Asset Register

Inventory of information assets and their owners

Purpose

This asset register identifies and tracks all information assets within the ISMS scope, documenting ownership, classification, and protection requirements.

Last Updated: 2026-04-13
Owner: ISMS Owner
Review Frequency: Quarterly


Cryptographic Assets (Restricted)

Asset ID | Asset Name | Description | Owner | Location | Classification
CRYPTO-001 | Production Signing Keys | RedJubjub keys for credential issuance | ISMS Owner | Cloudflare KV (IS_KEYS) | Restricted
CRYPTO-002 | Production Verification Keys | Public keys for proof verification | Cryptography Specialist | JWKS (CDN) | Public
CRYPTO-003 | Shared Sandbox Issuer Identity | Multi-tenant shared issuer identity used by the docs sandbox gateway and sandbox wallet fleet (test keys for dev/sandbox). Quarterly rotation cadence. Compromise response: KV-sweep all docs-sbx-* keys in SANDBOX_DOCS_ISSUERS and all mwallet-sbx-* keys in SANDBOX_MOBILE_ISSUERS. 90-day audit retention for associated access events. | Cryptography Specialist | Cloudflare KV (sandbox env) | Internal
CRYPTO-004 | Proving Parameters | Groth16 circuit parameters | Cryptography Specialist | Git repository, CDN | Public
CRYPTO-005 | HMAC Secrets | API authentication secrets | Cryptography Specialist | Cloudflare KV | Restricted
CRYPTO-006 | DOCS_SESSION_HMAC_KEY | HMAC-SHA-256 key that signs the __Host-docs_session cookie issued by the docs sandbox gateway. Uses a kid prefix for rolling rotation on a 90-day cadence; both old and new keys retained for the full 4-hour session hard-cap window. Single-shot kid-keyed lookup, never try-both-keys. 90-day audit retention for key-use events. | Cryptography Specialist | Cloudflare Secrets Store (internal identifier redacted) | Restricted
CRYPTO-007 | DOCS_ATTESTATION_ED25519_SEED | Ed25519 seed used by the docs sandbox gateway to sign sandbox attestations (DobAttestation with session_id + client_id binding). Distinct from all production attestation seeds. Quarterly rotation, coordinated with shared sandbox issuer identity rotation. Seed held only within the AttestationSigner closure at src/docs/attestation-signer.ts; never materialised as a JS string. 90-day audit retention for sign events. | Cryptography Specialist | Cloudflare Secrets Store (internal identifier redacted) | Restricted

Infrastructure Assets

Cloud Services (Confidential)

Asset ID | Asset Name | Owner | Access Control
INFRA-001 | Cloudflare Account | ISMS Owner | 2 admins, MFA required
INFRA-002 | GitHub Organisation | ISMS Owner | Team members, admin limited
INFRA-003 | Verifier API Worker | Security Lead | Deployed via CI/CD
INFRA-004 | Issuer API Worker | Security Lead | Deployed via CI/CD
INFRA-005 | Static site serving (Cloudflare Workers Assets) | Security Lead | Deployed via Git
INFRA-006 | docs.provii.app/api/* route prefix on the provii-demos/demo-web-provii-agegate Worker. Docs sandbox gateway surface backing the interactive developer onboarding flow. Narrowed DocsEnv binding set with no DEMO_TOKEN_SECRET and no playground KVs. 90-day audit retention. | Security Lead | Cloudflare Workers (provii-demos/demo-web-provii-agegate), sandbox env
INFRA-007 | preview.docs-sandbox.provii.app origin. Styler iframe origin that renders interactive documentation widgets. Covered by a dedicated ALLOWED_DOCS_ORIGINS CORS list distinct from the playground allowlist. 90-day audit retention. | Security Lead | Cloudflare DNS + Workers (sandbox env)

KV Namespaces (Internal/Confidential)

Asset ID | Namespace | Purpose | Retention
KV-001 | VERIFIER_CONFIG | Verifier configuration | Indefinite
KV-002 | IS_KEYS | Signing keys | Until rotation + 1yr
KV-003 | IS_AUDIT_LOG | Audit events | 90 days
KV-004 | IS_CONFIG | Issuer configuration | Indefinite
KV-005 | BANS | Banned IPs/clients | Variable
KV-006 | SANDBOX_DOCS_ISSUERS | Browser gateway credential allowlist. Holds docs-sbx-* issuer client IDs minted via the docs sandbox gateway POST /api/credentials/issuer endpoint. Sandbox-only; prod-side middleware rejects docs-sbx-* prefixes across body, path, query, and auth headers. Compromise response: wrangler kv:key list --remote --prefix docs-sbx- sweep delete. 90-day audit retention for KV operations. | Sandbox-only. Entries auto-expire via 1-hour TTL on credential cache; issuer allowlist entries rotate with quarterly shared-sandbox issuer rotation.
KV-007 | SANDBOX_MOBILE_ISSUERS | Mobile wallet credential allowlist (per Decision 13). Holds mwallet-sbx-* sandbox client IDs minted for wallet developers. Deliberately disjoint from SANDBOX_DOCS_ISSUERS so a browser-side compromise does not force a mobile-wide credential wipe and vice versa. Compromise response: wrangler kv:key list --remote --prefix mwallet-sbx- sweep delete. 90-day audit retention for KV operations. | Sandbox-only. 7-day TTL on mobile install entries; issuer allowlist rotates quarterly.

