Ambassify enforces strict access controls to protect your data at every level. We apply the principle of least privilege, require multi-factor authentication, and conduct regular access reviews to keep permissions tight and up to date.

Least Privilege

Every user and system receives only the access they need to perform their function.

  • Need-to-Know Basis: Access is granted strictly based on business need. No blanket permissions are issued.
  • Minimum Permissions: Every role is assigned the minimum necessary permissions to perform its function.
  • Temporary Access: Time-limited access is capped at a maximum of 90 days and automatically revoked upon expiration.

Multi-Factor Authentication (MFA)

Additional verification steps protect against unauthorized access, even if credentials are compromised.

  • Mandatory MFA: Multi-factor authentication is required for all systems that handle sensitive data.
  • Broad Enforcement: MFA is enforced across all internal tools and infrastructure components.

Role-Based Access Control (RBAC)

Permissions are structured around roles, not individuals, to ensure consistency and accountability.

  • Role-Defined Permissions: Access permissions are assigned based on clearly defined roles within the organization.
  • Separation of Duties: Roles are designed to prevent any single person from having unchecked control over critical processes.
  • Formal Approval Process: All access requests follow a formal approval workflow before permissions are granted.

Access Reviews

Regular audits ensure that access rights remain appropriate over time.

  • Semi-Annual Reviews: Access rights across all systems are reviewed every six months.
  • Prompt Revocation: Access is revoked immediately upon role change, transfer, or departure from the organization.
  • Centralized Management: User accounts are managed centrally to ensure consistent enforcement of access policies.

Authentication Standards

Strong authentication controls reduce the risk of unauthorized access.

  • Password Requirements: Strong password policies are enforced across all accounts, including complexity and length requirements.
  • Account Lockout: Accounts are locked automatically after a defined number of failed login attempts.
  • Session Timeout: Inactive sessions are terminated automatically to prevent unauthorized use of unattended devices.

Remote Access

Secure access is maintained regardless of where team members work.

  • Secure Connectivity: All remote connections to company systems require secure, encrypted channels.
  • Public Network Controls: Additional safeguards are applied when accessing systems from public or untrusted networks.
  • Device Encryption: Full-disk encryption (FileVault or equivalent) is mandatory on all devices used for work.