# Access control policy

**Version:** 1.0
**Effective date:** 2026-04-17

## 1. Principles

- Least privilege by default. Grant only the access needed for the role
- Named accounts only - no shared logins for any production system
- Multi-factor authentication required on every production system
- Access is provisioned on hire, reviewed monthly, and revoked on the same business day as role change or termination

## 2. System inventory and access levels

| System | Who can access | How MFA is enforced |
|---|---|---|
| Netlify (prod deploys, envs) | Founder; engineers on `prod-deploy` team | Hardware key (WebAuthn) |
| Airtable (prod base) | Founder; engineers with `creator` role | TOTP |
| GitHub (source repo) | Founder; contributors with repo role | Hardware key required for push |
| Stripe | Founder only | TOTP |
| Mux dashboard | Founder only | TOTP |
| Resend | Founder only | TOTP |
| Anthropic console | Founder only | TOTP |
| Developer workstations | Named user; disk encryption; auto-lock 5 min | OS-level password + Touch ID / Windows Hello |

## 3. Customer-facing access controls (Frameboard app)

- Passwords hashed with `bcryptjs` at cost factor 10 minimum
- JWT sessions expire after 30 days, or immediately on password change
- Google OAuth available for all users; SSO enforceable for Enterprise (see `SSO-MVP-SCOPE.md`)
- Role-based access inside each customer account: `owner`, `admin`, `member`
- Magic-link authentication for buyer/client portal (15-minute expiry, single-use)
- Rate limiting on login, signup, password reset, and OAuth endpoints

## 4. Access lifecycle

**Joining:**
1. Hiring manager files an access ticket listing systems needed
2. Founder provisions access and verifies that MFA is enrolled before credentials are handed over
3. New starter acknowledges policies 00, 01, 05, 07

**Role change or leave:**
1. Manager raises a change request the same day
2. Access is adjusted within one business day
3. Revocation tickets are logged in the access log (Airtable)

**Termination:**
- Access revoked within one hour of termination (same hour for involuntary termination)
- Systems are revoked in this order: GitHub, Netlify, Airtable, Stripe, Mux, Resend, Anthropic
- Workstation wiped before return

## 5. Access reviews

Monthly, the founder pulls a report of every active user on every production system. Any account without a clear business need is removed.

Reviews are logged as entries in Airtable (`Admin Audit Log` table) with a timestamp.

## 6. Privileged access

Any operation that can affect all customers' data (Airtable schema changes, bulk updates, production env var edits) is treated as privileged. Privileged changes are:
- Proposed in writing (GitHub issue or internal doc)
- Reviewed by at least one other person if one is available
- Logged in the change management record after execution

At single-founder stage, the review requirement is held in abeyance; the compensating control is that changes are logged and, when user-visible, announced in the customer changelog.
