Access Control Policy

Effective Date: April 23, 2026

1. Purpose

This policy defines access control requirements for all VaultKeeper systems, including role-based access control (RBAC), authentication standards, and access provisioning procedures to ensure that only authorized individuals can access consumer data and production systems.

2. Authentication Requirements

2.1 Consumer-Facing Application

Users authenticate via Firebase Authentication (email/password or Google Sign-In)
Multi-factor authentication (MFA) is supported and encouraged
Optional app-level lock (4-digit passcode with biometric via WebAuthn) provides additional device-level protection

2.2 Internal Systems

Multi-factor authentication (MFA) is required for all internal systems that store or process consumer data
This includes: Firebase Console, Cloudflare Dashboard, Plaid Dashboard, Teller Dashboard, GitHub, and any CI/CD systems
Hardware security keys or authenticator apps are the preferred MFA methods

3. Role-Based Access Control (RBAC)

3.1 Internal Roles

Role	Access Level	Description
Owner/Admin	Full	Full access to all infrastructure, dashboards, and production data
Developer	Limited	Code repository access, staging environments, no direct production data access
Read-Only	View	Dashboard viewing for monitoring purposes only

3.2 Application Roles

Role	Access Level	Description
Household Owner	Full	Full read/write to own data node, can invite/remove members
Household Member	Shared	Read/write to owner's shared data node, cannot manage membership
Individual User	Own Data	Read/write to own data only, isolated from all other users

3.3 Firebase Security Rules

Database access is enforced at the infrastructure level through Firebase Security Rules. Users can only read/write data under their own UID or, for household members, under the household owner's UID. Rules are version-controlled in database.rules.json.

4. Access Provisioning

Access to internal systems is granted only when there is a documented business need
All access grants follow the principle of least privilege
Privileged access (admin roles) requires explicit approval

5. Access De-provisioning

When a team member is terminated or transferred:

Access to all systems is revoked within 24 hours
API keys and tokens associated with the individual are rotated
Access removal is logged and verified

See our Employee Access Management Policy for detailed procedures.

6. Access Reviews

Periodic access reviews are conducted to ensure compliance. See our Access Review Policy for audit schedules and procedures.

7. Third-Party Access

Third-party services (Firebase, Cloudflare, Plaid, Teller) access data only as required to provide their services. Access tokens for bank connections are scoped to the minimum permissions required and can be revoked by the user at any time.

8. Policy Review

This policy is reviewed at least annually or upon significant changes to the system or team structure.