ISMS Compliance
CyFun Basic: Identify

ID.AM-2: Software platform inventory

Software platforms and applications used within the organisation are inventoried

Requirement

An inventory that reflects what software platforms and applications are being used in the organisation shall be documented, reviewed, and updated when changes occur.

Guidance

  • This inventory includes all used software, both commercial and open source, SaaS solutions and locally installed programs
  • This inventory must include all software, whether or not it is connected to the organisation's network
  • Shadow IT must be inventoried and brought under management

Our Implementation

A comprehensive software inventory is maintained as a structured evidence page, cataloguing all 31 software platforms across 7 categories:

  • Own products: 2 (NextSDS Platform, ReachLex)
  • Core business SaaS: 3 (GitHub, Microsoft Teams, Slack)
  • AI & LLM providers: 5 (OpenRouter, Google AI, OpenAI, Mistral, Hugging Face)
  • Sales & marketing: 10 (Apollo.io, Attio CRM, BetterContact, Exa.ai, Bright Data, Dub, PostHog, Ahrefs, Google Analytics, Meta Pixel)
  • Operations: 4 (Trigger.dev, Resend, Polar, IndexNow)
  • Development tools: 5 (PyCharm, WebStorm, Claude Code, DBeaver, Cursor)
  • Configured but inactive: 2 (OpenPanel, PDFRest)

Each entry includes vendor, type, data processed, users, criticality rating, and active/inactive status. Criticality ranges from Critical (2) to Low (4), with High (9) and Medium (8) in between.

  • Review cadence: Quarterly review with CTO ownership
  • Classification: CIA-rated (Medium confidentiality, High integrity, Moderate availability)

Gaps / Planned improvements:

  • Not all SaaS tools have undergone formal security assessment — particularly sales and marketing tools (NEX-349)
  • No formal vendor security questionnaire used during procurement (NEX-373)
  • Inactive integrations (SW-025, SW-026) should be removed or formally decommissioned (NEX-389)

Evidence

Implemented, L2 — Repeatable

Cross-references

Framework | Control
ISO 27001:2022 | A.5.9 — Inventory of information and other associated assets
NIST CSF | ID.AM-2
CIS Controls v8.1 | 2.1