Access Control Policy — SOVAI Technology LLC
Starting draft — to be reviewed and formalized as the company grows; not yet audited against any certification framework (SOC 2 is on the roadmap).
Purpose
Define who may access SOV AI systems and customer data, and how that access is granted, used, and revoked.
Principle of Least Privilege
Every person and system component gets the minimum access needed to do its job. Access is granted for a specific need, not by default.
Account Types
- Customer accounts — end users of SOV AI, scoped to their own organization.
- Staff/admin accounts — internal team accounts, kept separate from customer accounts with separate authentication. Staff access is limited to what operations and support require.
Authentication
- Passwords are hashed with bcrypt; plaintext passwords are never stored.
- Sessions use session-cookie authentication.
- Authentication endpoints are rate limited to slow credential-stuffing and brute-force attempts.
- All traffic is encrypted in transit (TLS).
Authorization
Tenant isolation is enforced at the application layer: every query is scoped to the requesting user's organization. Customer files live in private storage buckets and are served only via short-lived signed URLs — never public links.
Privileged Access
- The database service-role key is restricted to the application/server environment. It must never be embedded in client code, shared personally, or used outside production infrastructure.
- Production access (Render, Supabase, Stripe, Resend, AI provider consoles) is limited to the small set of team members who operate the service.
Onboarding and Offboarding
- Onboarding: grant only the accounts and roles the new team member's work requires, at the time they are needed.
- Offboarding: revoke all access promptly on departure or role change — staff accounts, provider console access, and any shared credentials (rotate keys if a departing member had access to them).
Access Review
Periodically review who holds staff/admin accounts and production console access, and remove anything no longer needed.
Reporting
Report suspected unauthorized access, over-broad permissions, or any access-control concern to admin@sovaitech.com.