# Access Control Policy

| | |
|---|---|
| Owner | Joshua Curci - CTO |
| Applies to | All staff, contractors, and any individual with access to Trove systems or data |
| Last reviewed | April 2026 |
| Review cycle | Annually |
## Purpose
This policy defines how access to Trove systems, environments, and data is granted, managed, and revoked. It ensures that access is controlled on a least privilege basis, that privileged access is appropriately separated, and that access is removed promptly when no longer required.
## Scope
This policy applies to all Trove systems including but not limited to:
- Google Workspace (email, Drive, Calendar, Meet)
- GitHub (source code, repositories, CI/CD pipelines)
- AWS (infrastructure, S3, SQS, KMS, CloudWatch)
- DuploCloud (cloud infrastructure management)
- Auth0 (identity and authentication platform)
- Stripe (payment processing)
- Sentry (error monitoring)
- ClickUp (project management)
- Slack (team communication)
- Figma (design)
- Any other tool or platform used to access, process, or store Trove data
## Principles
All access decisions at Trove are based on the following principles:
Least privilege - individuals are granted only the access required to perform their role. Access is not granted broadly or speculatively.
Need to know - access to sensitive data is restricted to those who have a documented business need.
Separation of accounts - privileged and administrative accounts are separate from standard user accounts. An individual requiring both standard and privileged access must use separate credentials for each.
Individual accountability - shared credentials are not permitted. Every individual must have their own account so that actions can be attributed to a specific person.
## Access Provisioning
Access to Trove systems is provisioned by the CTO (Joshua Curci) or COO (Johnny Reid).
When a new team member joins or a contractor is engaged, the following process applies:
- The CTO or COO determines which systems the individual requires access to based on their role
- Accounts are created using the individual's Trove email address where applicable
- MFA is configured at the point of provisioning - accounts must not be handed over without MFA in place
- Access is documented and the individual is informed of their responsibilities under this policy and the Information Security Policy
- Privileged or administrative access is provisioned separately and only where explicitly required by the role
Access is never self-provisioned. Requests for additional access must be directed to the CTO or COO.
## Privileged Access
Privileged access includes administrative rights, production environment access, infrastructure management, and any access that could affect the security or availability of the platform.
Requirements for privileged access:
- Must be assigned to a dedicated account separate from the individual's standard account
- Dedicated privileged accounts are identified by a specific email format tied to the individual (not a shared admin account)
- Privileged access must only be used when required for the specific task - standard accounts should be used for day-to-day work
- Privileged actions in production environments should be logged where technically possible
- No contractor or third party should be granted persistent privileged access without explicit approval from the CTO
## Multi-Factor Authentication
MFA is mandatory for all individuals across all Trove systems that support it. This is a non-negotiable requirement with no exceptions.
- MFA must be configured before an account is considered active
- MFA must not be disabled, bypassed, or shared with another person
- If an MFA device is lost or compromised, the CTO must be notified immediately so access can be suspended and re-provisioned
- Systems with mandatory MFA include: Google Workspace, GitHub, AWS, DuploCloud, and all other platform tools
## Password Requirements
Where passwords are used, the following minimum requirements apply:
- Passwords must be unique to each system - password reuse across systems is not permitted
- Passwords must be sufficiently complex and not based on easily guessable information
- A password manager is recommended for managing credentials securely
- Passwords must never be shared with another person, stored in plain text, or sent via email or messaging platforms
- Default or vendor-supplied passwords must be changed immediately upon provisioning
## Remote Access
Trove operates as a fully remote organisation. All access to Trove systems occurs over the internet. The following requirements apply:
- Public Wi-Fi networks (cafes, hotels, airports) must not be used to access sensitive systems without a VPN or equivalent encrypted connection
- Devices used to access Trove systems must comply with the device requirements set out in the Acceptable Use Policy and the Information Security Policy
- Screen sharing during video calls must not inadvertently expose credentials, admin panels, or sensitive data
## Access Reviews
Access rights should be reviewed when:
- A team member changes role
- A contractor's engagement ends or is extended
- There is a suspected security incident
- The annual review of this policy takes place
The CTO is responsible for conducting access reviews and removing any access that is no longer required.
## Access Deprovisioning (Offboarding)
When a team member leaves or a contractor's engagement ends, access must be revoked promptly. The following steps apply:
- The CTO or COO initiates deprovisioning on or before the individual's last day
- All accounts across all Trove systems are disabled or deleted
- Any shared credentials the individual may have had access to are rotated
- Company-owned assets (if any) are returned
- The individual is reminded of their ongoing confidentiality obligations
Access should be revoked on the same day as departure where possible. Access must not remain active after the individual's last day without explicit approval from the CTO.
## Third-Party and Contractor Access
Contractors and third-party service providers (including the Arcanys development team) are subject to the same access control requirements as full-time staff.
Additional requirements for contractor access:
- Access is scoped to the systems and environments required for the engagement
- Contractors must not have persistent access to production environments without active supervision or a specific operational justification approved by the CTO
- Access is reviewed at the end of each engagement and removed unless explicitly renewed
- Contractors must not share their credentials with colleagues at their own organisation
See the Vendor Security Policy for broader third-party security requirements.
## Non-Compliance
Failure to comply with this policy may result in immediate revocation of access and disciplinary action up to and including termination of employment or contract. Where a breach of this policy contributes to a security incident, it may also be reportable under the Breach Response Plan.