Access Control Policy

Chesed Projects · CC Charges Tracker · Effective: June 25, 2026 · Review: annually

This policy governs who may access the CC Charges Tracker application and its underlying systems, and how that access is granted, controlled, and removed.

1. Centralized Identity & Access Management

All access to consumer financial data is managed through a single, centralized identity and access management system: the application's own account directory. Identity creation, authentication, role assignment, multi-factor enrollment, and de-provisioning are all performed through this one system — there is no separate or unmanaged path to the data.

2. Individual Accounts

Each user has a unique, named account. Shared or anonymous accounts are not permitted for accessing consumer financial data.

3. Multi-Factor Authentication (MFA)

• Application: all logins require MFA (a password plus a time-based one-time code).
• Internal/hosting systems: administrative access to the systems that store or process consumer data is protected by multi-factor authentication on the hosting provider account and by key-based SSH authentication; password-only access is not used.

4. Least Privilege & Role-Based Access

Users are granted the minimum access required for their role. Roles separate read-only users from administrators who can link accounts and manage settings.

5. Provisioning & Automated De-Provisioning

• Access is granted only after authorization by the application owner.
• When a person is terminated or transferred, disabling their account (or changing their role) revokes or modifies their access automatically and immediately — the application re-validates every request against the live account, so all active sessions are invalidated and role changes take effect on the next request without manual session cleanup.
• A scheduled daily job automatically de-provisions accounts that have been inactive beyond 90 days.

6. Access Reviews & Audits

The application owner reviews the list of active users, their roles, and access/authentication logs periodically (at least every six months) and removes access that is no longer needed.

7. Consent

Consent to access financial data is obtained from the account holder through Plaid Link at the time of connection, and a record of each consent (institution, scope, time, and granting user) is retained for audit purposes.

8. Credentials & Secrets

Passwords are stored only as salted hashes. API keys and secrets are stored in access-restricted files on the server, encrypted where applicable, and are never committed to source control or exposed to users.