ISMS Compliance
CyFun Basic · Identify

ID.AM-3: Communication and data flows

Organisational communication and data flows are mapped


Requirement

Information that the organisation stores and uses shall be identified.

Our Implementation

Organisational communication and data flows are mapped across the platform architecture:

  • Customer-facing flow: Users access the NextSDS platform via Vercel (frontend hosting) → Supabase (database and authentication, EU region) → Modal and Trigger.dev (backend processing and background jobs)
  • Data storage: Customer SDS (Safety Data Sheet) data is stored in Supabase PostgreSQL (AWS eu-central-1, EU). Vector embeddings for AI/RAG features are stored in Qdrant. Cached data uses Upstash Redis
  • AI processing: Document analysis flows through Azure OpenAI Service and other LLM providers (OpenRouter, Mistral, Google AI) for inference and extraction
  • Internal communication: Team communication via Slack

All inter-service communication uses TLS-encrypted connections. No unencrypted data flows exist between services.

Gaps / Planned improvements:

  • No formal data flow diagram documented — architecture is described but not visually mapped (NEX-360)

Evidence

Implemented · L2 — Repeatable
