User Data Inventory
|
|
| Version |
1.0 |
| Date |
2026-05-20 |
| Owner |
Dominick Pham (dominick@qwestly.com) |
| Classification |
Internal — SOC2 Evidence |
Executive Summary
This document inventories all resources that contain user data within Qwestly's infrastructure. The inventory includes custom items tracked in Vanta plus standard resource categories populated by integrations. Each item is documented with the type of data it stores, its purpose, and whether it contains user data as defined by SOC2 criteria.
SOC2 TSC Mapping
| Criteria |
Relevance |
| CC6.1 |
Logical and physical access controls — inventory forms the basis for scoping access controls |
| CC6.2 |
System boundaries and data classification — inventory defines where user data lives |
| CC6.3 |
Access control systems and procedures — inventory items are subject to access reviews |
Inventory Items Containing User Data
MongoDB Atlas Cluster
| Field |
Detail |
| Type |
Custom item (NoSQL database — also detected as standard resource) |
| Contains User Data |
Yes |
| Owner |
Dominick Pham |
| Details |
Primary production database. Stores all user data including PII (name, email), user preferences, career interest fields, uploaded documents parsed to text, LinkedIn profile data, and all other user-provided content. |
| Description |
Primary production database for the Qwestly application. All user-facing features read from and write to this cluster. |
Auth0 Tenant
| Field |
Detail |
| Type |
Custom item |
| Contains User Data |
Yes |
| Owner |
Dominick Pham |
| Details |
User name and email address. Auth0 serves as the identity provider and stores basic profile information per user. |
| Description |
Identity provider for the Qwestly application. Handles user authentication via SAML SSO and stores basic profile information (name, email). |
LangSmith
| Field |
Detail |
| Type |
Custom item |
| Contains User Data |
Yes |
| Owner |
Dominick Pham |
| Details |
LLM observability traces that may contain user data fed into prompt inputs. Since prompts can include data sourced from the primary database (user preferences, career fields, uploaded document text, LinkedIn profile data), traces may contain the full range of user data. |
| Description |
LLM observability and debugging platform used to monitor, trace, and evaluate AI/LLM prompt execution. |
Resources Not Containing User Data
The following systems are in scope for Qwestly's operations but do not store user data at rest:
| Resource |
Rationale |
| GitHub repositories |
Source code and deployment config only. Code queries user data at runtime but does not persist it in the repository. |
| Vercel |
Hosting and deployment platform. No persistent data storage — ephemeral runtime only. |
| 1Password |
Credential management. Stores secrets, not user data. |
| Asana |
Task tracking. May contain incidental references but is not a user data store. |
| Slack |
Team communication. May contain incidental references but is not a user data store. |
| Supabase |
Used as database backend. User data handled through the primary MongoDB Atlas cluster; Supabase serves auth and API logging. |
Evidence Location
- Vanta Inventory:
https://app.vanta.com/c/qwestly.com/inventory#other — Custom items section lists all three items above with user data classification
- Vanta Standard Resources: MongoDB Atlas is also detected as a NoSQL database under Standard resources
Testing & Validation
| Check |
Result |
Date |
By |
| Custom items created in Vanta and marked as containing user data |
Confirmed |
2026-05-20 |
Dominick Pham |
| All three items assigned to owner for accountability |
Confirmed |
2026-05-20 |
Dominick Pham |
| Standard resources reviewed; gaps identified and covered by custom items |
Confirmed |
2026-05-20 |
Dominick Pham |
Continuous Improvement
- Inventory items will be reviewed quarterly as part of the broader access review cycle
- New systems deployed that could store user data will be added to the inventory at deployment time
- Changes to what data existing systems store (e.g., LangSmith data retention changes) should trigger an update to this inventory