# W-03: Tool Standards
| Field | Value |
|---|---|
| Document | W-03 |
| Title | Tool Standards |
| Status | Draft |
| Owner | CDO |
| Created | 2026-04-05 |
| Review | Annually |
## Purpose
Define which tool is used for which purpose across Simpaisa. One tool per function. No shadow IT. No "we use X in our team but everyone else uses Y."
If a tool is not on this page, it is not approved for use. If you need a tool that's not listed, propose it to the CDO.
## Tool Map

| Purpose | Tool | Owner | Notes |
|---|---|---|---|
| Source code | Bitbucket | CTO | Repos, PRs, code review. Branch strategy per Git Workflow Standard |
| CI/CD | Jenkins | DevOps Lead | Build, test, scan, deploy. Snyk (security), SonarQube (quality) |
| Infrastructure as Code | Terraform + Ansible | DevOps Lead | All infra changes via pipeline, never manual |
| Cloud Infrastructure | AWS | DevOps Lead | EC2, RDS, ElastiCache, ALB, WAF, S3 |
| API Gateway | KrakenD | CTO | Rate limiting, auth, routing |
| Edge/CDN/DNS | Cloudflare | DevOps Lead | WAF, DDoS, DNS, Workers |
| Work Tracking | Jira | CPO | User stories, bugs, sprints, epics. All engineering work tracked here |
| Architecture Tracking | Beads (bd CLI) | CDO | Architecture repo issues only. Standards, ADRs, architecture decisions |
| Documentation (internal) | Confluence | CDO | Operating Model, standards (published view). Meeting notes, project pages. Architecture space = canonical published view |
| Documentation (merchant-facing) | GitBook | CPO | API docs, integration guides, SDK docs |
| Architecture Source of Truth | Git (sp-architecture) | CDO | Standards, ADRs, schemas, threat models. Markdown in Git; Confluence is the published view |
| Communication | Slack | COO | Real-time messaging, channels, threads. See W-02 for channel naming and etiquette |
| Email | Google Workspace | COO | External communication, formal internal |
| Video Calls | Google Meet | COO | All internal video calls. Zoom for external calls if counterparty requires |
| Calendar | Google Calendar | Each person | All meetings. Shared team calendars |
| File Storage | Google Drive | Each dept | Documents, spreadsheets, presentations. NOT for code, NOT for architecture docs |
| Device Management / MDM | Fleet | CISO | Endpoint visibility (osquery), security policies. Disk encryption, OS updates, compliance posture. Vulnerability management on endpoints. Device inventory across 6 markets, 180 staff |
| Password Management | TBD | CISO | All shared credentials, API keys, certificates |
| Secrets Management (production) | AWS Secrets Manager | DevOps Lead | Production secrets. Never in code |
| Monitoring | CloudWatch | DevOps Lead | Infrastructure and application monitoring. Target: OpenTelemetry + Grafana (per Technology Radar) |
| Incident Management | TBD | CISO | Incident tracking, post-incident reviews. Per Incident Response Playbook |
| Knowledge Discovery | Maerifa | CDO | Query institutional knowledge across all sources. Chat UI + Agent API |
| Container Registry | AWS ECR | DevOps Lead | Docker images for all services |
| Database (production) | MySQL (current) | CTO | Target: SurrealDB (per ADR-DATA-004). Migration in progress via Phoenix |
| Database (architecture schemas) | SurrealDB | CDO | Target-state schemas in Architecture repo |
| Message Queue | NSQ (target) | CTO | Replacing Kafka (per ADR-PLATFORM-010) |
| Workflow Orchestration | Temporal (target) | CTO | Per ADR-PLATFORM-009 |
| Search | Meilisearch (target) | CTO | Merchant-facing search (per ADR-DATA-017) |
## Rules

### No Shadow IT

If a team is using a tool not on this list, they have two options:

1. Stop using it and migrate to the approved tool.
2. Propose it to the CDO for addition to this list (with justification, cost, and migration plan).
Unapproved tools create data silos, security risks, and support burden.
### One Tool Per Function
Don't run Trello AND Jira. Don't use Notion AND Confluence. Don't keep docs in Google Docs AND Confluence. Pick one. Use it. The cost of standardisation is lower than the cost of fragmentation.
### Data Sovereignty

All tools must comply with data sovereignty requirements per the Regulatory Playbooks:

- Production data stays in-country (per DA-06)
- Corporate data (standards, architecture) may be in UAE or global SaaS
- Customer PII must not be stored in unapproved SaaS tools (Slack, Google Docs, etc.)
- If in doubt, ask the CISO
## Access Provisioning
| Event | Who Provisions | Timeline |
|---|---|---|
| New joiner | IT Help Desk (Rohit Rana's team) | Day 1 |
| Role change | Manager requests via IT ticket | 2 business days |
| Leaver | IT Help Desk revokes all access | Same day as departure |
| Contractor | Manager requests, CISO approves | 2 business days |
All access follows the principle of least privilege. No shared accounts. No shared passwords. MFA required on all tools.
## Tool Evaluation (for new tools)

Before adopting a new tool, evaluate against:

1. Does an existing approved tool already do this?
2. Cost (per user, total, contract terms)
3. Security (SOC 2, data residency, encryption, MFA)
4. Integration (does it connect to our existing stack?)
5. Vendor risk (per STD-GOV-127 Vendor Evaluation Framework)
6. Build vs buy (per STD-GOV-128)
Decision authority: CDO for technology tools, CFO for finance tools, COO for operations tools. All >$10K/year require CEO approval.