Access control, RBAC and MFA
We control who can see data using role-based access control (RBAC), multi-factor authentication (MFA), device posture checks, and continuous access reviews. Every access decision is logged and auditable.
Core access principles
Least privilege (RBAC)
Every user and service is assigned the minimum permissions needed for their role. Role assignments expire automatically after 90 days unless renewed through review approval.
Multi-factor authentication (MFA)
Authenticator apps, SMS codes, or hardware tokens are mandatory for all internal users and client admins. MFA bypass is disabled.
Device posture and compliance checks
Internal agents use managed laptops with endpoint detection and response (EDR), disk encryption, and automatic patching. Non-compliant devices are blocked.
Monthly access reviews and logs
Leads review who has access to personal data every month. Dormant accounts are deactivated. Access logs show who viewed what, when, and from which IP.
Role-based access examples
| Role | Permissions | MFA | Device check | Review cycle |
|---|---|---|---|---|
| Agent (verification specialist) | View assigned cases, upload evidence, add notes | Yes | Yes | Monthly |
| Supervisor | View team cases, approve outcomes, escalate risky verifications | Yes | Yes | Monthly |
| Client admin | View own organisation results, manage team access, download reports | Yes | No | Quarterly |
| DevOps engineer | Manage infrastructure, view logs, rotate keys | Yes + hardware token | Yes | Monthly |
| Data Protection Officer | Audit logs, respond to rights requests, manage retention schedules | Yes | Yes | Quarterly |
Technical access controls
IP whitelisting for high-risk routes
Admin panels, KMS key operations, and bulk data exports are restricted to office IPs and approved VPN ranges. Requests outside the whitelist are blocked and logged.
Session timeouts and screen locks
Web sessions expire after 30 minutes of inactivity. Internal tools lock after 5 minutes. Agents use session PINs to unlock screens without re-authenticating.
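The controls on this page (role permissions from the table, MFA and hardware-token requirements, device posture, the 90-day role expiry, the IP allowlist for high-risk routes, and session idle timeouts) compose into a single access decision that is logged whichever way it goes. The following is an added example of such a decision function, written for this page and not the organisation's own code: the action names, CIDR ranges, timestamps and the `AccessRequest` fields are constructed for illustration, and the mapping of "KMS key operations" and "admin panels" onto `rotate_keys` and `manage_infrastructure` is an assumption.

```python
"""Access-decision function modelled on the page's role table and controls.
Added example, not production code; role/action names, network ranges and
timestamps below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import ipaddress

# Role -> permitted actions, transcribed from the role table (names are constructed).
ROLE_PERMISSIONS = {
    "agent": {"view_assigned_cases", "upload_evidence", "add_notes"},
    "supervisor": {"view_team_cases", "approve_outcomes", "escalate_verification"},
    "client_admin": {"view_org_results", "manage_team_access", "download_reports"},
    "devops": {"manage_infrastructure", "view_logs", "rotate_keys"},
    "dpo": {"audit_logs", "respond_rights_requests", "manage_retention"},
}
DEVICE_CHECK_ROLES = {"agent", "supervisor", "devops", "dpo"}  # client admins are exempt
HARDWARE_TOKEN_ROLES = {"devops"}                              # table: "Yes + hardware token"
MFA_METHODS = {"authenticator_app", "sms", "hardware_token"}
# Assumed mapping of "KMS key operations" / "admin panels" onto action names.
HIGH_RISK_ACTIONS = {"rotate_keys", "manage_infrastructure"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # constructed office range
                    ipaddress.ip_network("10.8.0.0/16")]       # constructed VPN range
ROLE_MAX_AGE = timedelta(days=90)                              # expiry without review approval
IDLE_TIMEOUT = {"web": timedelta(minutes=30), "internal": timedelta(minutes=5)}

AUDIT_LOG: list = []  # every decision, allow or deny, is appended here


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    action: str
    mfa_method: Optional[str]     # None = no second factor completed
    device_compliant: bool
    source_ip: str
    role_granted_at: datetime
    last_activity: datetime
    surface: str = "web"          # "web" or "internal"


def evaluate(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) and record who asked for what, when, from which IP."""
    allowed, reason = _check(req, now)
    AUDIT_LOG.append({"user": req.user, "action": req.action, "ip": req.source_ip,
                      "at": now.isoformat(), "allowed": allowed, "reason": reason})
    return allowed, reason


def _check(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Apply the controls in order; the first failing control decides."""
    perms = ROLE_PERMISSIONS.get(req.role)
    if perms is None:
        return False, "unknown role"
    if now - req.role_granted_at > ROLE_MAX_AGE:
        return False, "role assignment expired (no review approval in 90 days)"
    if req.mfa_method not in MFA_METHODS:
        return False, "MFA required"
    if req.role in HARDWARE_TOKEN_ROLES and req.mfa_method != "hardware_token":
        return False, "hardware token required for this role"
    if req.role in DEVICE_CHECK_ROLES and not req.device_compliant:
        return False, "device failed posture check"
    if req.action not in perms:
        return False, "action not permitted for role"
    if req.action in HIGH_RISK_ACTIONS:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            return False, "high-risk action from non-allowlisted IP"
    if now - req.last_activity > IDLE_TIMEOUT[req.surface]:
        return False, "session expired, re-authentication required"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    demo = AccessRequest("alice", "devops", "rotate_keys", "hardware_token", True,
                         "198.51.100.7", now - timedelta(days=10), now - timedelta(minutes=1))
    print(evaluate(demo, now))   # denied: off-allowlist IP for a high-risk action
    for entry in AUDIT_LOG:
        print(entry)
```

Checks are ordered so that the cheapest and most general controls (role validity, MFA) run before the action-specific ones, and the audit record is written for denials as well as allows, which is what makes the log usable for the monthly reviews described above.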
