Skip to content
Clicki Referrals Trust Center
Clicki Referrals Trust Center

Clicki Access Control Policy

Purpose

This Access Control Policy defines how Clicki Referrals restricts, approves, reviews, and monitors access to systems, applications, infrastructure, and data. Its purpose is to reduce the risk of unauthorized access, protect confidential information and personal data, and support Clicki’s security, privacy, and compliance obligations.

Scope

This policy applies to all Clicki personnel, including employees, contractors, service providers, and any other individual or entity granted access to Clicki-managed systems or customer data. It covers production and non-production environments, cloud infrastructure, internal applications, third-party systems, databases, logs, support tools, and devices used to access Clicki resources.

Policy Statement

Access to Clicki systems and data must be granted according to business need, least privilege, and role-based access principles. Access is approved, provisioned, reviewed, and removed through a controlled process. Administrative and production access is limited to authorized personnel only and is monitored and periodically reviewed.

Principles

Least Privilege

Access is limited to the minimum level necessary for an individual to perform their assigned responsibilities.

Need to Know

Access to customer data, personal information, financial data, and sensitive business information is granted only when required for a legitimate business purpose.

Role-Based Access

Where practical, access is assigned through roles or groups rather than individual ad hoc permissions.

Separation of Duties

Critical activities should be separated where feasible so that no single individual has unnecessary end-to-end control over highly sensitive operations.

Default Deny

Access is denied by default unless explicitly approved and provisioned.

Access Classification

Clicki classifies access into the following categories:

Standard User Access

Access to common internal business systems such as email, communication tools, project systems, CRM tools, and approved documentation platforms.

Privileged Access

Access that allows administrative, configuration, deployment, support override, direct database, infrastructure, identity, billing, or security management actions.

Production Access

Access to live customer-facing systems, production data stores, production logs, cloud consoles, secrets, and operational tooling.

Sensitive Data Access

Access to personal data, referral data, payout-related data, financial records, support artifacts, audit trails, and security event data.

Access Provisioning

Access requests must be based on job responsibilities and require approval from the appropriate system owner, team lead, or designated approver.

At a minimum:

  • New access must be approved before provisioning.

  • Privileged or production access must require elevated approval.

  • Access must be assigned to an individual account and may not be shared.

  • Shared credentials are prohibited unless technically unavoidable and formally controlled, documented, rotated, and limited.

  • All users must authenticate using unique credentials.

  • Multi-factor authentication must be enabled for systems that support it, especially email, identity providers, cloud platforms, code repositories, and administrative tools.

Authentication Requirements

Clicki requires the following authentication controls where supported:

  • Unique user IDs for each individual

  • Strong passwords in accordance with the identity provider or managed system requirements

  • Multi-factor authentication for privileged accounts and production-access systems

  • Centralized identity management where feasible

  • Prompt revocation or reset of credentials when compromise is suspected

Service accounts must be limited, documented, and used only when necessary for system-to-system communication. Secrets associated with service accounts must be stored in approved secret-management systems and not hard-coded into source code or documentation.

Privileged and Production Access

Privileged access is restricted to authorized personnel whose job duties require it. Production access must be limited to a small number of approved individuals.

Additional requirements for privileged or production access include:

  • Approval from an authorized manager or system owner

  • MFA enabled where supported

  • Use of named accounts

  • Logging and monitoring of administrative actions where feasible

  • Periodic review of membership and permissions

  • Removal when no longer needed

Direct access to production databases should be avoided unless necessary for operational support, incident response, or approved administrative work. Where feasible, access should occur through controlled tools, audited interfaces, or temporary elevation.

Customer Data and PII Access

Access to customer data and personally identifiable information is restricted to authorized personnel with a documented business need. Personnel accessing such data must do so only for legitimate support, operational, security, legal, or service-delivery purposes.

Clicki will limit exposure of sensitive data in user interfaces, exports, tickets, and logs where possible through masking, redaction, scoped views, or workflow controls. Personnel must not copy, export, or transmit customer data outside approved systems except where explicitly authorized for a valid business purpose.

Logging and Monitoring Access

Access to logging and observability systems must be restricted because logs may contain sensitive operational or customer information. Clicki will make reasonable efforts to reduce or redact sensitive information in logs.

Administrative actions, authentication events, and significant permission changes should be logged where supported by the platform or application. Logs must be retained according to Clicki retention requirements and reviewed when necessary for security monitoring, incident response, or compliance activities.

Access Reviews

Clicki performs periodic access reviews to confirm that access remains appropriate.

At a minimum:

  • User access to critical systems must be reviewed periodically

  • Privileged and production access must be reviewed more closely and at regular intervals

  • Inappropriate, excessive, stale, or unapproved access must be removed promptly

  • Review evidence should be retained in accordance with Clicki recordkeeping practices

Personnel Changes and Termination

Access must be updated or removed promptly when personnel change roles, no longer require access, or separate from Clicki.

This includes:

  • Removing access upon termination or contract end

  • Adjusting permissions upon role change

  • Revoking tokens, keys, sessions, and administrative memberships as needed

  • Recovering or disabling access to company-managed devices and accounts where applicable

Third-Party Access

Third-party access, including contractors, vendors, and service providers, must be approved, limited to the minimum necessary scope, and time-bounded where feasible. Third parties with access to sensitive systems or data must be subject to appropriate contractual and security requirements.

Emergency Access

Emergency access may be granted when necessary to restore service, investigate incidents, or address urgent operational risks. Such access should be:

  • Approved by an authorized person as soon as practical

  • Limited in scope and duration

  • Logged or otherwise documented

  • Reviewed after the event

Prohibited Activities

The following are prohibited unless specifically approved and controlled:

  • Sharing individual credentials

  • Using another person’s account

  • Granting access outside the formal approval process

  • Retaining access that is no longer needed

  • Downloading, copying, or exposing customer data without a valid business reason

  • Storing passwords, API keys, or secrets in plaintext in source code, tickets, chat, or documentation

Enforcement

Violations of this policy may result in removal of access, disciplinary action, termination of engagement, or other appropriate action consistent with Clicki policies and applicable agreements.

Exceptions

Exceptions to this policy must be documented, justified by business or technical need, approved by authorized leadership, and reviewed periodically.

Ownership and Review

This policy is owned by Clicki management and/or the designated security owner. It must be reviewed at least annually and updated when material changes occur to Clicki systems, personnel practices, or security requirements.

Powered by Plain