Skip to content

Access Control Procedures

Ouva applies least-privilege and role-based access controls across internal systems and customer-facing services.

  • Every user account is uniquely identifiable and tied to an individual or approved service identity.
  • Access is granted based on job function, approved use case, and minimum required scope.
  • Shared accounts are avoided unless technically required, and then controlled with compensating safeguards.
  • New access requires system-owner approval and role definition before enablement.
  • Access changes are processed when responsibilities change.
  • Access is revoked promptly when employment, contract, or business need ends.
  • Temporary or emergency access is time-bound and documented.
  • Multi-factor authentication is required for administrative and production system access where supported.
  • Passwords must be unique, high-entropy, and stored only in approved password-management tooling.
  • Default passwords and default vendor accounts are changed or disabled before production use.
  • Access from unmanaged endpoints may be restricted based on risk, including network controls such as allowlists when required.
  • Elevated permissions are granted to a limited set of authorized personnel.
  • Privileged actions are scoped to approved maintenance, support, and security operations.
  • Break-glass access follows an approval and audit process, with post-event review.
  • Access to customer data is limited to personnel who require it for support, operations, or security responsibilities.
  • Access is logged and attributable to a specific identity.
  • Customer environments and tenant data are logically isolated to prevent cross-tenant access.
  • Authentication and authorization events are logged for auditability.
  • Privileged access assignments are reviewed on a recurring cadence and adjusted as needed.
  • Dormant or unnecessary access is removed during periodic access recertification.

For platform authentication and SSO implementation details, see Authentication & SSO. For tenant isolation and data encryption controls, see Security & Privacy Controls.