Access Control Policy

Last updated: March 11, 2025

Purpose

ItemIQ ("we," "our," or "us") maintains this Access Control Policy to ensure that access to systems, applications, and personal data is restricted based on the principle of least privilege. This policy applies to all personnel, contractors, and third parties who may access our systems or process personal data on our behalf.

Principle of Least Privilege

We restrict access to systems and personal data based on the principle of least privilege. Access is granted only to the minimum level necessary for individuals to perform their job functions. No user receives default access to sensitive or personal data beyond what is required for their role.

Access Control Requirements

Role-Based Access Control (RBAC)

  • Access to systems and data is assigned based on defined roles and job responsibilities
  • Roles are documented and reviewed periodically
  • Access rights are provisioned and deprovisioned according to role changes or employment status

Access Authorization

  • All access requests require formal approval from designated authorizers
  • Access to personal data systems requires additional authorization and justification
  • Privileged access (administrative, root, or elevated permissions) requires enhanced approval and logging

Access Restrictions for Personal Data

  • Personal data access is restricted to authorized personnel with a legitimate business need
  • Database and application access to user data is controlled through authentication and authorization mechanisms
  • Production access to personal data is limited and monitored

Authentication and Identity Management

  • Multi-factor authentication (MFA) is required for access to systems containing personal data
  • Strong password policies are enforced across all systems
  • Session management and timeout controls limit exposure of active sessions

Access Review and Revocation

  • Access rights are reviewed at least annually or upon role change
  • Access is revoked immediately upon termination of employment or contract
  • Dormant or unused accounts are identified and disabled

Third-Party Access

Third-party access to our systems or personal data is governed by contractual agreements, limited to specified purposes, and subject to the same least-privilege principles. Access is monitored and audited.

Policy Compliance

Violations of this policy may result in disciplinary action up to and including termination. This policy is reviewed and updated periodically to reflect changes in technology, business operations, or regulatory requirements.

Related Documents

  • Data Classification Policy
  • Incident Response Policy
  • Privacy Policy

Contact

For questions about this Access Control Policy, contact:

  • Email: security@itemiq.com