Risk Register

Public view: risks marked visibility: public only; controlsApplied.public view.

Owner: Founder (single-owner until org grows). Last regenerated from risk-register.risks.json.

ID Risk Asset(s) affected Likelihood Impact Inherent rating Treatment Controls applied Residual rating Owner Last reviewed
R-01 Customer data exposure via application vulnerability (RLS bypass, missing ownership check, OAuth scope misuse) customer HubSpot OAuth tokens (encrypted), customer-confidential application data, audit_log JSONB M H H Mitigate A.5.15, A.5.18, A.8.2, A.8.3, A.8.5, A.8.20, A.8.21, A.8.27 M Founder 2026-05-01
R-02 Sub-processor breach (Hetzner, self-hosted Supabase containers, Mistral inference, Mollie billing) Hetzner data centre infrastructure, self-hosted Supabase persistence and auth, Mistral inference path, Mollie billing flow L H M Transfer A.5.19, A.5.20, A.5.21, A.5.22, A.5.23, A.5.34, A.7.1, A.7.2 L Founder 2026-05-01
R-03 Founder credential or endpoint compromise (laptop loss, SSH key leak, GitHub or Coolify session theft) founder workstation (macOS), SSH private key for Hetzner host, Supabase Auth admin account, GitHub repository write access, Coolify orchestration UI session M H H Mitigate A.5.17, A.5.18, A.8.1, A.8.4, A.8.5, A.8.7, A.8.18 M Founder 2026-05-01
R-04 Governance, policy, or audit lapse (single-founder concentration, change-management failure, ISMS drift) ISMS scope, policy compliance posture, release pipeline, audit cadence M M M Mitigate A.5.1, A.5.4, A.5.31, A.5.35, A.5.36, A.5.37, A.6.7, A.6.8, A.8.4, A.8.32 L Founder 2026-05-01
R-05 Cryptographic or key-management failure (TLS regression, encryption-key loss or rotation incident, weak key entropy) AES-256-GCM token encryption (TOKEN_ENCRYPTION_KEY), TLS 1.2+ at edge, OAuth flow integrity L H M Mitigate A.5.17, A.8.20, A.8.24, A.8.32, A.8.5 L Founder 2026-05-01
R-06 Coding-agent or prompt-injection compromise (agent weaponised via WebFetch / MCP outputs to exfiltrate credentials) coding-agent surface (Claude Code + MCP tools), founder workstation, production secrets at rest in Hetzner / Supabase env M M M Mitigate A.5.18, A.8.1, A.8.7, A.8.12, A.8.18 L Founder 2026-05-01
R-07 Application logic flaw (auth bypass, missing portal-ownership check, edge-function bug, server-trust violation) edge functions (~30 in production), RLS-protected tables, rate-limiting layer, tier-check layer M H H Mitigate A.5.8, A.8.2, A.8.3, A.8.8, A.8.15, A.8.21, A.8.26, A.8.27, A.8.28, A.8.29 M Founder 2026-05-01
R-08 Operational or human error during release / maintenance (single-founder BCP, missed step in incident response) release pipeline, incident-response procedure, deployment workflow M M M Accept A.5.2, A.5.30, A.6.6, A.8.6, A.8.9, A.8.17, A.8.31 L Founder 2026-05-01
R-09 Backup or recovery failure (corrupt pg_dump, restore procedure regression, retention gap) PostgreSQL daily pg_dump archive on Hetzner host, Hetzner infrastructure-level VM snapshots, documented restore procedure (RTO ≈ 1h) L H M Mitigate A.5.30, A.8.13, A.8.14 L Founder 2026-05-01
R-10 PII exposure in logs or LLM prompts (data leakage at observability or inference boundaries) edge-function structured logs, Mistral inference inputs, audit_log JSONB rows, Coolify-managed Nginx access logs M M M Mitigate A.5.34, A.8.10, A.8.11, A.8.12, A.8.15 L Founder 2026-05-01
R-11 Mollie webhook tampering or billing-flow abuse (forged subscription event, replayed checkout-status callback) Mollie webhook endpoint, subscription state in Supabase, credit / discount logic L M M Mitigate A.5.14, A.5.24, A.5.27, A.8.20, A.8.26 L Founder 2026-05-01
R-12 Supply-chain compromise (malicious npm dependency, compromised Docker base image, transitive package takeover) package-lock.json (~700 npm packages), Deno edge-function imports, Supabase official container images, GitHub Actions workflow runners L H M Mitigate A.5.21, A.8.19, A.8.30, A.8.7, A.8.8 L Founder 2026-05-01