Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: SOC 2 CC6.1 / CC6.2 / CC6.3 (access-rights review); ISO/IEC 27001 A.5.18 (access rights). Implements the Access Control Policy.
Access-rights reviews are performed quarterly to verify that user access is limited to systems required for their job function. Reviews are documented and are required for SOC 2.

Cadence

  • User account review — quarterly, owned by the CISO.
  • Privileged / admin account review — quarterly, owned by the CISO.
  • Service account review — quarterly, owned by the CISO.
  • Triggered review — performed on any role change (promotion, demotion, transfer).

Process

  1. Pull the current user list per system from Vanta access reviews (which ingest identity-of-record from Rippling and reconcile against the Standard Access Matrix). Vanta is the review system of record; Rippling remains identity-of-record and the Access Matrix is the entitlement baseline. Spot-check against the system’s native admin console where the system isn’t fully Vanta-integrated.
  2. The system owner reviews each user’s access against their current role.
  3. Owner marks each row Approved / Modify / Revoke.
  4. IT executes changes within 5 business days.
  5. Evidence (signed-off review document) is filed in the SharePoint evidence library used for SOC 2 / ISO 27001 audits. Each review record captures the reviewer name, the approver / sign-off name, and the date the review was completed.

Systems in scope

SystemOwnerLast reviewed
AWS (Identity Center / IAM)CTOPending Q2 2026
Vultr (master + sub-accounts; API keys)CTO + CISOPending Q2 2026
GitHub (neuroscale org)Engineering Lead (CTO)Pending Q2 2026
Rippling (IdP / SSO / HRIS / MDM)CHRO + CISOPending Q2 2026
Production database (Aurora / Postgres)Engineering Lead (CTO)Pending Q2 2026
Microsoft 365 (Outlook / SharePoint)CISOPending Q2 2026
Better Stack (logs + on-call)CISOPending Q2 2026
LinearCTOPending Q2 2026
Dashlane (admin)CISO + CFOPending Q2 2026
HashiCorp Vault (auth methods, policies, root token holders)CTO + CISOPending Q2 2026
VantaCISOPending Q2 2026
Cloudflare One (Access / Gateway)CISOPending Q2 2026
Tailscale (production cohort)CISO + CTOPending Q2 2026
WorkOS (customer-side auth)CISOPending Q2 2026
Portkey AI (LLM gateway)CTO + CISOPending Q2 2026
Checkr (background screening)CHROPending Q2 2026

Records

Records of permission and privilege changes are retained for at least one year.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani