Access Controls Policy
SimpleMonth
1. Purpose
The purpose of this Access Controls Policy is to define how SimpleMonth restricts, manages, and monitors access to production systems and sensitive data to ensure the confidentiality, integrity, and availability of user information.
Access controls are implemented to ensure that only authorized users and systems can access data and services required to operate the platform.
2. Scope
This policy applies to:
- All SimpleMonth production systems and infrastructure
- User data stored or processed by the application
- Administrative access to databases, hosting environments, and third-party services
- Employees, contractors, and service accounts with access to production resources
3. Identity and Authentication
User Authentication
- End users authenticate using Supabase Auth.
- Passwords are securely hashed using industry-standard algorithms and are never stored in plaintext.
- Email verification is required for account activation.
- Sessions are managed using secure, expiring authentication tokens.
Administrative Authentication
- Administrative access to infrastructure (Supabase, Vercel, cloud services) is restricted to authorized personnel only.
- Strong authentication methods are required, including multi-factor authentication where supported by the provider.
4. Authorization and Role-Based Access Control (RBAC)
- SimpleMonth enforces role-based access control (RBAC) at the application and database levels.
- End users are only permitted to access data associated with their own accounts.
- Database access is enforced using Row Level Security (RLS) policies to prevent unauthorized cross-user access.
- Service accounts are scoped with the minimum permissions required to perform their intended function.
5. Principle of Least Privilege
- Access to systems and data is granted based on the principle of least privilege.
- Users and services are only given the minimum access necessary to perform their roles.
- Elevated access (administrative or production access) is restricted and limited to essential use cases.
6. Access Provisioning and De-Provisioning
- Access to production systems is provisioned manually and intentionally.
- When access is no longer required, credentials and permissions are revoked promptly.
- Service credentials and API keys are rotated or invalidated as needed.
7. Environment and Infrastructure Controls
- Sensitive credentials (API keys, database credentials) are stored in secure environment variables and are not hardcoded.
- Production and non-production environments are logically separated.
- Hosting and infrastructure providers (e.g., Supabase, Vercel) provide additional access controls and audit logging.
8. Monitoring and Logging
- Access to production systems is logged where supported by infrastructure providers.
- Application activity is monitored for abnormal or unauthorized behavior.
- Security-relevant events are reviewed as part of incident response procedures.
9. Incident Response
- Suspected unauthorized access or security incidents are investigated promptly.
- Access credentials may be revoked or rotated as part of incident containment.
- Users are notified when required by applicable laws or contractual obligations.
10. Policy Review
This policy is reviewed periodically and updated as the platform, team, or security posture evolves.
Changes to access control mechanisms are evaluated to ensure continued protection of user data.
11. Contact
Questions regarding this Access Controls Policy can be directed to: