User Access, Roles, and Privilege Management
Effective: May 26, 2026 · Next review: May 26, 2027 · Pythias Technologies, LLC
1
This policy defines how access to Pythias systems, data, and infrastructure is granted, maintained, and revoked. The goal is to ensure that every person and service has the minimum access necessary for their role, and that access is revoked promptly when no longer needed.
2
Least privilege — every account is granted only the access required for its specific function. No blanket admin access without documented justification.
Need to know — access to Confidential or Restricted data is limited to individuals with a specific, documented business need.
Separation of duties — where feasible, critical operations (e.g., code deployment, database changes, billing) require action by more than one person.
Default deny — access is not granted by default. All access rights must be explicitly provisioned.
3
Pythias platforms define the following roles:
Full access to all features, data, and configuration. Reserved for company owners and designated senior technical staff. Requires MFA.
Access to order management, production queues, shipping, and operational data. Cannot modify system configuration, access billing, or view admin-only analytics.
Read-only access to assigned data sets. Cannot modify records, export data in bulk, or access configuration.
Machine-to-machine accounts used by automated processes and integrations. Scoped to the minimum API permissions required. No UI access.
4
Provisioning
New accounts are created only upon written or documented request from a manager or company owner.
Accounts are provisioned with the minimum role required for the stated job function.
Temporary contractors receive time-limited accounts that expire at the end of the engagement.
Modification
Role changes require documented approval. Privilege elevation (e.g., from Production to Admin) requires company owner approval.
Deprovisioning
Accounts must be disabled within one business day of an employee or contractor departure.
Any credentials the departing individual had access to (shared API keys, deploy keys) must be rotated within five business days.
Deprovisioning is logged and confirmed by the company owner.
5
All accounts require a unique password meeting the Security Baseline Policy minimum standards.
MFA is mandatory for Admin accounts accessing cloud infrastructure (MongoDB Atlas, hosting control panels, DNS).
Passwords must not be shared. Each person has their own named account — shared/generic accounts are not permitted for human users.
Service accounts use API key or token-based authentication, not username/password.
6
All user accounts and their assigned roles are reviewed quarterly by the company owner. During each review:
Accounts with no activity in the previous 90 days are flagged for deactivation.
Admin-level accounts are verified as still required and still appropriate.
Service account permissions are verified against documented integration requirements.
7
Clients access their own data through scoped API tokens or platform accounts. Third-party integrations (marketplace APIs, shipping carriers) are granted API access scoped to the minimum permissions required by the integration. All such tokens are documented, auditable, and revocable.
8
This policy is reviewed annually (next review: May 26, 2027) and updated whenever organizational structure, platform roles, or access infrastructure changes.
© 2026 Pythias Technologies, LLC · All rights reserved