026-05
SUP-007	Stripe	Payment processing — subscription billing	High	Medium	Active	CISO / Founder	2026-05
SUP-008	GitHub	Source code hosting, CI/CD pipeline (Actions)	High	Low	Active	Engineering Lead	2026-05
SUP-009	Namecheap / DNS	Domain registrar and DNS for africaiswatching.org	Critical	Low	Active	DevOps/SRE	2026-05

Supplier

Service

Tier

Inherent Risk

Status

Owner

Last Review

Notes

SUP-001

Oracle Cloud

Cloud infrastructure — compute, networking, storage

Critical

High

Active

DevOps/SRE

2026-05

SUP-002

OpenRouter

LLM API gateway — intelligence briefing generation

Critical

High

Active

Backend Eng.

2026-05

SUP-003

Brevo (Sendinblue)

Transactional email — MFA codes, user notifications

Critical

Medium

Active

Backend Eng.

2026-05

SUP-004

Tavily

News search API — primary event data ingestion

High

Medium

Active

Data/Intel Lead

2026-05

SUP-005

GDELT Project

Open source geopolitical event database — fallback data source

Medium

Low

Active

Data/Intel Lead

2026-05

SUP-006

YouTube Data API

Video content search — social signal enrichment

Medium

Low

Active

Data/Intel Lead

2026-05

SUP-007

Stripe

Payment processing — subscription billing

High

Medium

Active

CISO / Founder

2026-05

SUP-008

GitHub

Source code hosting, CI/CD pipeline (Actions)

High

Low

Active

Engineering Lead

2026-05

SUP-009

Namecheap / DNS

Domain registrar and DNS for africaiswatching.org

Critical

Low

Active

DevOps/SRE

2026-05

Detailed Risk Assessments

SUP-001 · Oracle Cloud Infrastructure High Risk Critical Tier

Risk Description

The entire platform runs on a single Oracle Cloud Compute instance (129.213.103.188). Any OCI outage, zone failure, account suspension, or billing lapse would take Africa Watch fully offline.

Risk Factors

Single instance — no redundancy or failover
Platform is in Always Free tier; resource limits could be changed by Oracle with notice
No automated snapshot or AMI-equivalent backup of the compute instance
Oracle Cloud less widely used than AWS/GCP — smaller ecosystem of support resources

Current Controls

Daily SQLite backup to /opt/africa-watch/backups/ with 14-day retention (CTL-017)
Full escrow bundle script (scripts/escrow-backup.sh) for complete server recovery
PM2 process manager with auto-restart on crash
Docs: oracle-recovery-checklist.md in repository

Contingency Plan: If OCI instance fails, provision a new Ubuntu VM on any cloud provider, clone repo from GitHub, restore database from latest backup, update DNS A record. Target RTO: 4 hours. Run backup-verify.js to confirm backup integrity monthly.

SUP-002 · OpenRouter (LLM Gateway) High Risk Critical Tier

Risk Description

OpenRouter provides access to multiple LLM providers (Claude, GPT-4, Gemini) through a single API. Outage, rate limiting, pricing changes, or model deprecation directly impacts the intelligence briefing feature — a core product differentiator.

Risk Factors

Single API key — no rotation or backup key
Dependence on upstream model providers (Anthropic, OpenAI) beyond OpenRouter's control
Prompt injection via malicious article content could degrade output quality
Model output quality varies by model version — silent degradation is hard to detect
Usage costs scale with feature adoption

Current Controls

In-memory cache (_explainCache) reduces API calls for repeated analysis
sanitizePromptInput() blocks known injection patterns (CTL-009)
Graceful degradation: if LLM call fails, UI shows "Analysis unavailable" — feed continues working
Model specified in config — can switch model without code change

Contingency Plan: Switch OPENROUTER_KEY to a direct Anthropic API key (claude-sonnet-4-6) — llm-analysis.js supports this. If OpenRouter is down: disable the /explain endpoint temporarily via feature flag. Alternative: cache last-known briefings and surface as "last updated X hours ago".

SUP-003 · Brevo (Transactional Email) Medium Risk Critical Tier

Risk Description

Brevo SMTP (smtp-relay.brevo.com) delivers MFA codes and account notifications. If email delivery fails, users cannot complete login via MFA — effectively a platform lockout.

Risk Factors

MFA delivery failure = users cannot log in (service disruption)
Brevo free tier has daily sending limits
Deliverability issues (spam filtering) could silently block MFA codes
Single SMTP configuration — no fallback provider configured

Current Controls

Switched from Outlook SMTP to Brevo May 2026 — improved reliability
MFA codes expire after 10 minutes — reduces replay window
Admin can bypass MFA for emergency access (documented in HANDOVER.md)

Contingency Plan: If Brevo fails: switch SMTP_HOST to smtp.sendgrid.net (SendGrid) — requires new API key. Admin can temporarily disable MFA requirement for login. Consider adding a secondary SMTP provider as warm standby. Target switch time: 30 minutes.

