DATA ACCESS MANAGEMENT POLICY

Last updated February 16, 2025  

AppsGem LLC (“Company,” “we,” “us” or “our”) is committed to ensuring that access to all data—whether customer, internal or system—is granted, monitored and revoked in a secure, auditable manner. This Data Access Management Policy describes who may access what data, under which conditions, and how those privileges are maintained.

TABLE OF CONTENTS
1. PURPOSE2. SCOPE3. DEFINITIONS4. ROLES & RESPONSIBILITIES5. DATA CLASSIFICATION6. ACCESS REQUEST & PROVISIONING7. ACCESS REVIEW & RECERTIFICATION8. ACCESS REVOCATION9. MONITORING & AUDITING10. EXCEPTIONS11. POLICY MAINTENANCE12. CONTACT INFORMATION

1. PURPOSE

To establish consistent controls for granting, reviewing, and revoking user and system access to all data repositories in order to protect confidentiality, integrity and availability.

2. SCOPE

Applies to all employees, contractors, vendors and automated services that access Company data stores (databases, file systems, analytics platforms, backups, logs, etc.) in AWS, DigitalOcean or other environments.

3. DEFINITIONS

  • Least Privilege: Users/services receive only the minimal privileges required.
  • RBAC: Role‐Based Access Control. Permissions grouped by role.
  • Data Owner: Business or technical lead responsible for classification and approval.
  • Requestor: Individual or system initiating an access request.

4. ROLES & RESPONSIBILITIES

  • Data Owners define classification levels and approve access.
  • IAM Administrators implement requests in our custom auth system.
  • Managers recertify their team’s access quarterly.
  • Security Team monitors logs and enforces policy.

5. DATA CLASSIFICATION

All data is classified as Public, Internal, Confidential or Restricted in accordance with our Privacy Policy. Classification determines approval workflows and technical controls.

6. ACCESS REQUEST & PROVISIONING

  • Request: Requestors submit access via our ticketing system, specifying the data asset and desired level.
  • Approval: Data Owner reviews and approves/rejects within 2 business days.
  • Implementation: IAM Administrator configures RBAC or attribute‐based entitlements in our auth service, issues scoped JWT or service credentials.

7. ACCESS REVIEW & RECERTIFICATION

  • Quarterly Reviews: Managers receive recertification tasks—approve, modify or revoke each direct report’s access.
  • Annual Audit: Security Team conducts a full audit of privileged accounts and system/service credentials.

8. ACCESS REVOCATION

  • Automated: Terminated employees and expired vendor contracts trigger immediate de‐provisioning via HR and procurement integrations.
  • Manual: Data Owners may request emergency revocation through the ticketing system.

9. MONITORING & AUDITING

  • Logging: All authentication, authorization decisions and privilege escalations are logged to ELK + Splunk SIEM.
  • Alerts: Anomalous access patterns (impossible travel, off‐hour use) generate real‐time alerts.
  • Retention: Access logs retained for a minimum of one year.

10. EXCEPTIONS

Any exceptions must be documented, approved by the CISO, and tracked in our GRC platform. Temporary exceptions automatically expire after 30 days.

11. POLICY MAINTENANCE

This policy is reviewed annually (or immediately after any major incident or regulatory change) by the Information Security Committee. Changes are version‐controlled in our docs-as-code repo and published to our site.

If you have questions or comments about this policy, you may email us at contact@appsgem.com or by post to:

12. CONTACT INFORMATION

AppsGem LLC

18117 Biscayne Blvd Suite 201Miami, FL 33160

United States