Access Control Policy
1. Purpose
Define requirements for granting, reviewing and revoking access to Clerk.io information assets.
2. Principles
- Least Privilege – users receive the minimum access necessary.
- Need-to-Know – data access aligns with job role.
- Segregation of Duties – no single person can deploy unreviewed code to production.
- Timely Revocation – accounts disabled within 24 h of termination.
3. Account Types
| Type | Examples | Approval |
| --- | --- | --- |
| Workforce (SSO) | Google Workspace, Slack | Line Manager + ISM |
| Workforce (Custom MFA) | HQ (Internal Tool Portal) | Line Manager + ISM |
| Developer | GitHub (MFA required), Sentry, IPA, Datadog | Line Manager + ISM |
| Privileged | AWS IAM console user (hardware MFA) | Head of Product + ISM |
| Compute Roles | AWS IAM instance profiles | SRE + ISM |
4. Authentication Requirements
- Applications that support SAML/OIDC use Google Workspace SSO (MFA preferred).
- GitHub: MFA is mandatory for every engineer account (enforced manually); privileged users use hardware security keys (YubiKey), all others use a passkey or TOTP.
- AWS console access is limited to SRE staff and Head of Product and is protected by hardware security-key or passkey MFA; no SSO is currently in place.
- Account passwords must be randomly generated with at least 12 characters. Periodic password rotation is not currently enforced; instead, MFA and timely revocation mitigate credential-lifetime risk.
- Production compute workloads obtain permissions via short-lived AWS IAM roles (instance profiles); long-lived access keys are not used.
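The two AWS rules above (console users must have MFA; no long-lived access keys) can be checked against the IAM credential report that `aws iam get-credential-report` returns. The script below is an added example, not part of this policy or of Clerk.io's tooling; the account ID, user names and report rows are constructed for illustration, and the column layout is the one AWS documents for the credential report.

```python
"""Audit an AWS IAM credential report for access-control policy violations.

Added example (not Clerk.io's tooling). Input is the CSV body of the
credential report (`aws iam get-credential-report --query Content
--output text | base64 -d`). It flags:
  * console users (password_enabled == true) without MFA
  * the root account without MFA
  * any IAM user with an active long-lived access key
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample report (fictional account 111122223333) in the
# real credential-report column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-08-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
sre-alice,arn:aws:iam::111122223333:user/sre-alice,2023-03-01T00:00:00+00:00,true,2025-08-20T10:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
head-of-product,arn:aws:iam::111122223333:user/head-of-product,2022-06-01T00:00:00+00:00,true,2025-08-18T08:00:00+00:00,2022-06-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-legacy,arn:aws:iam::111122223333:user/ci-legacy,2021-01-15T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-01-15T00:00:00+00:00,2025-08-21T00:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def parse_credential_report(report_csv: str) -> list[dict]:
    """Parse the decoded credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def audit_report(rows: list[dict]) -> list[Finding]:
    """Apply the policy rules to every row and return the violations."""
    findings: list[Finding] = []
    for row in rows:
        user = row["user"]
        mfa = row.get("mfa_active", "")

        # Rule 1: console sign-in enabled but no MFA device registered.
        # (The root row reports password_enabled as "not_supported".)
        if row.get("password_enabled") == "true" and mfa != "true":
            findings.append(Finding(user, "console-without-mfa",
                                    f"password enabled, mfa_active={mfa}"))

        # Rule 2: the root account must always have MFA.
        if user == "<root_account>" and mfa != "true":
            findings.append(Finding(user, "root-without-mfa",
                                    f"mfa_active={mfa}"))

        # Rule 3: long-lived access keys are not used; any active key is a
        # violation regardless of age or last use.
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") == "true":
                findings.append(Finding(
                    user, "active-access-key",
                    f"access key {n} active, last rotated "
                    f"{row.get(f'access_key_{n}_last_rotated')}, last used "
                    f"{row.get(f'access_key_{n}_last_used_date')} "
                    f"({row.get(f'access_key_{n}_last_used_service')})"))
    return findings


def audit_sample() -> list[Finding]:
    """Run the audit over the constructed sample report."""
    return audit_report(parse_credential_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.rule:22} {f.user:18} {f.detail}")
```

On the sample this flags `head-of-product` (console user with `mfa_active=false`) and `ci-legacy` (an active access key), and passes `sre-alice` and the root account. One caveat: `mfa_active` only says that some MFA device is registered; it does not distinguish a hardware security key or passkey from a virtual TOTP device, so confirming the hardware-MFA requirement for privileged users additionally needs `aws iam list-mfa-devices` and `aws iam list-virtual-mfa-devices` per user.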
5. Access Request & Approval
- The requester submits the access or privilege-escalation request to the Head of Product.
- The Head of Product verifies that there is a legitimate need.
- The Head of Product grants the access or delegates the grant to the appropriate team (typically SRE).
6. Reviews
- Access reviews are performed every two months by system owners.
7. Revocation
HR off-boarding triggers the removal workflow:
- Remove access to:
  - GitHub
  - Sentry
  - IPA (Engineering Identity Management)
  - HQ (Internal Tool Portal)
  - Slack
  - Google Workspace
  - Datadog
- Collect hardware.
8. Exceptions
Temporary elevated access is managed via FreeIPA/Kerberos: login sessions (Kerberos tickets) are valid for 8 hours and sudo escalation for roughly 30 minutes; tickets expire automatically and cannot be transferred between systems.
9. Compliance
Non-compliance is reported to the ISM; disciplinary action is possible.
Version 1.2 — effective 2025-09-01