5 controls
Operational across the product, the underlying platform, and the engineering team.
- 01Multi-factor authentication enforced on every production-access account across all infrastructure providers
- 02Privileged access restricted to the lead engineering team
- 03Quarterly access reviews; departure-triggered access removal verified before the departure is closed
- 04Account lifecycle events (creation, role change, deactivation) recorded and auditable; deactivation revokes active sessions immediately
- 05Service-account credentials scoped per least-privilege; rotated on personnel change or suspected exposure