Employee Access Management Policy
Effective Date: April 23, 2026
1. Purpose
This policy establishes procedures for provisioning, modifying, and de-provisioning access to VaultKeeper systems when team members join, change roles, or leave the organization.
2. Access Provisioning (Onboarding)
When a new team member joins:
- Access is granted based on role assignment per the Access Control Policy
- Only the minimum necessary permissions for the role are granted
- MFA enrollment is required before access is granted to any system containing consumer data
- The new member acknowledges the Information Security Policy
3. Systems Requiring Access Management
| System | Access Method | De-provisioning Method |
| --- | --- | --- |
| GitHub Repository | GitHub organization invite | Remove from organization |
| Firebase Console | Google account with IAM role | Remove IAM binding |
| Cloudflare Dashboard | Team member invite | Remove team member |
| Plaid Dashboard | Team member invite | Remove team member |
| Teller Dashboard | Account credentials | Reset credentials, revoke access |
4. Access Modification (Role Change)
When a team member changes roles:
- Previous role permissions are reviewed and removed if no longer needed
- New role permissions are granted per the Access Control Policy
- Changes are completed within 48 hours of the role change
- Access modification is documented
5. Access De-provisioning (Offboarding)
When a team member is terminated or leaves the organization, the following steps are completed within 24 hours:
- Remove access from all systems listed in Section 3
- Rotate any shared secrets or API keys the individual had access to
- Review recent activity logs for the departing member
- Revoke any active sessions or tokens
- Update the Cloudflare Workers secrets if the individual had access to production environment variables
6. Emergency De-provisioning
In cases of termination for cause or suspected security compromise:
- All access is revoked immediately (within 1 hour)
- All secrets and credentials the individual had access to are rotated immediately
- Activity logs are preserved and reviewed for unauthorized actions
- Incident response procedures are initiated if unauthorized access is detected
7. Verification
After any de-provisioning event:
- A second team member verifies that access has been fully removed
- Verification is documented with date and verifier
8. Automation
Where supported by the platform, automated de-provisioning is configured:
- GitHub organization member removal cascades to repository access
- Firebase IAM removal is effective immediately
- Cloudflare team member removal revokes dashboard access instantly
9. Policy Review
This policy is reviewed at least annually or when organizational changes occur.