Access control policy
Last reviewed 2026-05-18
Scope
All user-facing and administrative access to HiringCoachAI production systems, including: the application (via Firebase Auth / NextAuth), Firebase console, Google Cloud console, Vercel dashboard, Stripe dashboard, SendGrid, Sentry, analytics vendors, and any other tooling that touches customer data.
Current personnel posture
As of 2026-05-11, production, source-code, customer-data, and vendor-dashboard access is limited to the Security Officer.
Limited internal-document collaboration does not include customer-data access, source-code access, production access, or vendor-dashboard access. Third-party background screening is required before any worker, regardless of worker type, is granted sensitive-system access (customer data, source code, production systems, or vendor dashboards); see the background checks policy. Non-sensitive access (such as internal-document collaboration) does not trigger the screening requirement.
Principles
1. Least privilege: every identity receives the minimum permissions required.
2. Deny by default: Firestore rules, cloud IAM, and API authorization start from deny.
3. Separation of duties: current administrative accounts are required by policy to use Google Account MFA at the identity-provider layer, and selected admin actions are audit-logged; production data-modifying scripts require explicit approval by the Security Officer.
4. Regular review: quarterly access review (see internal audit program).
5. Prompt revocation: target within 24 hours of offboarding or role change.
Roles (application)
| Role | Description | Scope |
|---|---|---|
| admin | HiringCoachAI staff admin | Cross-tenant read; support actions; no PII export without Security Officer approval |
| Non-administrator (default) | Authenticated end user | User-scoped: read/write own records only |
Authorization is enforced in API routes and firestore.rules using administrator status held in the Firestore admins collection.
Roles (platform / cloud console)
| Role | Who | Platform access |
|---|---|---|
| Security Officer | Administrative owner | All |
| Engineering | Engineering personnel | Vercel (dev + preview), Firebase (dev + staging), Sentry (read + triage) |
| Production-Break-Glass | Security Officer only | Firebase prod console, GCP IAM, Stripe live |
Break-glass access is logged with date, reason, duration, and Security Officer review in the restricted break-glass register.
Authentication requirements
- Customers: Email magic link or OAuth (Google/LinkedIn/Facebook). Application-level TOTP MFA is available as an opt-in setting on the user's /accountSecurity tab (RFC 6238 authenticator apps; one-time backup codes; AES-256-GCM at rest; anti-replay enforced server-side; defined re-challenge window).
- Admins: Current administrative accounts are required by policy to use Google Account MFA at the identity-provider layer. Server-side admin authorization checks are enforced on every protected API route, and administrators may also enroll in application-level TOTP MFA on /account/security.
- Platform tools: Work and vendor-dashboard accounts used for administrative access, including Vercel, Firebase, Google Cloud, Stripe, SendGrid, Sentry, GitHub, email, and domain administration, are configured and reviewed for MFA coverage under the acceptable-use policy. Quarterly access reviews verify that administrative vendor-dashboard access remains appropriate and MFA-protected.
Password rules
Production customer authentication is passwordless today (email magic link or OAuth). For the optional non-production test-credentials path, and for any future password fallback:
- Minimum 8 characters for the current non-production test-credentials path; any future customer-facing single-factor password fallback must use the then-current NIST SP 800-63B minimum before release (SP 800-63B-4 currently requires 15 characters for single-factor passwords, or 8 characters when the password is used only as part of MFA)
- HIBP k-anonymity check: reject known-breached passwords when HIBP responds; fail open on HIBP vendor outage to preserve availability
- No composition rules
- No forced rotation (rotate only on suspected compromise)
- Account lockout: 5 failures / 15 min soft-lock; 10 failures hard-lock requiring email re-verification
Session management
- Customer idle timeout: 30 min
- Customer absolute max: 7 days
- Admin idle timeout: 15 min
- Admin absolute max: 12 hours
- Users can view current-session metadata and revoke the current session or all sessions at /settings/sessions and /account/sessions; JWT sessions do not maintain a full per-device session inventory
- Administrator sessions are bounded by the idle (15 min) and absolute (12 hour) timeouts above; administrator actions on selected endpoints are recorded in the append-only audit log.
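An added Node.js example (not the project's own code) that evaluates a JWT-style session against the idle and absolute bounds listed above for both roles. Because the page says JWT sessions keep no per-device inventory, the example assumes that "revoke all sessions" is implemented as a per-user cutoff timestamp; that mechanism is an assumption, not something the policy states.

```javascript
const MINUTE = 60 * 1000;
const HOUR = 60 * MINUTE;
const DAY = 24 * HOUR;

// Session bounds from the policy, in milliseconds.
const SESSION_POLICY = {
  customer: { idleMs: 30 * MINUTE, absoluteMs: 7 * DAY },
  admin: { idleMs: 15 * MINUTE, absoluteMs: 12 * HOUR },
};

// session = { role, issuedAt, lastActive } with epoch-millisecond times.
// sessionsRevokedAt is the assumed per-user "revoke all" cutoff (0 = never revoked):
// any token issued before it is rejected, which is how a stateless JWT can be revoked
// without a per-device inventory.
function sessionStatus(session, now, sessionsRevokedAt = 0) {
  const policy = SESSION_POLICY[session.role];
  if (!policy) throw new Error(`unknown role: ${session.role}`);
  if (session.issuedAt < sessionsRevokedAt) return "revoked";
  // The absolute bound is checked first: activity never extends it.
  if (now - session.issuedAt >= policy.absoluteMs) return "expired-absolute";
  if (now - session.lastActive >= policy.idleMs) return "expired-idle";
  return "active";
}

// Refresh on activity: slides the idle window but keeps the original issue time, so the
// absolute maximum still applies. Returns null when the session may not be refreshed.
function touchSession(session, now, sessionsRevokedAt = 0) {
  if (sessionStatus(session, now, sessionsRevokedAt) !== "active") return null;
  return { ...session, lastActive: now };
}
```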
Provisioning / deprovisioning
| Event | Action | Target |
|---|---|---|
| New full-time employee | Access granted to least-privilege scope on tools needed after approval by the Security Officer; background check required before sensitive access | Within 1 business day |
| Contractor | Access granted only to Security-Officer-approved least-privilege scope; third-party background screening required before any sensitive-system access per the background checks policy | Within 1 business day |
| Limited internal-document collaborator | Access limited to approved internal documents unless the Security Officer approves a broader least-privilege scope; third-party background screening required before any sensitive-system access per the background checks policy | Within 1 business day |
| Role change | Access adjusted via ticket + approval by the Security Officer | Within 2 business days |
| Offboarding | All access revoked; MFA removed; tokens rotated; emails archived | Within 24 h |
| Customer signup | Standard non-administrator access assigned automatically | Immediate |
| Customer deletion | Cascading deletion across active product data, authentication/session records, pilot-program identifiers (with anonymized usage retention), and Stripe subscription cancellation. Vendor-side deletion outside Stripe handled through DSR. | Per the data retention policy |
| Suspected compromise | Session revoke all; password reset; tokens rotated; audit-log review | Within 1 hour |
A Joiners / Movers / Leavers checklist is maintained as internal evidence.
SCIM / SSO
Enterprise SCIM 2.0 provisioning and SAML/OIDC SSO are available on enterprise engagement. Customer sign-in today is available via OAuth (Google, LinkedIn, Facebook) and email magic link.
Access review
Quarterly (per internal audit program):
- List every admin in the Firestore admins collection: confirm still employed and still requires admin.
- List every vendor-dashboard account: confirm MFA enabled where supported and privileges appropriate.
- Review auditLog for anomalous admin actions
- Confirm break-glass log entries match authorized events
Findings are retained in the restricted access-review evidence set.
Audit logging
Account, session, app-level MFA, OAuth account-linking, account-deletion, AI feedback, cookie-consent, admin-status, and NextAuth sign-in and sign-out actions write to the Firestore audit log. The audit log is append-only at the Security Rules layer: client SDK writes, updates, and deletes are denied for all users (including administrators), so only server-side admin SDK code can write. Institution-scoped audit-log export and SIEM integration are available on enterprise engagement. Retention target is 2 years, enforced by a scheduled retention runner.