External SaaS & third-party services
The 32 apps documented under apps/ are services we host ourselves. This file inventories the third-party SaaS the business depends on — accounts that, if lost or compromised, would damage operations even though no server of ours went down.
Why this matters to leadership: every external SaaS subscription is a contract, a renewal cost, an account-takeover risk, and a credential-loss risk. Treating SaaS as "someone else's problem" is how organizations end up locked out of their own DNS, email, or payment processor on a Friday evening.
Inventory (please complete)
For each, capture: provider, what it's used for, account owner, billing owner, MFA status, and Vault entry for shared credentials.
Identity / domain / DNS / cloud platform
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| GoDaddy | All four domain registrations + Microsoft 365 mail across (at least) three M365 tenants | Stacy Carpenter + Adam Pitt-Stanley (company leadership) | leadership card | [INFO NEEDED] | n/a — credential held by leadership, not in vault.448.global |
| Microsoft Azure (Entra) | App registrations (no Azure compute / storage / databases used). Three distinct use cases: (1) Teams Bot via Bot Framework — registered in Azure so Microsoft Teams can deliver chat messages to bot.projecteidos.com; (2) TnE Connect SSO (per tenant) — OIDC App Registration in each tenant's M365 (Fourway's tenant for the Fourway tenant; Project Eidos tenant for the Eidos staff tenant) that seeds the APEX authentication scheme; (3) TnE Connect calendar / leave-management integration — App Registration with Microsoft Graph delegated permissions so the leave-application feature can read / write employee Outlook calendar events. At least three M365 tenants exist (per KI-030), so registrations live in different tenants. | per-tenant administrator | inherits M365 tenant subscription | inherits M365 MFA | [INFO NEEDED] per registration |
Email & productivity
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| Google Workspace / Microsoft 365 | Company email, docs, calendar | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
| Slack / Teams | Internal messaging | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
Cloud / hosting
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| [INFO NEEDED] (Hetzner / DigitalOcean / AWS / GCP / Azure / OVH / other) | VPS/VM hosting for 448.global and projecteidos.com services | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
Payments / finance
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| Stripe / Razorpay / other | Customer payments | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
| Accounting (Xero / QuickBooks / Zoho Books) | Books | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
Customer / marketing
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| RocketSaas | Marketing partner for the TnE Connect SaaS — recently relaunched tneconnect.app under their guidance | [INFO NEEDED] | [INFO NEEDED] | n/a (third-party agency, not an account we hold) | n/a |
| Brevo | A Brevo verification record exists in projecteidos.com SPF, but no one currently on the team knows what it was set up for (KI-040) | unknown | unknown | unknown | unknown |
| Email marketing (Mailchimp / Sendgrid / etc.) | Newsletters, transactional email | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
| Analytics (GA4 / Plausible / Matomo) | Website analytics | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
| CDN (Cloudflare / Bunny / Fastly) | DDoS / performance | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
AI / model providers
Three active AI subscriptions, all currently used inside Coder workspaces and (for OpenAI) likely as the backing model for Open WebUI at ai.448.global. Combined cost today is well below £100/month — these scale with usage.
| Provider | Used for | Subscription model | Current monthly | Notes |
|---|---|---|---|---|
| OpenAI API | Backing model for Open WebUI; called from Coder workspaces and possibly Parallax / Teams Bot features | prepaid credits | ~£20–30/month of top-ups | small usage today; scales with team size |
| BFL Labs API (Black Forest Labs / Flux models) | Image generation use cases inside Coder workspaces | subscription / pay-as-you-go | ~£0/month | $10 added; never used. Effectively dormant. |
| Claude.ai (Anthropic) | Used on multiple Coder workspaces — currently shared on 1 seat | non-corporate / personal-tier subscription | ~£75/month | shared 1-seat account; should be moved to a Team / Enterprise plan when the team scales (avoids account-sharing) |
Operational notes:
- All three are accessed from inside Coder workspaces — meaning the API keys live (or should live) in the workspace environment. Best practice is to read them from Vault at workspace startup, not bake them into images.
- OpenAI is prepaid — credit balance can run out unexpectedly. Worth a low-balance alert or auto-recharge.
- BFL Labs / Anthropic billing is subscription-based; predictable monthly cost but renewals matter (track in the renewal calendar).
- Per-developer cost-attribution is [INFO NEEDED] — without it, a runaway prompt loop on one developer's workspace silently spends from a shared budget.
- Each API key is a credential worth treating like a Tier-1 secret (covered by KI-031 MFA principle for the upstream provider account, plus Vault storage for the API key itself).
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| Bitbucket (Atlassian) | TnE Connect product source repo at bitbucket.org/448_global/workforce.git (KI-034) | Atlassian account is registered to the 448.global sister company under email Connect@448.global; Adam Pitt-Stanley is admin | currently Free tier (capped at 5 users) | [INFO NEEDED] | 448G_KV/448_Jira — single Atlassian credential shared with JIRA |
| JIRA + Confluence (Atlassian) | Ticket tracking + Confluence wiki + the auto-branch / access-request integration with n8n | Same Atlassian account as Bitbucket — Adam at Connect@448.global | currently Free tier (capped at 10 users) | [INFO NEEDED] | 448G_KV/448_Jira |
| GitHub (if any mirroring) | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
| Container registry (Docker Hub / GitLab Registry / GHCR) | Container images | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
| Sentry / Bugsnag / etc. | Error tracking | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] | [INFO NEEDED] |
Other
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| [INFO NEEDED] | | | | | |
Risks
- Account ownership tied to one person. If the only login for an account is someone@personal-email.com, the company has a hidden bus-factor problem.
- No MFA. Any SaaS without MFA is one phished password away from takeover.
- Credentials not in Vault. If shared logins live in someone's password manager or a sticky note, they leave with that person.
- Billing card on a personal account. Renewals fail when the card expires; service goes dark.
- Renewal surprise. SaaS auto-renewals at unexpected scale (per-seat, usage-based) blow holes in budgets.
- Atlassian (Bitbucket + JIRA + Confluence) account is registered to the 448.global sister company, which is being wound down. When 448.global is closed, the Atlassian account ownership chain needs to be transferred or re-registered under Project Eidos, otherwise the account will eventually be reclaimed or lost. This is a planned-action item rather than an active fire.
Phase-2 actions
- Move every shared SaaS credential into Vault under a consistent path scheme.
- Confirm MFA on every account.
- Switch all account ownership to a company-owned email (e.g. ops@<domain>), not personal.
- Centralize billing where possible (one card or invoicing entity per cluster of services).
- Set renewal-date reminders independent of provider notifications.
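
One way to track progress on the Vault and MFA actions above, as an added example that is not part of the original inventory: a script that parses pipe tables laid out like the ones in this file and lists, per provider, which of Owner / Billing / MFA / Vault are still `[INFO NEEDED]`, `unknown` or blank. The function names are illustrative and the sample rows are abbreviated from this file's tables.

```python
import re

# Cell values that mean "nobody has answered this yet".
UNRESOLVED = re.compile(r"^\s*(\[INFO NEEDED\].*|unknown|)\s*$", re.IGNORECASE)
# Columns the inventory asks for on every account.
REQUIRED = ("Owner", "Billing", "MFA", "Vault")

# Constructed sample: rows abbreviated from this file, for offline runs.
SAMPLE = """\
| Provider | Used for | Owner | Billing | MFA | Vault |
|---|---|---|---|---|---|
| GoDaddy | Domains + M365 mail | Stacy Carpenter + Adam Pitt-Stanley | leadership card | [INFO NEEDED] | n/a (held by leadership) |
| Brevo | SPF verification record (KI-040) | unknown | unknown | unknown | unknown |
| Bitbucket (Atlassian) | TnE Connect source repo | Adam Pitt-Stanley | Free tier | [INFO NEEDED] | 448G_KV/448_Jira |

| Provider | Used for | Subscription model | Current monthly | Notes |
|---|---|---|---|---|
| OpenAI API | Open WebUI backing model | prepaid credits | about 20-30 GBP | small usage today |
"""

def parse_tables(markdown):
    """Yield one dict per data row of every pipe table in the text."""
    header = None
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            header = None              # any non-table line ends the table
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(re.fullmatch(r":?-{3,}:?", c) for c in cells):
            continue                   # header/body separator row
        if header is None:
            header = cells             # first row of a table is its header
            continue
        cells += [""] * (len(header) - len(cells))   # pad short rows
        yield dict(zip(header, cells))

def audit(markdown):
    """Return {provider: [required columns still unresolved]}."""
    gaps = {}
    for row in parse_tables(markdown):
        missing = [c for c in REQUIRED if c in row and UNRESOLVED.match(row[c])]
        if missing:
            gaps[row.get("Provider", "?")] = missing
    return gaps

if __name__ == "__main__":
    for provider, cols in audit(SAMPLE).items():
        print(f"{provider}: missing {', '.join(cols)}")
```

Tables that lack the Owner / Billing / MFA / Vault columns, such as the AI providers table, produce no findings from this check, so those accounts still need the same four answers recorded elsewhere.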