Identity and Access Controls
Access Review Cadence
Quarterly access and permission reviews ensure the principle of least privilege is maintained across all systems. Reviews encompass:
- User access levels across all organizational systems
- Role appropriateness and continued business need
- Shared account credential rotation (quarterly minimum)
- Documentation updates in Google Workspace and compliance platforms
Multi-Factor Authentication
MFA is enforced for all administrative access to critical systems, providing an essential additional layer of security beyond password-based authentication. This requirement extends to:
- Cloud infrastructure management consoles
- Administrative panels for SaaS applications
- Database administration tools
- Code repository administrative functions
Least Privilege & Separation of Duties
Avoca implements comprehensive least privilege principles throughout our environment:
- Default Read-Only Access: Users receive read-only permissions by default, with write or administrative privileges granted only as required by role
- Single Sign-On (SSO) Integration: SAML/OAuth integrations leveraged wherever possible to centralize identity management and enable rapid access revocation
- Individual User Accounts: Shared or tiered accounts are avoided in favor of individual user accountability; exceptions (service accounts for integrations) are managed in 1Password with role-based access restrictions
- Automated Onboarding/Offboarding: Access provisioned only to systems required for role performance; immediate access revocation upon offboarding (automated via PEO plus SSO integration targeted for Q1 2026)
Authentication & Authorization Architecture
Enterprise Authentication Infrastructure
- Protocols: OAuth 2.0 and OpenID Connect (OIDC) supported throughout the platform
- Third-Party Authentication: Authentication services offloaded to professional providers (Supabase, Google OAuth), eliminating risks associated with proprietary authentication implementations
- MFA Availability: Multi-factor authentication available for enhanced account security across user-facing systems
- Enterprise SSO: Integration capabilities available based on specific customer requirements and configuration needs
- Team-Based Permissions: Comprehensive RBAC implementation with database-level row security policies
- Data Isolation: Complete data segregation between teams or customers enforced at the database layer
- Access Management: Role and team assignment structures provide granular control over system and data access
- API Security: All publicly accessible endpoints require authentication (JWT, API key, or OAuth depending on use case)
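The team-based permissions and database-layer data isolation described above can be expressed as PostgreSQL row-level security policies, which is the mechanism Supabase exposes. The block below is an added illustration, not Avoca's schema or policy code; the table names, columns and role values are hypothetical, while auth.uid() is Supabase's built-in helper that returns the caller's user id from the verified JWT.

```sql
-- Hypothetical schema: membership of users in teams, with a role per team,
-- and a data table tagged with its owning team (constructed for this example).
create table team_members (
  team_id uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('viewer', 'editor', 'admin')),
  primary key (team_id, user_id)
);

create table documents (
  id      uuid primary key default gen_random_uuid(),
  team_id uuid not null,
  body    text not null
);

-- Policies are only consulted once RLS is enabled; FORCE applies them to the
-- table owner too, so isolation does not depend on which role runs a query.
alter table documents enable row level security;
alter table documents force row level security;

-- Read path (the read-only default): any member of the owning team may see
-- its rows. Rows of other teams are invisible, not merely forbidden.
create policy team_read on documents
  for select
  using (
    exists (
      select 1 from team_members m
      where m.team_id = documents.team_id
        and m.user_id = auth.uid()
    )
  );

-- Write path: only editors and admins of the owning team. WITH CHECK also
-- rejects inserts or updates that would move a row to a team the caller is
-- not an editor of, closing the re-tagging loophole a USING-only policy leaves.
create policy team_write on documents
  for all
  using (
    exists (
      select 1 from team_members m
      where m.team_id = documents.team_id
        and m.user_id = auth.uid()
        and m.role in ('editor', 'admin')
    )
  )
  with check (
    exists (
      select 1 from team_members m
      where m.team_id = documents.team_id
        and m.user_id = auth.uid()
        and m.role in ('editor', 'admin')
    )
  );
```

With no policy granting writes to viewers, their INSERT/UPDATE/DELETE attempts fail even though the application role has table-level privileges; team_members itself needs its own RLS policies so membership rows are not readable across teams.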
Insider Threat Protection
Avoca employs comprehensive controls to protect against both malicious and accidental insider threats.
Access Controls
- Role-based permissions throughout all systems
- Principle of least privilege enforced at onboarding
- Quarterly access reviews ensure continued appropriateness
- Immediate access revocation upon offboarding
- Enterprise-grade cloud infrastructure with built-in security features
- Isolated serverless environments prevent lateral movement
- Security monitoring and alert systems detect anomalous behavior
- Mobile Device Management (MDM) vendor engaged (rollout: Q4 2025)
- Automated enforcement capabilities via PEO plus workspace SSO or OAuth (ETA: Q1 2026)
- Device-level security controls and compliance enforcement