Access Control Policy
1. Objective
This policy defines how Vera Level Apps Inc manages access to internal systems, infrastructure, and consumer data to ensure the principle of least privilege is applied at all times.
2. Scope
This policy applies to all systems used by Vera Level Apps Inc, including:
- Backend infrastructure (Supabase)
- Financial data integrations (Plaid)
- App distribution platforms (Apple App Store, Google Play)
- Source code repositories
- Third-party development tools
3. Access Control Principles
3.1 Least Privilege
Access to systems and data is granted only to the extent necessary to perform a specific function. No individual or system is granted broader access than required.
3.2 Role-Based Access
- Directors: Full access to all company systems with MFA enforced on all accounts
- Third-party services: Access is restricted via API keys and service role credentials scoped to specific functions only
- No contractors or employees currently have access to production systems
3.3 Multi-Factor Authentication
MFA is mandatory on every account, internal or third-party, for systems that store or process consumer data, including Supabase, Plaid, Apple Developer, and Google Play Console.
4. Credential Management
- API keys and secrets are never stored in client-side application code
- All secrets are stored server-side in Supabase's encrypted secrets manager
- Credentials are rotated immediately if compromise is suspected
- No credentials are shared via email or messaging platforms
5. Access Provisioning and Revocation
- Access to new systems is reviewed and approved by the directors before provisioning
- Access is revoked immediately upon departure of any personnel or termination of any contractor relationship
- All access rights are reviewed annually
6. Review
This policy is reviewed annually or when significant changes to our team or infrastructure occur.
7. Approval
Board of Directors
Vera Level Apps Inc
May 2026