Register Owner: CISO
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: SOC 2 CC6.1–CC6.3; ISO 27001 A.5.15–A.5.18, A.8.2, A.8.5. Visualizes the Access Control Policy and Access Matrix.
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: SOC 2 CC6.1–CC6.3; ISO 27001 A.5.15–A.5.18, A.8.2, A.8.5. Visualizes the Access Control Policy and Access Matrix.
Authentication & authorization paths
Controls
- Customers authenticate via WorkOS (SSO/OIDC + MFA) to the product.
- Workforce authenticate via Rippling (IdP/SSO + MFA) with role-based bundles; joiner/mover/leaver per Access Management and Offboarding.
- Admin panel and engineer access are gated by Cloudflare Access (Zero Trust); production-infrastructure access additionally requires Tailscale (device-bound) and uses Vault for workload secrets / break-glass.
- Least privilege + reviews: privileged access requires named approval; quarterly access reviews cover user, privileged, and service accounts (see Access Reviews). Entitlement baseline is the Access Matrix.
Cross-references
- Access Control Policy · Access Matrix · Access Management · Access Reviews
- Cryptography Policy · Network & Architecture Diagram
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial identity & access diagram. | Cameron Wolfe | Ishan Jadhwani |