1. Objective
Establish the guidelines for assigning, managing, and monitoring access to IncrementaCRM systems, modules, and resources, ensuring that each user has only the permissions required for their role.
2. Scope
This policy applies to all personnel, collaborators, and internal systems that have access to services, infrastructure, or information managed by IncrementaCRM.
3. Access Management
a) Defined Roles
The system provides predefined hierarchical access levels:
- Owner: Full control over the account and global configuration.
- Admin: Advanced operational management; cannot modify the Owner account or its privileges.
- Manager: Intermediate oversight with restricted access to critical configurations.
- Vendor: Limited access to customer data, sales, and assigned functions.
b) Least Privilege Principle
Permissions assigned to each user are strictly limited to the functions required for their role. No user may hold more privileges than necessary.
c) User Lifecycle (Creation, Modification, Deactivation)
- Active users are managed through an activation/deactivation flag in the database.
- Deactivated users cannot access the system.
- Role or permission changes require Owner or Admin authorization.
- No automatic or inherited permissions are granted without explicit approval.
d) Session Limits
- Each user may maintain up to two active sessions simultaneously.
- Starting a session on a further device once this limit is reached automatically terminates the user's oldest active session.
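The following is an added illustration of how points c) and d) can be enforced together in application code; it is not IncrementaCRM's own implementation. It assumes an in-memory store, a hypothetical UserRecord with the activation flag, and a counter standing in for real timestamps; a production system would back this with the database flag and server-side session storage.

```python
"""Session cap and deactivation-flag enforcement (added example, not IncrementaCRM code)."""
from collections import OrderedDict
from dataclasses import dataclass, field
from itertools import count

MAX_SESSIONS = 2  # policy: at most two concurrent sessions per user

_clock = count(1)  # monotonic tick standing in for a real timestamp (assumption)


@dataclass
class UserRecord:
    """Hypothetical user row; is_active is the activation/deactivation flag."""
    username: str
    role: str
    is_active: bool = True


@dataclass
class SessionStore:
    users: dict
    # username -> OrderedDict(session_id -> device); insertion order is session age
    sessions: dict = field(default_factory=dict)

    def login(self, username, device):
        """Open a session; evict the oldest ones if the cap would be exceeded."""
        user = self.users.get(username)
        if user is None or not user.is_active:
            # deactivated users cannot access the system, regardless of credentials
            raise PermissionError(f"{username}: account missing or deactivated")
        user_sessions = self.sessions.setdefault(username, OrderedDict())
        evicted = []
        while len(user_sessions) >= MAX_SESSIONS:
            old_id, _ = user_sessions.popitem(last=False)  # oldest first
            evicted.append(old_id)
        session_id = f"{username}-{next(_clock)}"
        user_sessions[session_id] = device
        return session_id, evicted

    def is_valid(self, username, session_id):
        """A session is valid only while the account is active and it has not been evicted."""
        user = self.users.get(username)
        if user is None or not user.is_active:
            return False
        return session_id in self.sessions.get(username, {})

    def deactivate(self, username):
        """Flip the flag and revoke every live session at once."""
        self.users[username].is_active = False
        self.sessions.pop(username, None)
```

The deactivate step matters: flipping the database flag alone does not log anyone out, so existing sessions must be revoked or re-checked against the flag on every request.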
4. Authentication
a) Passwords
- User passwords must comply with a mandatory complexity policy:
  - Minimum of 8 characters.
  - At least one uppercase letter, one lowercase letter, one number, and one special character.
- The system validates that the password and its confirmation match during creation or modification.
- Passwords are never displayed and are never stored in plain text.
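As an added example (not IncrementaCRM's code), the block below checks a candidate password against the four rules above, enforces the confirmation match, and stores only a salted PBKDF2 hash so the plain-text password never reaches the database. Which characters count as "special" is not defined by the policy; the example assumes ASCII punctuation, and the iteration count is an assumption as well.

```python
"""Password policy check and hashed storage (added example, not IncrementaCRM code)."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)  # assumption: ASCII punctuation counts as "special"
ITERATIONS = 600_000                # assumption: PBKDF2-HMAC-SHA256 work factor


def password_policy_errors(password):
    """Return every rule the candidate violates; an empty list means it is compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    return errors


def set_password(password, confirmation):
    """Validate confirmation and policy, then return the string to store (never the password)."""
    if not hmac.compare_digest(password.encode(), confirmation.encode()):
        raise ValueError("password and confirmation do not match")
    errors = password_policy_errors(password)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

Storing the algorithm name and iteration count alongside the hash lets the work factor be raised later and old records re-hashed on the user's next successful login.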
b) Multi‑factor Authentication (MFA)
- MFA is not currently implemented.
- MFA for administrative access and critical operations is planned for future releases.
5. Monitoring and Auditing
- All system access is logged (user, IP, timestamp).
- No formal policy exists yet regarding log retention or automated auditing tools.
- Periodic alerts or reviews are recommended to detect suspicious activity.
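Because the policy only records user, IP, and timestamp, a periodic review has to work from those three fields. The following added example (not an IncrementaCRM tool) runs two checks over constructed sample log lines: a user appearing from more than two source addresses within an hour, which conflicts with the two-session cap, and one address logging into many different accounts, which suggests shared or stuffed credentials. The log line format, the window, and the thresholds are assumptions.

```python
"""Access-log review for suspicious patterns (added example, not IncrementaCRM code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumption: sliding review window
MAX_DISTINCT_IPS = 2          # mirrors the two-session cap; a third address is suspicious
MAX_USERS_PER_IP = 3          # assumption: more accounts than this from one address is suspicious

# Constructed sample log: "<ISO timestamp> <user> <ip>" per line (format is an assumption).
SAMPLE_LOG = """\
2024-05-01T08:00:00 ana 203.0.113.10
2024-05-01T08:05:00 ana 203.0.113.11
2024-05-01T08:20:00 ana 198.51.100.7
2024-05-01T09:30:00 luis 203.0.113.50
2024-05-01T09:31:00 marta 203.0.113.50
2024-05-01T09:32:00 pedro 203.0.113.50
2024-05-01T09:33:00 sofia 203.0.113.50
2024-05-02T08:00:00 ana 203.0.113.10
"""


def parse(log_text):
    """Turn log lines into (timestamp, user, ip) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    events.sort()
    return events


def find_alerts(events):
    """Return alerts as (kind, subject, details); each subject is reported once."""
    alerts = []
    recent_by_user = defaultdict(deque)  # user -> deque of (ts, ip) inside WINDOW
    recent_by_ip = defaultdict(deque)    # ip -> deque of (ts, user) inside WINDOW
    flagged_users, flagged_ips = set(), set()
    for ts, user, ip in events:
        uq = recent_by_user[user]
        uq.append((ts, ip))
        while uq and ts - uq[0][0] > WINDOW:
            uq.popleft()
        ips = {i for _, i in uq}
        if len(ips) > MAX_DISTINCT_IPS and user not in flagged_users:
            flagged_users.add(user)
            alerts.append(("many_ips", user, sorted(ips)))

        iq = recent_by_ip[ip]
        iq.append((ts, user))
        while iq and ts - iq[0][0] > WINDOW:
            iq.popleft()
        users = {u for _, u in iq}
        if len(users) > MAX_USERS_PER_IP and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("many_users", ip, sorted(users)))
    return alerts


if __name__ == "__main__":
    for kind, subject, details in find_alerts(parse(SAMPLE_LOG)):
        print(kind, subject, details)
```

Both checks are deliberately conservative; without a success/failure field in the log, failed-login bursts cannot be distinguished, which is one argument for extending the logged fields when the retention and auditing policy is formalised.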
6. Review and Continuous Improvement
This policy will be reviewed at least every 12 months or after any security incident involving unauthorized access, account compromise, or infrastructure changes.