TnE Connect — Eidos Global tenant
TnE Connect workforce platform deployed for our own staff (Eidos Global) at eidos-global.tneconnect.app. ~30 internal users. Same product as the Fourway tenant (02) but on a separate Free Tier ADB. Acts as our internal-use deployment and as a dogfood / reference for prospective customers.
| Field | Value |
|---|---|
| Customer-facing URL | https://eidos-global.tneconnect.app |
| APEX builder vanity URL | https://apex1.projecteidos.com |
| APEX builder direct URL | [INFO NEEDED] (likely https://G8EE0CCE1DAD263-EIDOSDEV.adb.uk-london-1.oraclecloudapps.com/ords/apex — confirm) |
| Audience | Eidos Global staff — ~30 users |
| Criticality | medium-high — internal HR / workforce data, not contracted but real PII |
| Maturity | hobby/trial — mature product, hobby-grade infra |
| Owner | [INFO NEEDED] (TnE product team) |
| Last reviewed | 2026-05-07 |
1. At a glance
The Eidos Global organisation runs the TnE Connect product internally for its own staff — managing our workforce data the same way Fourway manages theirs. About 30 internal users. Same product, separate Free Tier ADB (EIDOSDev, db name Devdb) for tenant isolation, served at eidos-global.tneconnect.app. Doubles as the dogfood deployment that proves the product to prospects.
Naming note: the ADB is named `EIDOSDev` with a database name of `Devdb` — both names suggest "development", but this is in fact our production internal-staff system. Worth a rename or at least an internal note so an admin doesn't mistake it for a sandbox.
2. Business purpose
- Internal HR / workforce operations for Eidos Global staff.
- Reference / dogfood deployment that proves the TnE Connect product to prospects.
- Cost-zero (Free Tier) — fits the "internal-use, no SLA owed" risk profile.
3. Audience
- Eidos Global employees + managers — ~30 users.
- Authentication via Microsoft SSO (our own M365 tenant, separate from Fourway's).
4. Hosting & cloud infrastructure
- Cloud: Oracle Cloud Infrastructure (OCI)
- Tenancy: `EIDOSDev1`
- Compartment: [INFO NEEDED] (separate from `FOURWAY` and `UR`)
- Server: E3 — TnE Connect (Eidos) Free ADB
- Reverse proxy (vanity URL): Caddy on E1
- Customer-facing routing: `eidos-global.tneconnect.app` is fronted by E2 Traefik (apex DNS direct to E2)
Infrastructure map
| Item | Value | Notes |
|---|---|---|
| Customer-facing URL | eidos-global.tneconnect.app | DNS direct to E2 |
| APEX builder vanity URL | apex1.projecteidos.com | E1 Caddy → ADB |
| APEX builder direct URL | [INFO NEEDED] | likely the standard G8EE0CCE1DAD263-… pattern |
| ADB instance name | EIDOSDev (db name Devdb) | naming is misleading — see note above |
| ADB OCID | ocid1.autonomousdatabase.oc1.uk-london-1.anwgiljrbm2l2oianzh2yna7ppfiztei5vl3hjkrvnvw7f6xp34raja6mmiq | |
| ADB tier | Always Free | |
| ADB workload | APEX | |
| Oracle DB version | 19c — Oracle has requested migration to 26ai (KI-036) | |
| Auto-pause after 7 days idle | yes (Free Tier) | 30 active users — generally safe but no keep-alive heartbeat |
| Backup retention | 60 days Oracle automated | NOT restorable on Free Tier |
| Cross-region DR | none (single-region uk-london-1) | |
| Region | uk-london-1 | |
Credentials in Vault
Gap: Eidos tenant credentials are managed by Bradley personally, not in Vault yet. Documented as part of KI-007 (Bradley's personal Bitwarden). Should be migrated to Vault under a `kv_pe/EIDOSDEV-ATP-*` path scheme matching the Fourway tenant convention.
| Secret type | Status |
|---|---|
| Non-OCI creds (Azure SSO, email) | [INFO NEEDED] — likely in Bradley's personal store; should move to an eidos_kv/ Vault mount for symmetry with fourway_kv/ |
| ADB-level credentials (EIDOSDev ATP) | [INFO NEEDED] — likely in Bradley's personal store; should move to kv_pe/EIDOSDEV-ATP |
| Per-schema credentials | [INFO NEEDED] |
5. Technology behind it
Same TnE Connect product as the Fourway tenant — see Section 5 of the Fourway doc for:
- Source repo on Bitbucket (bitbucket.org/448_global/workforce.git)
- Microsoft SSO seeded auth scheme
- The auto-branch + AI-review + manual-deploy CI/CD workflow
The only difference is the SSO upstream — this tenant federates to our own M365 tenant, while Fourway federates to theirs.
