Access Control Policy

By adhering to this Access Control Policy, Eververse ensures that sensitive systems and data are accessible only to authorized individuals, reducing the risk of security breaches and ensuring compliance with the principle of least privilege.

1. Purpose

The purpose of this Access Control Policy is to establish guidelines for managing and enforcing access to Eververse's systems, applications, and data. This policy ensures that only authorized individuals have appropriate access to sensitive information, thereby reducing the risk of unauthorized access, data breaches, and misuse of resources.

2. Scope

This policy applies to all employees, contractors, and third-party service providers who access Eververse's systems, applications, databases, and cloud environments. It covers all assets, including servers, databases, cloud resources and external services.

3. Policy Statement

3.1 Role-Based Access Control (RBAC)

Access to all systems at Eververse is managed through Role-Based Access Control (RBAC). Permissions are assigned based on job responsibilities, ensuring that individuals have the minimum access required to perform their duties (principle of least privilege).

3.2 Authorization and Authentication

  • Multi-Factor Authentication (MFA): All users must authenticate using multi-factor authentication (MFA) wherever supported. This applies to all applicable systems and services.
  • Passkeys: Eververse encourages the use of passkeys as a secure and convenient alternative to traditional passwords. Passkeys provide strong authentication without the need to remember complex passwords.
  • Unique User Accounts: Each user is provided with a unique account and login credentials. Shared accounts are prohibited.

3.3 Access Requests and Approval

  • Access Requests: Employees and contractors must request access to specific systems or resources through the official access request process. Requests must be approved by the employee’s manager or a designated approver.
  • Access Reviews: Access levels are reviewed quarterly by the CISO to ensure compliance with the principle of least privilege.

3.4 Change Management for Access Control

  • Changes to Access: Any changes to user access (such as promotions, role changes, or terminations) must be submitted through the change management process. These changes will be reviewed and approved by the CISO.
  • Termination of Access: Upon termination of employment, access to all systems is immediately revoked.

3.5 Monitoring and Audit Trails

  • Audit Logs: All access to sensitive systems, including Vercel, Supabase, and GitHub, is logged. These logs are monitored and reviewed regularly to detect unauthorized access or anomalies.
  • Access Audits: Periodic audits of access controls are conducted to ensure compliance with this policy. Audit findings are reported to senior management.

4. Responsibilities

  • CISO: Responsible for enforcing the Access Control Policy, reviewing access requests, and conducting access audits.
  • Managers: Responsible for approving or denying access requests for their team members.
  • Employees and Contractors: Must follow the access control procedures and report any access-related issues or violations to the CISO.

5. Policy Review and Updates

This Access Control Policy will be reviewed annually, or more frequently as needed, to ensure its effectiveness and compliance with industry best practices and regulatory requirements.

6. Contact Information

For any questions or clarifications regarding this Access Control Policy, please contact us.

Get started for free

Explore problems, ideate solutions, prioritize features and plan your roadmap with the help of AI.