Access Control Policy

Last updated: June 24, 2025

1. Purpose and Scope

This Access Control Policy defines the security controls and procedures FlowyCash has implemented to limit and manage access to production assets (both physical and virtual) and sensitive data. This policy ensures that only authorized personnel have appropriate access to systems and data necessary for their job functions, following the principle of least privilege.

This policy applies to all FlowyCash team members, contractors, and third-party service providers who require access to production systems or sensitive data.

2. Access Control Framework

2.1 Principle of Least Privilege

  • Users are granted only the minimum access necessary to perform their job functions
  • Access permissions are regularly reviewed and adjusted based on role changes
  • Default access is denied unless explicitly granted
  • Temporary access is time-limited and automatically expires

2.2 Role-Based Access Control (RBAC)

  • Access permissions are assigned based on predefined roles and responsibilities
  • Standard role templates are maintained for common job functions
  • Role assignments require manager approval
  • Roles are regularly reviewed for appropriate permissions

2.3 Segregation of Duties

  • Critical operations require multiple approvals or dual authorization
  • Development, testing, and production environments are separated
  • No single individual has complete control over critical business processes
  • Administrative functions are separated from operational functions

3. Production Systems Access Controls

3.1 Infrastructure Access

  • Cloud Platform Access: Limited to authorized DevOps personnel with MFA required
  • Database Access: Restricted to senior developers and database administrators only
  • Server Administration: Managed through secure cloud providers (Supabase and Vercel; Vercel is SOC 2 certified)
  • Network Access: VPN and secure connections required for all remote access
  • Application Deployment: Automated through CI/CD pipelines with approval gates

3.2 Application Access

  • Production Environment: Access limited to essential personnel only
  • Admin Interfaces: Separate admin accounts with enhanced security controls
  • API Access: Authentication tokens with expiration and scope limitations
  • Monitoring Tools: Role-based access to system monitoring and alerting

3.3 Third-Party Service Management

  • Supabase: Limited to authorized users with project-level permissions
  • Plaid: API keys restricted to production applications only
  • Vercel: Deployment access limited to designated team members
  • Service Accounts: Automated access with minimal required permissions

4. Sensitive Data Access Controls

4.1 Data Classification

Highly Sensitive: User financial data, banking credentials, payment information

Sensitive: Personal information, transaction history, account details

Internal: Application logs, system configurations, business data

Public: Marketing materials, public documentation

4.2 Data Access Controls

  • Financial Data: Access limited to senior developers and authorized support staff
  • Personal Information: Access granted only for legitimate business purposes
  • Audit Logs: Read-only access for compliance and security personnel
  • System Logs: Developer access for troubleshooting with data masking
  • Database Backups: Encrypted storage with restricted access controls

4.3 Data Handling Requirements

  • All sensitive data access is logged and monitored
  • Data export and download activities require additional approval
  • Production data cannot be copied to non-production environments
  • Data masking and anonymization used for development and testing

5. Authentication and Authorization

5.1 Multi-Factor Authentication (MFA)

  • MFA required for all production system access
  • MFA required for all administrative accounts
  • MFA required for cloud platform and third-party service access
  • MFA required for all user accounts accessing financial data

5.2 Password Policy

  • Minimum 12 characters with complexity requirements
  • Password managers required for all team members
  • Unique passwords for each system and account
  • Regular password rotation for shared accounts
  • Immediate password changes upon security incidents

5.3 Session Management

  • Automatic session timeout after inactivity
  • Secure session token generation and management
  • Session termination upon logout or system closure
  • Concurrent session limits for high-privilege accounts

6. Physical Security Controls

6.1 Remote Work Environment

  • Company-provided devices with mandatory security configurations
  • Device encryption required for all laptops and mobile devices
  • Screen locks with automatic activation after inactivity
  • Secure Wi-Fi connections and VPN usage requirements
  • Physical device security training for remote workers

6.2 Data Center Security

  • Production infrastructure hosted in SOC 2 certified data centers
  • Physical access controls managed by cloud service providers
  • 24/7 physical security monitoring and surveillance
  • Environmental controls and disaster recovery capabilities

7. Access Management Procedures

7.1 Access Provisioning

  • New access requests require manager approval
  • Access provisioning follows documented procedures
  • Temporary access has defined expiration dates
  • Emergency access procedures for critical situations

7.2 Access Reviews

  • Quarterly reviews of all user access permissions
  • Annual comprehensive access recertification
  • Immediate review upon role changes or termination
  • Automated alerts for dormant or unused accounts

7.3 Access Termination

  • Immediate access revocation upon employee termination
  • Account deactivation procedures for departing personnel
  • Return of company devices and credentials
  • Notification to relevant teams about access changes

8. Monitoring and Auditing

8.1 Access Logging

  • All system access attempts are logged and retained
  • Failed authentication attempts trigger security alerts
  • Privileged account activities are monitored in real-time
  • Database access and queries are logged for audit purposes

8.2 Security Monitoring

  • Automated monitoring for unusual access patterns
  • Alerts for after-hours or unauthorized access attempts
  • Regular review of access logs and security events
  • Integration with security incident response procedures

8.3 Compliance Auditing

  • Regular internal audits of access controls
  • Documentation of access control exceptions
  • Evidence collection for compliance reporting
  • Continuous improvement based on audit findings

9. Emergency Access Procedures

  • Break-glass access procedures for critical system emergencies
  • Emergency access requires senior management approval
  • All emergency access activities are logged and reviewed
  • Emergency access is automatically revoked after incident resolution
  • Post-incident review of emergency access usage

10. Vendor and Third-Party Access

  • Third-party access requires signed agreements and approval
  • Vendor access is limited to specific systems and time periods
  • Third-party activities are supervised and monitored
  • Vendor access is regularly reviewed and recertified
  • Immediate termination procedures for vendor access

11. Training and Awareness

  • Security awareness training for all team members
  • Role-specific training for privileged access users
  • Regular updates on access control policies and procedures
  • Security incident response training
  • Ongoing security education and best practice sharing

12. Policy Compliance and Enforcement

  • Regular policy reviews and updates
  • Compliance monitoring and reporting
  • Disciplinary actions for policy violations
  • Continuous improvement based on security assessments
  • Integration with overall security governance framework

13. Questions and Support

For questions about access control policies or to request access, please contact:

Security Team: security@flowycash.com

IT Support: support@flowycash.com

Access Requests: access@flowycash.com

Access Control Summary

FlowyCash has implemented comprehensive access controls to limit access to production assets and sensitive data. These controls include multi-factor authentication, role-based access control, the principle of least privilege, regular access reviews, comprehensive monitoring and auditing, and segregation of duties. Access to production systems is restricted to essential personnel only, and all access to sensitive financial data is logged, monitored, and subject to strict approval processes.