Finducation™

Finducation - EZBudget™

Access Control Policy

Documented access controls for production assets and sensitive data, including role-based access control (RBAC).

Document ID: EZB-ACM-001
Version: 1.0
Effective Date: July 8, 2026
Last Review Date: July 8, 2026
Control Model: Documented policy + RBAC
Owner: Deseo Developers LLC (Engineering/Security)

1. Policy Statement

EZBudget maintains a defined and documented access control policy to limit access to production assets and sensitive data. Access is granted using role-based access control (RBAC) principles and least-privilege assignment.

Documented Access Control Policy Role-Based Access Control (RBAC) Least Privilege

2. Scope

  • Production application environments and deployment platforms
  • Backend APIs, serverless functions, and database/data services
  • Source code repositories and CI/CD systems
  • Administrative consoles for infrastructure and identity providers
  • Consumer account data and financial integration data stores

3. Access Control Principles

  • Least privilege: Users and services receive only permissions required for their role.
  • Need-to-know: Sensitive data access is restricted to authorized operational roles.
  • Separation of duties: Privileged actions are limited and auditable.
  • Default deny: Access is denied unless explicitly granted by policy and role assignment.

4. Role-Based Access Control (RBAC)

Role CategoryTypical PermissionsRestrictions
Engineering (Standard) Code repository read/write, non-production environment access No standing production data access unless explicitly approved
Engineering (Privileged) Production deployment, incident response, controlled data operations Time-bound and purpose-bound privileged access
Operations / Admin Infrastructure configuration, monitoring, service administration Restricted to required admin scopes only
Application User (Consumer) Access to own account resources through authenticated sessions No direct backend/admin privileges

5. Production and Sensitive Data Controls

5.1 Application and API Layer

  • Authenticated API access uses bearer tokens validated server-side.
  • Privileged server operations use service-role credentials restricted to backend functions.
  • Client applications do not hold server secrets or privileged credentials.

5.2 Data Layer

  • Row-level security and role-scoped data access policies are enforced for application tables.
  • Direct client access to privileged data operations is restricted.
  • Sensitive operations are routed through controlled backend endpoints.

5.3 Platform and Repository Access

  • Production deployment and infrastructure consoles require authorized accounts.
  • Repository permissions are role-assigned and reviewed as part of governance processes.

6. Access Lifecycle Management

  • Access provisioning requires role assignment approval by policy owner or delegate.
  • Role changes and offboarding trigger access modification or revocation.
  • Privileged access is reviewed during internal security assessments.

7. Due Diligence Mapping

Questionnaire ControlPolicy Position
A defined and documented access control policy is in place Yes - This document (EZB-ACM-001)
Role-based access control (RBAC) Yes - RBAC model applied across engineering, operations, and consumer access boundaries

8. Approval

This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.

Approved By: Deseo Developers LLC - Authorized Representative

Date: July 8, 2026

Contact: contact@deseodevelopers.com