Appcircle System Access Control Policy¶
Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy defines the requirements for controlling logical access to Appcircle's systems and data. It establishes how access is granted, maintained, reviewed, and revoked to protect information assets from unauthorised access while enabling authorised users to perform their roles effectively.
Scope¶
This policy applies to:
- Appcircle's workforce (employees, contractors, and temporary staff) and any third parties granted access to Appcircle systems or data.
- All systems that store, process, or transmit restricted, confidential, or otherwise sensitive information, including cloud infrastructure, corporate applications, and product services.
- Appcircle's production infrastructure hosted on Google Cloud Platform, and corporate systems including GitHub, Microsoft 365, Bitwarden, Linear, and other approved applications.
Self-hosted customer deployments operate under the customer's own access control responsibility.
Policy principles¶
- Least privilege: Access is granted at the minimum level required to perform a legitimate business function. No excess permissions are assigned by default.
- Individual accountability: All access is assigned to named individuals. Shared or generic accounts are not permitted except where technically unavoidable and explicitly approved.
- Need-to-know: Access to sensitive data is restricted to those with a documented business need.
- Separation of duties: Critical functions are divided across roles to reduce the risk of error or misuse.
Access provisioning¶
Access to systems and data requires formal approval prior to provisioning. Provisioning is documented through the onboarding checklist or an equivalent approved request, capturing the required access and the identity of the approver.
Default passwords are changed upon first use. All accounts are individually named and attributed to the person or system requiring access.
Authentication requirements¶
All user access to Appcircle systems must be authenticated using:
- Strong passwords managed via the approved enterprise password manager (Bitwarden), in accordance with the Password Policy.
- Multi-factor authentication (MFA), enforced for all applicable systems via Microsoft Entra ID Conditional Access policies.
- Single sign-on (SSO) via Microsoft Entra ID, applied wherever the system supports it.
Authentication credentials must not be shared, written down in plaintext, or stored outside approved and secure mechanisms.
Privileged access¶
Privileged access — including the ability to create or modify accounts, change security configurations, or administer infrastructure — is restricted to the minimum number of personnel required to maintain operational continuity.
Privileged access is subject to heightened scrutiny during periodic reviews and is documented separately from standard user access.
Periodic access review¶
Access to all systems is reviewed at least quarterly to confirm that each access grant reflects a current and legitimate business need. Reviews identify and remediate:
- Accounts that should have been revoked following role changes or offboarding.
- Excessive permissions accumulated over time.
- Orphaned or inactive accounts.
Offboarding and access revocation¶
System access for departing personnel (employees, contractors, and vendors) is revoked within one business day of the effective separation date.
The offboarding process includes:
- Notification to system administrators to execute access revocation across all in-scope systems.
- Return of company-issued devices, access mechanisms, and credentials.
- Immediate revocation if access misuse is suspected or a credential compromise is identified.
Access permissions and restrictions¶
Personnel may only access systems and data necessary for their role. Access to torrent sites, peer-to-peer services, or the dark web from Appcircle systems is prohibited. Approved systems and permitted uses are defined in the Acceptable Use Policy.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Owns this policy; ensures review, updates, and communication; approves exceptions.
- Engineering / Platform / Operations: Provisions and revokes access; enforces authentication controls; conducts and documents access reviews.
- All personnel: Read, acknowledge, and comply with this policy; report suspected unauthorised access or credential compromises promptly.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria — Logical and Physical Access Controls)
- ISO/IEC 27001:2022 (A.5.15–A.5.18 Access control, A.8.2–A.8.5 Identity and authentication)
- GDPR (Article 32 — Security of processing)
- KVKK (Article 12 — Data security obligations)
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorised delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to systems, organisational structure, or regulatory requirements.
Note
This public policy describes Appcircle's access control posture at a high level. Detailed internal standards and procedures (including specific access request workflows, review cadences, privileged access controls, and system-level configurations) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- Acceptable Use Policy
- Password Policy
- Endpoint Device Security Policy
- Logging and Monitoring Policy
- Vendor Management Policy