Effective Date: November 19, 2025 • Last Updated: November 19, 2025
1. Access Control Principles
1.1 Least Privilege
- Users receive only the minimum access necessary to perform their job functions
- Access is granted on a need-to-know basis
- Elevated privileges require documented justification
1.2 Separation of Duties
- No single individual has complete control over critical systems
- Changes to production require code review
- Financial and administrative functions are separated where possible
2. System Access
2.1 Production Systems
| System | Access Level | Personnel |
|---|---|---|
| Neon Database (Production) | Read/Write | Engineering team |
| Vercel Production | Deploy | Engineering team |
| Clerk Dashboard | Admin | Executive team |
| Sentry | View/Manage | Engineering team |
| PostHog | View | All team members |
2.2 Access Review
- Access rights reviewed quarterly
- Managers verify team member access is appropriate
- Unused access revoked promptly
3. Authentication Requirements
3.1 Multi-Factor Authentication (MFA)
MFA is required for:
- All production system access
- GitHub (organization level)
- Vercel, Neon, Clerk Dashboard
- 1Password
- Google Workspace
3.2 Implementation
All team members authenticate via Google OAuth with Google 2FA enabled on their accounts. This provides MFA for all integrated services.
3.3 Password Requirements
For systems not using OAuth:
- Minimum 12 characters
- Mix of uppercase, lowercase, numbers, and symbols
- No password reuse across systems
- Passwords stored in 1Password
4. Secrets Management
4.1 Storage
| Secret Type | Storage Location |
|---|---|
| Application secrets | Vercel environment variables |
| API keys | Vercel environment variables |
| Team passwords | 1Password |
| CI/CD secrets | GitHub Secrets |
4.2 Secret Handling Rules
- Never commit secrets to source code
- Never share secrets via email or chat
- Never store secrets in plaintext files
- Use 1Password for sharing credentials securely
- Rotate secrets when team members depart
5. Employee Offboarding Checklist
When an employee or contractor leaves Aurium, complete the following within 24 hours of departure:
5.1 Immediate Actions (Day of Departure)
- Disable Google Workspace account
- Remove from GitHub organization
- Remove from Vercel team
- Remove from Neon project
- Remove from Clerk organization
- Remove from 1Password team
- Remove from Sentry organization
- Remove from PostHog organization
- Remove from Slack workspace
- Remove from Trigger.dev
5.2 Within 24 Hours
- Rotate any secrets the employee had access to
- Review and revoke any API keys created by the employee
- Transfer ownership of any critical resources
- Remove from any customer-facing communications
5.3 Within 7 Days
- Audit access logs for last 30 days
- Ensure no unauthorized access after departure
- Update documentation and runbooks
- Collect any company equipment
6. Contact
For access requests or questions: security@aurium.ai