KILLSUB ACCESS CONTROLS POLICY Version 1.0 Effective Date: October 16, 2025 DOCUMENT INFORMATION Policy Name: Access Controls Policy Version: 1.0 Effective Date: October 16, 2025 Next Review: October 16, 2026 Approved By: Founder/CEO Classification: Internal Use 1. SCOPE AND PURPOSE Scope This policy applies to all KillSub systems, applications, databases, and data repositories, including: • Production and staging environments • User data and financial information • Administrative systems and tools • Third-party integrations (Plaid, Stripe, Supabase) • Development and testing environments Purpose The objectives of this access control policy are to: • Protect sensitive user data and financial information • Ensure compliance with financial regulations (PCI DSS, GDPR, CCPA) • Prevent unauthorized access to systems and data • Maintain audit trails for security and compliance • Support business continuity and operational security 2. ACCESS CONTROL PRINCIPLES Role-Based Access Control (RBAC) Access to KillSub systems is granted based on predefined roles that align with job functions and responsibilities. Each role has specific permissions that are: • Clearly defined and documented • Regularly reviewed and updated • Implemented through technical controls • Monitored through audit logs Principle of Least Privilege Users are granted the minimum level of access necessary to perform their job functions. This principle ensures: • Reduced risk of unauthorized data access • Limited impact of compromised accounts • Simplified access management • Enhanced security posture Need-to-Know Basis Access to sensitive information is granted only when there is a legitimate business need. This includes: • Financial data access for support purposes only • User data access limited to specific use cases • Administrative access restricted to authorized personnel • Regular justification of continued access 3. ROLE DEFINITIONS Founder/Admin Access Level: Full System Access MFA Required: Yes Permissions: • Full database access • User account management • System configuration • Security settings • Financial data access Restrictions: • All actions logged • Requires justification for sensitive operations • Quarterly access review Developer Access Level: Code and Staging Access MFA Required: Yes Permissions: • Staging environment access • Code repository access • Development tools • Testing data access Restrictions: • No production data access • No financial data access • All changes require approval Support Access Level: Limited User Data Access MFA Required: Yes Permissions: • User account information (non-financial) • Support ticket access • Basic system monitoring • User communication tools Restrictions: • No financial data access • No system configuration • All access logged and monitored User Access Level: Self-Service Account Access MFA Required: Optional Permissions: • Own account data • Own financial data • Subscription management • Data export/deletion Restrictions: • Access limited to own data only • No administrative functions • Row-level security enforced 4. ACCESS PROVISIONING PROCESS Access Request Process 1. Request Submission: Access requests must be submitted in writing with business justification 2. Manager Approval: Direct manager must approve the access request 3. Security Review: Security team reviews request for compliance 4. Access Grant: Access is provisioned with appropriate permissions 5. Documentation: All access grants are documented and logged Authorization Requirements • Founder/Admin Access: Requires CEO approval and security clearance • Developer Access: Requires CTO approval and background check • Support Access: Requires manager approval and training completion • Contractor Access: Requires signed agreement and limited duration Documentation Requirements • Access request forms with business justification • Approval documentation from authorized personnel • Access provisioning records with timestamps • User acknowledgment of security policies • Regular access review documentation 5. AUTHENTICATION REQUIREMENTS Multi-Factor Authentication (MFA) • Admin/Developer Access: MFA required for all administrative accounts • Support Access: MFA required for support personnel • User Access: MFA recommended for enhanced security • Implementation: TOTP-based authentication using authenticator apps OAuth Tokens for API Access • Token Management: All API access requires valid OAuth tokens • Token Rotation: Tokens are rotated every 90 days • Scope Limitation: Tokens are scoped to specific permissions • Monitoring: All token usage is logged and monitored TLS Certificates for Service-to-Service • Certificate Management: All service communications use TLS 1.3 • Certificate Validation: Certificates are validated and monitored • Renewal Process: Automated certificate renewal and deployment • Security Standards: Minimum 2048-bit RSA or 256-bit ECDSA keys 6. ACCESS REVIEWS Quarterly Access Reviews • Review Schedule: Access reviews conducted quarterly • Review Scope: All user accounts and permissions • Review Process: Managers verify continued need for access • Documentation: All reviews documented with approval signatures • Remediation: Unnecessary access removed within 30 days Immediate Revocation • Termination: Access revoked immediately upon employee termination • Role Change: Access updated within 24 hours of role change • Security Incident: Access suspended during security investigations • Policy Violation: Access revoked for policy violations Audit Logging Requirements • Access Events: All access attempts logged with timestamps • Permission Changes: All permission modifications logged • Failed Attempts: Failed access attempts monitored and alerted • Retention: Audit logs retained for 7 years • Monitoring: Real-time monitoring of suspicious access patterns 7. TECHNICAL IMPLEMENTATION Supabase Row Level Security (RLS) • Policy Implementation: RLS policies enforce data access at database level • User Isolation: Users can only access their own data • Admin Override: Admin policies allow elevated access when needed • Policy Testing: RLS policies tested and validated regularly Authentication Middleware • Token Validation: All API requests validate authentication tokens • Session Management: Secure session handling with automatic timeout • Rate Limiting: API rate limiting to prevent abuse • Error Handling: Secure error responses without information leakage Session Management • Session Timeout: Sessions expire after 24 hours of inactivity • Secure Cookies: HttpOnly, Secure, SameSite cookie attributes • Token Rotation: Refresh tokens rotated on each use • Concurrent Sessions: Limited to 3 concurrent sessions per user 8. COMPLIANCE AND MONITORING Regulatory Compliance • PCI DSS: Access controls meet PCI DSS requirements • GDPR: Data access controls support GDPR compliance • CCPA: California privacy law compliance maintained • SOX: Financial reporting access controls implemented Security Monitoring • Real-time Monitoring: 24/7 monitoring of access patterns • Anomaly Detection: AI-powered detection of unusual access • Alert System: Immediate alerts for security events • Incident Response: Automated response to security incidents Policy Enforcement • Automated Enforcement: Technical controls enforce policy requirements • Regular Audits: Quarterly audits of access controls • Penetration Testing: Annual penetration testing of access controls • Continuous Improvement: Policy updated based on audit findings CONTACT INFORMATION For questions about this policy or to report access control issues: Email: security@killsub.com Website: https://killsub.com/access-control-policy For urgent security matters, please include "SECURITY INCIDENT" in the subject line. --- This document is confidential and proprietary to KillSub. Distribution is restricted to authorized personnel only.