Access Control Policy — Trust Centre — Compass IoT
Security

Our commitment

The right people have access to the right systems — and nothing more.

Access control is one of the most fundamental security controls we operate. Granting more access than necessary creates unnecessary risk; failing to revoke access promptly creates lingering exposure. This policy sets out how we provision, manage, and remove access across all Compass IoT systems.

This policy applies to all employees, contractors, and vendors with access to any Compass IoT system, platform, or data.

Principles

Access control principles

Least privilege enforced
  • Least privilege — access is granted only to the extent required to perform a defined role or function. Default access is no access.
  • Need to know — access to data is granted only where there is a legitimate business reason to access that data.
  • Separation of duties — no individual has sole control over a complete sensitive process. Critical actions require more than one person.
  • Individual accountability — shared accounts are prohibited. All access is tied to a named individual so that actions can be attributed and audited.

Authentication

Authentication requirements

MFA mandatory

Multi-factor authentication (MFA) is mandatory for all Compass IoT internal systems, cloud infrastructure, and any system that holds or processes customer data. Password-only access is not permitted for any system within scope of this policy.

  • MFA required for all internal systems, cloud console access, and production environment access.
  • Passwords must meet minimum complexity requirements and are managed via a company-approved password manager.
  • Shared passwords and credentials are prohibited. All credentials are individual.
  • Service accounts and API keys are managed separately from human user accounts and are subject to the same access controls.
  • All authentication events to sensitive systems are logged and retained for audit purposes.
  • End users authenticate to Compass systems through either a secure Magic Link or a Single Sign-On (SSO) system.

Role-based access control

RBAC and access tiers

Access to Compass IoT systems is structured using role-based access control (RBAC). Roles are defined by job function and mapped to the minimum set of permissions required to perform that function. Individuals are assigned roles, not individual permissions.

Access tiers apply across the platform and infrastructure. Higher tiers require additional justification and approval, and are subject to more frequent review.

  • Roles are defined and documented for each system in scope.
  • Role assignments are reviewed on a regular basis by the relevant system owner.
  • Elevated or privileged access requires explicit approval from engineering leadership.
  • Privileged access is time-limited where technically feasible — just-in-time access is preferred over standing privileged accounts.
  • All privileged access activity is logged and subject to periodic review.

Provisioning and revocation

Granting and removing access

Access is granted through a formal process and removed promptly when no longer required. No access is granted informally or without documentation.

  • New access requests require a documented business justification and approval from the relevant system owner or team lead.
  • Access is provisioned only after identity verification and, where applicable, after background screening is complete.
  • Access for contractors and vendors is time-limited and tied to the duration of the engagement.
  • On employment or engagement termination, all access is revoked promptly on the last day of employment. Access to sensitive systems is revoked on the same day notification is received.
  • Access changes due to role change are reviewed at the point of transition — access no longer required is revoked, not accumulated.

Customer data access

Access to customer data by Compass IoT personnel is restricted to the minimum required to deliver support or resolve an incident. Customer data is never accessed for any other purpose. All such access is logged.

Policy review

Ownership and review

This policy is owned by Compass IoT's engineering leadership and reviewed annually, or following any security incident where access control was a contributing factor.

Questions

Get in touch

Contact us with questions about access controls or to request policy documentation.