6. Data it handles
Same data classes as the Fourway tenant — heavy PII for our own staff:
- Employee names, contact details, IDs (~30 staff records)
- Hours worked, schedules, timesheets
- Manager hierarchy / access permissions
- Whatever financial or payroll-adjacent data the product captures [CONFIRM]
GDPR scope: as the data controller for our own staff records, we owe ourselves the same data-subject rights process we'd owe an external customer. Data Protection Impact Assessment (DPIA) on this app is [INFO NEEDED].
7. External dependencies
Same as the Fourway tenant: OCI EIDOSDev1, E1 Caddy, E2 Dokploy, Bitbucket source, Vault on O1, Oracle Email Delivery.
This tenant has two Azure App Registrations in our own Project Eidos M365 tenant (MS=ms38993142) — the same tenant that Authentik upstream-federates with for the rest of the internal estate:
- OIDC SSO — for end-user sign-in into the TnE Connect APEX app.
- Microsoft Graph (delegated permissions) — used by the leave-application feature inside TnE Connect to read and write employee calendars in Outlook / Microsoft 365. When a staff member submits a leave request, the app creates / updates the corresponding Outlook calendar event automatically.
8. Authentication & access
- End-user login: Microsoft SSO via our own Azure AD tenant (i.e., the same M365 tenant Authentik already federates with for `auth.448.global`).
- APEX workspace admin: Vishnu, Bradley [CONFIRM]
- ADB ADMIN: Vishnu, Bradley
- MFA on admin layer: not enforced (KI-031)
- Bug / access requests: same JIRA-via-n8n flow as Fourway tenant
9. Maturity assessment
| Dimension | Status | Evidence |
|---|---|---|
| Backups | Hobby | Same as Fourway — Oracle 60-day, not restorable on Free Tier |
| Restore tested | Hobby | Not possible on Free Tier |
| Monitoring | Hobby | None beyond OCI built-in |
| Alerting | Hobby | None |
| Redundancy | Hobby | Free Tier; single region |
| Patching cadence | At risk | On Oracle 19c; migration to 26ai requested by Oracle (KI-036) |
| Deploy process | Trial | Same CI/CD chain as Fourway |
| Source-control | Trial | Same Bitbucket setup (KI-034) |
| Auth | Trial | M365 SSO; no admin MFA |
| Secrets handling | Hobby | Bradley's personal store, not Vault (KI-007) — gap specifically called out by Vishnu in this review |
Overall maturity: hobby/trial — internal-use forgives some of this, but the data sensitivity (heavy staff PII) doesn't.
10. Known risks & vulnerabilities
- Free Tier ADB holding our own staff PII — same exposure as Fourway minus the contractual angle. A corruption event = unrecoverable internal HR data.
- Oracle 19c → 26ai migration pending without restorable backup (KI-036) — major-version DB migration is risky, and we have no rollback path on the Free Tier.
- Eidos tenant credentials in Bradley's personal store, not Vault (KI-007) — bus factor + off-boarding risk.
- Naming confusion — `EIDOSDev / Devdb` reads as a sandbox but is actually a production system. An admin could mistakenly make destructive changes to it.
- All other risks shared with the Fourway tenant: source on Bitbucket, no MFA on admin layer, no monitoring, etc.
Active hardening plan for this tenant (see roadmap):
- RM-042 — roll out WireGuard VPN clients to all Eidos staff (currently no one has the WG client installed) and connect the UK + India offices over a leased-line site-to-site arrangement, so this tenant can be tightened from "publicly reachable" to "VPN or trusted-source IP only" during the SaaS hardening period. Sergiu Pop is the primary contact for the laptop-and-office side of this rollout.
- RM-043 — formal VAPT engagement on the TnE Connect product (both tenants in scope) before the SaaS go-to-market matures further.
11. Impact if it goes down
- ~30 Eidos Global staff blocked from timesheet / scheduling functions.
- No customer-facing impact, no contractual penalty.
- Data-loss scenario is the worst case — internal HR records would be unrecoverable on the current Free Tier.
12. Owner & on-call
- Primary owner: [INFO NEEDED] (TnE Connect product team)
- DBA: Bradley Leggett
- Cloud admin: Vishnu Kant
- On-call: [INFO NEEDED]
13. References & links
- Customer-facing URL: https://eidos-global.tneconnect.app
- APEX builder vanity URL: https://apex1.projecteidos.com
- APEX builder direct URL: [INFO NEEDED]
- Source repo: same as Fourway — https://bitbucket.org/448_global/workforce.git
- OCI tenancy: EIDOSDev1, compartment [INFO NEEDED]
- ADB instance: `EIDOSDev` / `Devdb` (OCID `ocid1.autonomousdatabase.oc1.uk-london-1.anwgiljrbm2l2oianzh2yna7ppfiztei5vl3hjkrvnvw7f6xp34raja6mmiq`)
- Sister tenant: TnE Connect — Fourway tenant
- Marketing site: TnE Connect WordPress
- Customer-relationship CRM: CRM TnE Connect
- Domain: see domains.md