Access Control Policy
1. Purpose
To ensure access to systems and data is granted on a least-privilege, need-to-know basis and removed when no longer required.
2. Scope
All systems, applications, cloud environments, and client environments accessed by Backpack Works personnel.
3. Principles
- Least privilege. Users receive the minimum access required for their role.
- Need to know. Access to client data is limited to the team assigned to that engagement.
- Role-based access. Permissions are assigned by role wherever possible.
4. Provisioning & deprovisioning
- Access is requested, approved, and recorded before it is granted; the record identifies the requester, the approver, and the access granted.
- Access is removed promptly (target: within one business day) upon role change or departure.
5. Authentication
- Single sign-on (SSO) is used where supported.
- Multi-factor authentication (MFA) is required on all critical systems and any system holding client data.
6. Access reviews
Access rights on critical systems are reviewed at least quarterly against each holder's current role; access that is no longer required, or exceeds what the role needs, is removed.
7. Review
This policy is reviewed at least annually.