Access Control Policy
Last updated: February 22, 2026
1. Purpose
This policy defines the access controls in place to limit access to Break Space Inc. production assets (physical and virtual) and sensitive data, ensuring that only authorized personnel have access.
2. Principle of Least Privilege
Access to sensitive data and production systems is limited to authorized personnel with a valid, documented business need. Access is strictly restricted according to the principle of least privilege.
3. Role-Based Access Control (RBAC)
Access rights are grouped by role. Users are assigned to roles based on their job responsibilities, and permissions are granted to the role rather than the individual user.
4. Authentication and MFA
Access is secured with strong authentication. Multi-factor authentication (MFA) is enabled and strictly required for access to all critical systems, including infrastructure providers, code repositories, and administrative access points.
5. Non-Human Authentication
System-to-system and non-human authentication (such as internal API communication) is protected using securely stored API tokens and TLS 1.2 (or higher) certificates.
6. Access Reviews and Revocation
Production access is periodically reviewed to ensure access levels remain appropriate. When an employee or contractor is terminated, or when access is no longer required for their role, access is revoked promptly.