Media Inventory Logs
Effective: March 17, 2026 · DCF-388 · ISO 27001 A.5.9 / A.7.10
1. Purpose
This document maintains a complete inventory of all information assets and media used by H33.ai, Inc. in accordance with ISO 27001:2022 control A.5.9 (Inventory of information and other associated assets) and A.7.10 (Storage media). This inventory supports SOC 2 Trust Services Criteria and HIPAA Security Rule requirements for asset management (45 CFR §164.310(d)(1)).
H33.ai operates a fully cloud-based, remote-first infrastructure. No physical removable media (USB drives, external hard drives, optical discs, backup tapes) is used to store, process, or transmit sensitive data, customer data, or protected health information (PHI/ePHI). All information assets are cloud-hosted.
2. Inventory Summary
| Item | Value |
|---|---|
| Total Physical Media | 0 — None |
| Total Cloud/Digital Assets | 27 registered |
| Removable Media Permitted | Prohibited |
| Last Full Review | March 17, 2026 |
| Next Scheduled Review | June 2026 (quarterly) |
| Inventory Owner | Eric Beans, CEO/CISO |
3. Cloud Infrastructure Assets
Production compute, storage, and database resources hosted on Amazon Web Services (AWS).
| Asset ID | Asset Name | Type | Classification | Location | Custodian | Status |
|---|---|---|---|---|---|---|
| AWS-001 | H33 Production API (c8g.metal-48xl) | Compute | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-002 | RDS PostgreSQL (z101-postgres-prod) | Database | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-003 | ElastiCache Redis (l100-redis-prod) | Cache | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-004 | Auth1 Elastic Beanstalk (z101-auth-prod) | Application | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-005 | CloudFront CDN Distribution | CDN | Public | AWS Global | Eric Beans | Active |
| AWS-006 | S3 Buckets (logs, backups, artifacts) | Storage | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-007 | AWS Secrets Manager | Key Store | Restricted | AWS us-east-1 | Eric Beans | Active |
| AWS-008 | AWS KMS (encryption keys) | Key Store | Restricted | AWS us-east-1 | Eric Beans | Active |
| AWS-009 | CloudTrail (audit logs) | Logging | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-010 | CloudWatch Logs | Logging | Confidential | AWS us-east-1 | Eric Beans | Active |
| AWS-011 | ACM TLS Certificates | Certificate | Internal | AWS us-east-1 | Eric Beans | Active |
| AWS-012 | EC2 SSH Key Pairs | Key | Restricted | AWS us-east-1 | Eric Beans | Active |
4. SaaS and Third-Party Service Assets
Cloud services used for development, monitoring, compliance, and business operations.
| Asset ID | Asset Name | Type | Classification | Data Stored | BAA/DPA | Status |
|---|---|---|---|---|---|---|
| SVC-001 | GitLab (source control & CI/CD) | DevOps | Confidential | Source code, CI configs | DPA | Active |
| SVC-002 | DataDog (monitoring) | Observability | Internal | Metrics, logs, traces | DPA | Active |
| SVC-003 | Drata (compliance) | GRC | Confidential | Policies, evidence, controls | BAA + DPA | Active |
| SVC-004 | Microsoft 365 (email, docs) | Productivity | Confidential | Email, documents | BAA (HIPAA pkg) | Active |
| SVC-005 | Netlify (static hosting / CDN) | Hosting | Public | Static website files | DPA | Active |
| SVC-006 | Stripe (payments) | Financial | Restricted | Payment data (PCI scope) | DPA | Active |
| SVC-007 | Twilio (SMS/OTP) | Communications | Internal | Phone numbers, OTP logs | DPA | Active |
5. Cryptographic Key Assets
Inventory of all cryptographic key material used in H33’s post-quantum authentication pipeline.