Registered Intellectual Property (Confidential)

Asset ID | Type | Description | Jurisdiction | Status | Owner
IP-001 | Provisional Patent | System and Method for Privacy-Preserving Age Verification Using Zero Knowledge Proofs (AU 2026901546) | Australia | Filed 2026-02-26. PCT deadline 2027-02-26. | ISMS Owner
IP-002 | Trade Mark | PROVII WALLET (Classes 9, 42) | Australia | Filed 2026-02-22. Application number TBC. | ISMS Owner
IP-003 | Domain | provii.app | Global | Active | ISMS Owner
IP-004 | Domain | proviiwallet.au | Australia | Active | ISMS Owner
IP-005 | Domain | proviiwallet.com.au | Australia | Active | ISMS Owner
IP-006 | Domain | proviiwallet.com | Global | Active | ISMS Owner

Code & Intellectual Property (Public)

Asset ID | Repository | Description | Owner | Classification
CODE-001 | provii-crypto | ZKP implementation | Developer | Public (open source)
CODE-002 | provii-verifier | Proof verification Worker | Developer | Public (open source)
CODE-003 | provii-issuer | Credential issuance Worker | Developer | Public (open source)
CODE-004 | provii-agegate | Browser SDK | Developer | Public (open source)
CODE-005 | provii-mobile-sdk | Mobile SDK | Developer | Public (open source)
CODE-006 | provii-mobile | Provii mobile wallet (client) repository under the MaelstromAI GitHub enterprise | Developer | Public (open source)
CODE-007 | provii-verifier (hosted mode routes) | Hosted verification for simple website integrations (merged into provii-verifier) | Developer | Public (open source)
CODE-008 | admin-portal | Internal administration web portal | Developer | Public (open source)
CODE-009 | shared-portal-lib | Shared UI components for portal applications | Developer | Public (open source)
CODE-010 | provii-management | Internal platform management Worker | Developer | Public (open source)
CODE-011 | provii-credit-management | Verification credit tracking and billing Worker | Developer | Public (open source)
CODE-012 | provii-status | Status monitoring Worker | Developer | Public (open source)
CODE-013 | provii-website | Public marketing website | Developer | Public (open source)
CODE-014 | provii-docs | Public developer documentation | Developer | Public (open source)
CODE-015 | provii-demos | Integration demo applications (19 ecosystems) | Developer | Public (open source)
CODE-016 | shared-rate-limit | Shared rate limiting library (archived; replaced by per-service KV counters) | Developer | Public (open source)
CODE-017 | agegate-rust | Native SDK for server-side integrations | Developer | Public (open source)

Operational Data (Internal)

Asset ID | Data Type | Location | Retention | Owner
DATA-001 | Audit logs (including IP addresses) | Cloudflare Workers Logs (shipped to Grafana Loki), Cloudflare KV | 90 days; critical security event logs are retained for up to 365 days | Security Lead
DATA-002 | Operational telemetry | Cloudflare Workers Logs (shipped to Grafana Loki) | 90 days | Security Lead
DATA-004 | CI/CD logs | GitHub Actions | 90 days | Security Lead

Documentation Assets (Public)

Asset ID | Document | Owner | Location
DOC-001 | ISMS Documentation | ISMS Owner | maelstrom.au/trust
DOC-002 | Technical Documentation | Developer | docs.provii.app
DOC-003 | API Documentation | Developer | docs.provii.app

Access Credentials (Restricted)

Asset ID | Credential Type | Storage | Owner
CRED-001 | GitHub PATs | Password manager | Individual users
CRED-002 | Cloudflare API Tokens | GitHub Secrets (CI/CD) | Security Lead
CRED-003 | Password Manager Vault | Cloud-synced, encrypted | Individual users

Physical Assets (Varies)

Asset ID | Device Type | Owner/User | Full Disk Encryption
PHY-001 | Developer Laptop 1 | Team Member 1 | ✅ Required
PHY-002 | Developer Laptop 2 | Team Member 2 | ✅ Required

Note: Individual workstations are tracked minimally (BYOD model). Security requirements are set out in the Acceptable Use Policy.


Asset Lifecycle

New Assets

When adding an asset:

  1. Assign unique Asset ID
  2. Classify per Asset Management Procedure
  3. Assign owner
  4. Document in this register
  5. Implement appropriate controls

Changes

When an asset changes:

  • Update register within 5 business days
  • Note change in changelog below
  • Review classification if needed

Disposal

When retiring an asset:

  • Follow Data Retention Policy
  • Document disposal date and method
  • Mark as “Disposed” in register
  • Archive entry (don’t delete from history)

Asset Review Schedule

Quarterly (Jan, Apr, Jul, Oct):

  • Security Lead reviews register
  • Verify assets still exist and are correctly classified
  • Check ownership assignments
  • Update as needed
  • Document review completion

Next Review: 2026-11-21


Changelog

Date | Change | Changed By
2025-01-13 | Initial asset register created | ISMS Owner
2026-02-16 | Updated repos, ownership, and compliance validation fixes | ISMS Owner
2026-02-27 | Added registered IP assets (patent, trade mark, domains) | ISMS Owner
2026-04-13 | Added docs sandbox gateway entries: INFRA-006 (/api/* route prefix), INFRA-007 (preview.docs-sandbox.provii.app), KV-006 (SANDBOX_DOCS_ISSUERS), KV-007 (SANDBOX_MOBILE_ISSUERS), CRYPTO-006 (DOCS_SESSION_HMAC_KEY), CRYPTO-007 (DOCS_ATTESTATION_ED25519_SEED). Re-classified CRYPTO-003 as shared sandbox issuer identity with quarterly rotation and KV-sweep compromise response. | ISMS Owner

  1. Asset Management Procedure
  2. Data Retention Policy
  3. Information Security Policy

Document Information

  • Version: 1.4
  • Last Updated: 2026-05-21
  • Owner: ISMS Owner
  • Review Frequency: Quarterly
  • Next Review: 2026-11-21
  • Classification: Public