Access Control Policy
1. Purpose
This policy defines the access control requirements for CommVergent Automation LLC and all software platforms we develop and operate, including Elysian Money, FigrOut, BildOut, and HackHunters. The purpose is to ensure that access to production systems, infrastructure, and sensitive consumer data is granted on a least-privilege basis and is appropriately controlled, monitored, and revoked when no longer required.
2. Scope
This policy applies to:
- All personnel (employees, contractors, and consultants) with access to CommVergent Automation systems
- All production infrastructure including cloud hosting platforms, database systems, source code repositories, and deployment pipelines
- All third-party integrations that access or process consumer data on behalf of CommVergent Automation
3. Access Control Principles
CommVergent Automation enforces the following core principles across all systems:
3.1 Least Privilege
Access rights are granted at the minimum level required to perform a defined function. No user, service account, or API key is granted broader access than its specific role requires.
3.2 Role-Based Access Control (RBAC)
Access to systems and data is governed by defined roles. Roles are assigned based on job function and are reviewed when responsibilities change.
3.3 Separation of Environments
Development, staging, and production environments are isolated. Production credentials are never used in development or staging. Production data is never replicated to non-production environments.
3.4 No Shared Credentials
Shared passwords and shared API keys are prohibited. Each person and each service has unique credentials.
4. Application-Level Access Control
4.1 Elysian Money
Elysian Money enforces role-based access at the database layer using PostgreSQL Row-Level Security (RLS). Access roles within the application are:
| Role | Permissions |
|---|---|
| Owner | Full read/write access to their entity's financial data |
| Member | Read/write access to shared household data |
| Viewer | Read-only access to shared household data |
RLS policies are evaluated by PostgreSQL itself, so data isolation between users does not depend on the correctness of application code: a query issued through a database role that is subject to RLS cannot read or modify rows outside that user's policies even if the application layer contains a bug. Note that RLS is only bypassed by superusers and roles with the BYPASSRLS attribute, which in Supabase includes the service role; this is why the service role key is restricted to server-side use (see 5.2).
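The Owner / Member / Viewer split in the table above maps directly onto PostgreSQL RLS policies. The following is an added example, not Elysian Money's actual schema or code: the table names (households, household_members, transactions), the app_user role and the app.user_id session setting are assumptions. In a Supabase deployment the current_setting() call would be replaced by auth.uid().

```sql
-- Added example (not Elysian Money's schema): Owner / Member / Viewer roles
-- enforced with PostgreSQL Row-Level Security. All names are assumptions.

create table households (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null
);

create table household_members (
  household_id uuid not null references households(id),
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'member', 'viewer')),
  primary key (household_id, user_id)
);

create table transactions (
  id           bigserial primary key,
  household_id uuid   not null references households(id),
  amount_cents bigint not null,
  memo         text
);

-- The application connects as a plain role with table grants only.
-- It has neither SUPERUSER nor BYPASSRLS, so the policies below always apply.
create role app_user nologin;
grant select, insert, update, delete on transactions, household_members to app_user;
grant usage, select on sequence transactions_id_seq to app_user;

-- Enable RLS and FORCE it so even the table owner is subject to the policies.
alter table transactions      enable row level security;
alter table transactions      force  row level security;
alter table household_members enable row level security;
alter table household_members force  row level security;

-- Caller's role in a household. SECURITY DEFINER lets it read household_members
-- without recursing into that table's own RLS policy. The user id comes from
-- the session setting app.user_id (assumption); Supabase would use auth.uid().
create function current_household_role(hid uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from household_members
  where household_id = hid
    and user_id = nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- Viewer, Member and Owner may all read rows of households they belong to.
create policy transactions_select on transactions for select
  using (current_household_role(household_id) is not null);

-- Only Owner and Member may write. WITH CHECK also stops a writer from moving a
-- row into a household they do not belong to.
create policy transactions_insert on transactions for insert
  with check (current_household_role(household_id) in ('owner', 'member'));
create policy transactions_update on transactions for update
  using      (current_household_role(household_id) in ('owner', 'member'))
  with check (current_household_role(household_id) in ('owner', 'member'));
create policy transactions_delete on transactions for delete
  using (current_household_role(household_id) in ('owner', 'member'));

-- Membership itself: every member can see who is in the household,
-- but only the Owner can add, change or remove members.
create policy members_select on household_members for select
  using (current_household_role(household_id) is not null);
create policy members_write on household_members for all
  using      (current_household_role(household_id) = 'owner')
  with check (current_household_role(household_id) = 'owner');

-- Worked check on constructed data: user A owns a household, user B is a Viewer.
insert into households (id, owner_id) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
insert into household_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'owner'),
  ('11111111-1111-1111-1111-111111111111', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'viewer');

begin;
set local role app_user;
set local app.user_id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
-- Owner: insert succeeds.
insert into transactions (household_id, amount_cents, memo)
  values ('11111111-1111-1111-1111-111111111111', -1250, 'groceries');
commit;

begin;
set local role app_user;
set local app.user_id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';
-- Viewer: this select returns the groceries row ...
select id, amount_cents, memo from transactions;
-- ... but this insert fails with
-- "new row violates row-level security policy for table transactions",
-- because no INSERT policy grants a viewer write access.
insert into transactions (household_id, amount_cents, memo)
  values ('11111111-1111-1111-1111-111111111111', 500, 'should be rejected');
rollback;
```

The important design point is the role the application uses to connect: grants alone are not enough, since a role with BYPASSRLS (Supabase's service role, or any superuser) ignores every policy above. Keeping the application on a non-privileged role and the service role key server-side is what makes "cannot be bypassed at the application layer" true in practice.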
4.2 Other Platforms
FigrOut, BildOut, and HackHunters implement role-based access appropriate to their respective user models. All platforms enforce authentication before any data access is permitted.
5. Infrastructure Access Control
5.1 Cloud Platforms
Access to cloud management consoles (Vercel, Supabase, hosting providers) is restricted to authorized personnel only. Multi-factor authentication (MFA) is required for all personnel accessing these consoles.
5.2 Database Access
Direct database access is restricted to authorized administrators. Application services access the database using scoped service accounts with the minimum permissions required. The Supabase service role key is used only in server-side contexts and is never exposed to client-side code or logged.
5.3 Source Code Repositories
Access to source code repositories (GitHub) is restricted to authorized personnel. MFA is enforced on all repository accounts. Production secrets are never committed to source code.
5.4 API Keys and Secrets
All API keys, access tokens, and secrets are:
- Stored in environment variable systems provided by the hosting platform
- Never hardcoded in source code
- Never logged in application logs or error messages
- Rotated immediately upon suspected compromise
6. Third-Party Access
Third-party services that access or process consumer data on behalf of CommVergent Automation are evaluated prior to integration for their security practices. Current authorized third-party processors include:
| Provider | Access Granted | Purpose |
|---|---|---|
| Plaid | Read-only financial account data via access tokens | Bank connectivity |
| Supabase | Database storage and authentication | Application data layer |
| Vercel | Application hosting and deployment | Platform infrastructure |
| Stripe | Payment and subscription data | Billing |
Third-party access is reviewed when integrations change or when a provider's security posture materially changes.
7. Access Provisioning and Revocation
Provisioning: Access to production systems is granted only upon verified need and authorized by CommVergent Automation's designated administrator.
Revocation: Access is revoked immediately when a person's role changes, engagement ends, or access is no longer required. This includes:
- Revoking cloud console access
- Rotating or invalidating any API keys, service credentials, or other secrets the person had access to, since such secrets cannot be revoked on a per-person basis
- Removing repository access
Service accounts: API keys and service account credentials for departed contractors or decommissioned services are rotated immediately upon termination of the engagement or service.
8. Authentication Requirements
| System | MFA Required | Password Policy |
|---|---|---|
| Cloud consoles (Vercel, Supabase) | Yes | Strong password + MFA |
| Source code repositories (GitHub) | Yes | Strong password + MFA |
| Application end users (Elysian Money) | Planned | Email verified account |
9. Monitoring and Audit
- All ledger mutations in Elysian Money are recorded in an append-only audit log capturing actor, timestamp, action, and affected resource.
- Authentication events (login, logout, failed attempts) are logged by Supabase Auth.
- Production deployment events are logged by Vercel.
- Access control policy compliance is reviewed annually or following a significant change to personnel, systems, or platform architecture.
10. Policy Violations
Violations of this policy — including unauthorized access attempts, sharing of credentials, or circumventing access controls — are treated as serious security incidents. Violations by contractors or third parties may result in immediate termination of engagement and may be reported to relevant authorities.
11. Policy Review
This policy is reviewed annually by CommVergent Automation's designated security owner. Updates are made as needed to reflect changes in personnel, platform architecture, regulatory requirements, or security best practices.
Approved by:
Kandus MacMillan
Founder, CommVergent Automation LLC
April 2026
Contact:
security@commvergent.com