| Asset ID | Key Type | Algorithm | Storage | Rotation | Status |
|---|---|---|---|---|---|
| KEY-001 | FHE Public/Secret Key Pairs | BFV (N=4096, 56-bit Q) | Process memory (ephemeral) | Per session | Active |
| KEY-002 | Dilithium Signing Keys | ML-DSA (FIPS 204) | AWS Secrets Manager | Annual | Active |
| KEY-003 | Kyber Key Exchange Keys | ML-KEM (FIPS 203) | Ephemeral (per session) | Per session | Active |
| KEY-004 | TLS Certificates | RSA-2048 / ECDSA | AWS ACM | Auto-renewed | Active |
| KEY-005 | JWT Signing Keys (Auth1) | RS256 | AWS Secrets Manager | Annual | Active |
| KEY-006 | Database Encryption Keys | AES-256 | AWS KMS (RDS managed) | AWS managed | Active |
| KEY-007 | S3 Encryption Keys | AES-256 (SSE-S3/SSE-KMS) | AWS KMS | AWS managed | Active |
| KEY-008 | SSH Key Pairs | Ed25519 | IAM / local (encrypted) | Annual | Active |
6. Endpoint Assets
Employee endpoint devices used to access H33 systems. All endpoints are subject to the Endpoint Security Policy.
| Asset ID | Device Type | Owner | Disk Encryption | MDM | Status |
|---|---|---|---|---|---|
| EP-001 | MacBook Pro (development) | Eric Beans | FileVault (AES-256-XTS) | Microsoft Defender for Endpoint | Active |
7. Physical Media Inventory
H33.ai does not use physical removable media for any business purpose involving sensitive data, customer data, or PHI. This section is maintained to provide explicit evidence of compliance.
| Media Type | Quantity | Contains Sensitive Data | Status |
|---|---|---|---|
| USB Flash Drives | 0 | N/A | Prohibited |
| External Hard Drives | 0 | N/A | Prohibited |
| Optical Discs (CD/DVD) | 0 | N/A | Prohibited |
| Backup Tapes | 0 | N/A | Prohibited |
| Printed Documents (PHI/ePHI) | 0 | N/A | Prohibited |
| Mobile Devices (company-issued) | 0 | N/A | None issued |
8. Data Classification Levels
All assets in this inventory are classified according to H33’s Information Classification Policy:
| Level | Description |
|---|---|
| Restricted | Cryptographic keys, credentials, secret key material. Access limited to CEO/CISO and automated systems only. Never stored on removable media. |
| Confidential | Source code, customer data, PHI/ePHI, authentication logs, database contents. Access controlled by IAM policies and least privilege. Encrypted at rest and in transit. |
| Internal | Operational metrics, monitoring data, non-sensitive communications. Available to authorized workforce members. |
| Public | Website content, documentation, blog posts, marketing materials. No access restrictions. |
9. Inventory Management Process
- New Assets: Any new information asset (cloud service, SaaS subscription, endpoint device, or cryptographic key type) must be registered in this inventory before deployment. The CISO must approve the addition and assign a classification level.
- Asset Changes: Changes to asset classification, location, or custodian must be documented within 5 business days. Changes are tracked via version history below.
- Asset Decommissioning: Decommissioned assets are marked as “Decommissioned” with the date and method of secure disposal (e.g., AWS resource deletion, key destruction, secure device wipe).
- Quarterly Review: The complete inventory is reviewed quarterly by the CISO to verify accuracy, identify unauthorized assets, and confirm classification levels remain appropriate.
- Automated Discovery: AWS Config and DataDog infrastructure monitoring provide continuous automated discovery of cloud assets. Any unregistered asset triggers an alert for investigation.
10. Media Disposal Records
No physical media disposal has occurred, as H33.ai does not use physical media for sensitive data. Cloud resource disposal is managed through AWS secure deletion procedures with cryptographic erasure.
| Date | Asset | Method | Verified By |
|---|---|---|---|
| No disposal records — no physical media in use | | | |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 17, 2026 | Eric Beans | Initial inventory creation. 27 cloud/digital assets registered. Zero physical media. All classifications assigned. |
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945