Access Controls Policy

← Back to Privacy Policy

1. Purpose

This policy defines standards to limit and manage access to production systems and sensitive financial data.

2. Scope

All systems, servers, databases, APIs, and third-party services that store, transmit, or process financial data.

3. Documented Access Control Policy

Access rights assigned based on business need and reviewed periodically.

4. Role-Based Access Control (RBAC)

• Access governed by role.
• Roles carry minimum permissions required for their function.
• Elevated access requires explicit authorization.

5. Multi-Factor Authentication

MFA enforced on all accounts with access to production systems, cloud services, and financial data.

6. Password Standards

• Minimum 16 characters.
• Unique per account.
• Managed via password manager.
• Never stored in plaintext or shared via unsecured channels.

7. Least Privilege

• All users and systems granted minimum required access.
• Permissions reviewed and trimmed as roles change.
• Admin credentials used only when required.

8. Third-Party Access

API keys scoped to minimum permissions, rotated periodically, revoked upon service termination. Reviewed annually.

9. Access Revocation

Access revoked promptly upon termination of any service relationship or personnel change.

10. Policy Review

Reviewed annually.

Effective Date: April 1, 2026

← Back to Privacy Policy