Access Review & Audit Policy

Effective Date: April 23, 2026

1. Purpose

This policy establishes procedures for periodic access reviews and audits to ensure that access to VaultKeeper systems remains appropriate, authorized, and aligned with the principle of least privilege.

2. Review Schedule

3. Review Procedures

Each access review includes the following steps:

• Inventory: List all accounts with access to the system under review
• Validate: Confirm each account still requires access and the access level is appropriate
• Revoke: Remove access for accounts that no longer require it (e.g., former team members, unused service accounts)
• Document: Record review date, findings, and any actions taken
• Escalate: Report any anomalies (unexpected accounts, excessive permissions) for investigation

4. Audit Scope

Access audits cover:

• User accounts and their roles/permissions across all systems
• Service accounts and API keys
• MFA enrollment status for all accounts
• Firebase Security Rules for any unintended access paths
• Cloudflare Worker environment variables and secrets
• Active Plaid and Teller integrations and their token status

5. Audit Logging

The following logs are maintained and reviewed:

• Firebase Authentication sign-in and admin activity logs
• Cloudflare dashboard access logs
• GitHub repository access and commit history
• Changes to Firebase Security Rules

6. Findings and Remediation

Issues identified during access reviews are addressed as follows:

• Unauthorized access: Revoked immediately, investigated for potential breach
• Excessive permissions: Reduced to appropriate level within 7 days
• Missing MFA: MFA enrollment required within 48 hours
• Stale accounts: Disabled immediately, deleted after 30-day hold

7. Compliance Records

Access review records are retained for a minimum of 2 years and include: review date, reviewer, systems reviewed, findings, and actions taken.

8. Policy Review

This policy is reviewed at least annually.