SUP-004 · Tavily Search API Medium Risk High Tier

Risk Description

Tavily provides the primary news and web search results that feed the Live Incident Feed and social search. Outage or API changes would degrade data freshness.

Risk Factors

Primary data source — no Tavily = no new events in feed
Rate limits on the current plan could be hit during high-activity periods (e.g. major African security event)
Result quality and coverage of African news could vary

Current Controls

GDELT (SUP-005) serves as a fallback data source
topicScore() and isGeoRelevant() filters prevent bad data from being displayed even during degraded API responses
In-memory event cache means the feed doesn't go empty immediately on API failure

Contingency Plan: If Tavily is unavailable: GDELT fallback activates automatically. Monitor dropped_geo/topic counters for quality degradation. For extended outage, consider NewsAPI or Bing News Search API as alternate source — both require only a key swap.

SUP-007 · Stripe (Payments) Medium Risk High Tier

Risk Description

Stripe handles subscription billing. Outage doesn't affect platform access (access is JWT-controlled) but prevents new subscriptions and renewals.

Risk Factors

Revenue impact during outage — no new subscriptions can be processed
Stripe account requires KYC/verification — suspension risk if flagged
Webhook delivery failures could result in subscriptions not being activated
PCI DSS scope: Stripe handles card data directly (no card data touches Africa Watch servers)

Current Controls

Stripe Checkout hosted pages — no card data on Africa Watch servers (PCI scope minimised)
WEBHOOK_SIGNING_KEY validates all incoming Stripe webhook events (CTL-010)
Manual invoice creation available via /admin/invoices as fallback for offline sales

Contingency Plan: If Stripe is unavailable: direct bank transfer + manual invoice workflow. Customers can be granted access manually via admin panel while payment is arranged. For webhook failures: Stripe retries automatically for 72h; manual reconciliation via Stripe dashboard.

SUP-009 · Domain & DNS (Namecheap) Low Risk Critical Tier

Risk Description

africaiswatching.org is registered with Namecheap. DNS failure or domain expiry would make the platform unreachable even if the server is healthy.

Risk Factors

Domain expiry — if auto-renew fails, platform goes offline
DNS propagation delays if A record needs updating (OCI IP change)
Account takeover of Namecheap account = full domain hijack

Current Controls

Auto-renew enabled on Namecheap — set calendar reminder 30 days before expiry
Domain registrar account protected with strong password + 2FA
A record documented in HANDOVER.md for disaster recovery

Contingency Plan: If DNS fails: update A record to new server IP (takes up to 48h to propagate globally). Emergency: communicate direct IP access to key users while DNS resolves. Domain expiry: renew immediately — Namecheap provides 30-day grace period.

Review Schedule & Actions

Scheduled Reviews & Open Actions

Supplier	Review Type	Due Date	Owner
SUP-001 Oracle Cloud	Disaster recovery test — restore from backup	2026-07-01	DevOps/SRE
SUP-002 OpenRouter	Confirm direct Anthropic API fallback still works	2026-07-01	Backend Eng.
SUP-003 Brevo	Test SendGrid failover SMTP configuration	2026-07-15	Backend Eng.
SUP-007 Stripe	Review webhook delivery success rate in Stripe dashboard	2026-06-30	CISO / Founder
SUP-009 DNS	Confirm domain auto-renew active; check expiry date	2026-06-30	DevOps/SRE
All suppliers	Annual full register review — update risk ratings	2027-05-01	CISO / Founder

Risk Rating Methodology

Inherent risk is rated on two axes: Likelihood (probability of supplier disruption) × Impact (consequence to Africa Watch operations).

Rating	Likelihood	Impact	Review Cadence
High	Likely within 12 months	Platform outage or data loss	Quarterly
Medium	Possible within 12 months	Degraded functionality	Semi-annual
Low	Unlikely within 12 months	Minor inconvenience	Annual

Tier definitions: Critical = no viable short-term alternative; High = alternative exists but requires significant effort; Medium = multiple alternatives readily available.

Supplier Risk Register

Supplier Register

Detailed Risk Assessments

Risk Description

Risk Factors

Current Controls

Risk Description

Risk Factors

Current Controls

Risk Description

Risk Factors

Current Controls

Risk Description

Risk Factors

Current Controls

Risk Description

Risk Factors

Current Controls

Risk Description

Risk Factors

Current Controls

Review Schedule & Actions

Risk Rating Methodology