Access Control Policy – SOC 2 Edition
This policy is aligned with the ISO 27001 Access Control Policy and highlights the controls most relevant to SOC 2.
1. Purpose
To ensure only authorised individuals can access Clerk.io systems and data, thereby satisfying TSC CC6.1–CC6.8.
2. Policy Statements
- Identity Provider – All workforce access is federated through Google Workspace SSO with enforced MFA (security key preferred).
- Role-Based Access Control (RBAC) – Access rights are granted based on least privilege and need-to-know principles.
- Privileged Access – Elevated roles (e.g., AWS account root or IAM admin) require a hardware security key and are time-boxed through just-in-time (JIT) elevation tooling.
- Service Accounts – Where non-human identities need static (long-lived) credentials, those credentials are stored in AWS Secrets Manager and rotated at least every 90 days.
- Access Reviews – System owners review access bi-monthly; exceptions are tracked to closure within 30 days.
- On/Off-boarding – HR triggers automated provisioning/de-provisioning via Terraform Enterprise.
- Physical Security – Production data centres are operated by Amazon Web Services (AWS), which provides SOC 2 reports and holds ISO 27001 certification. Clerk.io offices require badge access and visitor logs.
3. Monitoring & Logging
All authentication events are streamed to the central SIEM (Datadog Security Monitoring) and correlated with HRIS data to detect orphaned accounts.
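The HRIS correlation described above, as an added worked example that is not part of the original policy or of Clerk.io's tooling. It assumes authentication events exported from the SIEM as JSON lines with `ts`, `user`, `outcome` and `source` fields, and an HRIS roster export with `email`, `status` and `terminated_at`; both field layouts and the sample data are constructed for illustration. A successful login by a terminated user, or by an identity HRIS has no record of and that is not a registered service account, is reported as an orphaned-account finding.

```python
import json
from datetime import datetime

# Constructed HRIS roster export (example data, not a real Clerk.io roster).
HRIS_ROSTER = [
    {"email": "alice@example.com", "status": "active", "terminated_at": None},
    {"email": "bob@example.com", "status": "terminated", "terminated_at": "2024-05-01T17:00:00Z"},
]

# Constructed authentication events in the assumed SIEM export format.
AUTH_EVENTS = [
    '{"ts": "2024-05-02T09:12:00Z", "user": "alice@example.com", "outcome": "success", "source": "google_sso"}',
    '{"ts": "2024-05-03T08:00:00Z", "user": "bob@example.com", "outcome": "success", "source": "google_sso"}',
    '{"ts": "2024-05-03T08:05:00Z", "user": "svc-deploy@example.com", "outcome": "success", "source": "aws_iam"}',
    '{"ts": "2024-05-03T10:00:00Z", "user": "alice@example.com", "outcome": "failure", "source": "google_sso"}',
]


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_orphaned_logins(events, roster, known_service_accounts=frozenset()):
    """Correlate successful authentications with the HRIS roster.

    Returns one finding per successful login whose identity is either
    not active in HRIS (terminated; flagged as login_after_termination when the
    event post-dates the termination timestamp) or unknown to HRIS and not a
    registered non-human identity.
    """
    roster_by_email = {r["email"].lower(): r for r in roster}
    findings = []
    for line in events:
        event = json.loads(line)
        if event.get("outcome") != "success":
            continue  # failed attempts are noise for this check
        user = event["user"].lower()
        record = roster_by_email.get(user)
        if record is None:
            if user in known_service_accounts:
                continue  # inventoried service account, no HRIS record expected
            findings.append({"user": user, "ts": event["ts"], "reason": "unknown_to_hris"})
        elif record["status"] != "active":
            reason = "terminated"
            terminated_at = record.get("terminated_at")
            if terminated_at and parse_ts(event["ts"]) > parse_ts(terminated_at):
                reason = "login_after_termination"
            findings.append({"user": user, "ts": event["ts"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_orphaned_logins(AUTH_EVENTS, HRIS_ROSTER, {"svc-deploy@example.com"}):
        print(finding)
```

In the sample data, bob@example.com authenticates two days after his HRIS termination date, which is exactly the de-provisioning gap the correlation is meant to surface; svc-deploy@example.com is only silent because it is passed in as a registered service account, so the service-account inventory must be as trustworthy as the HRIS feed for the check to mean anything.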
4. Exceptions
Emergency elevated access may be granted for ≤8 hours with Director approval; all such grants are logged automatically and reviewed after the access window closes.
5. Enforcement
Non-compliance is handled per the Employee Handbook disciplinary process.
See Controls Matrix entries AC-01, AC-02, and AC-03 for evidence mapping.
Version 1.0