1. Purpose
This policy defines how SlashLogixx grants, reviews, and revokes access to production systems, customer data, source code, and administrative tooling for the Spark platform and all SlashLogixx-operated products.
2. Scope
Applies to every SlashLogixx employee, contractor, automated agent, and third-party subprocessor who can authenticate to any SlashLogixx system or environment that processes, stores, or transmits customer data.
3. Identity
- Every person has a single, named identity. Shared accounts are prohibited in production.
- Automated agents and services use dedicated service identities, scoped per integration, with no human use.
- Identity provisioning, modification, and deprovisioning are logged and retained for at least twelve (12) months.
4. Authentication
- Multi-factor authentication is required on every account with access to production systems, source-code repositories, cloud consoles, billing portals, and DNS.
- MFA factor strength: time-based one-time password (TOTP) at minimum; hardware security keys (FIDO2) preferred for administrative roles.
- Passwords are never reused across systems and must meet a minimum entropy requirement aligned with NIST SP 800-63B.
- SSH and API keys are stored in a managed secrets backend, never in source control, never in plain-text configuration files.
5. Authorization — Least Privilege
- Access is granted on a need-to-know, need-to-use basis. Default posture is deny; permissions are explicit.
- Production access (write access to customer data, infrastructure, or release pipelines) is scoped to the smallest set of personnel required to operate the platform.
- Administrative privileges are time-bound where the underlying system supports it (just-in-time elevation) and reviewed quarterly.
- No single individual can both ship code to production and unilaterally disable audit logging.
6. Key & Secret Management
- Long-lived API keys are rotated at least every ninety (90) days or immediately on suspicion of compromise.
- Encryption keys for data at rest are managed in a key-management service (KMS), rotated annually, and access-logged.
- Cryptographic secrets are never transmitted by email, chat, or ticket; they are exchanged only through the managed secrets backend.
7. Review
- Access reviews are conducted quarterly. Each privileged role is reviewed by the role owner and a second reviewer.
- Anomalies are escalated to Security within five (5) business days of discovery and are either remediated or accepted in writing with a documented rationale.
8. Revocation
- Revocation on departure or role change is initiated within one (1) business hour of HR notification and completed within twenty-four (24) hours across every connected system.
- Suspected credential compromise triggers immediate revocation of the affected credential and forensic review under the Incident Response policy.
9. Audit Logging
- Authentication events, privilege elevations, and access to customer data are logged with sufficient detail to reconstruct activity.
- Logs are forwarded to a tamper-evident store; retention is no less than twelve (12) months.
- Log integrity is verified on ingest. Direct modification or deletion of audit logs is prohibited and monitored.
10. Customer-Side Access (Spark Studio & OnPrem)
For Spark Studio and Spark OnPrem deployments, SlashLogixx has no operational access to the customer's runtime environment. The customer is the sole administrator. This policy governs SlashLogixx-operated systems only; customers operating Spark on their own infrastructure are responsible for an equivalent control set on their side.
11. Exceptions
Exceptions require a written request, a documented business justification, a stated expiration date, and approval from the Security owner. Open exceptions are reviewed monthly.
12. Contact
Questions, evidence requests, or reports of suspected access misuse: security@slashlogixx.com.