Access Controls Policy

Last updated: Apr 17, 2026

Softserve Software LLC

Purpose and Scope

This Access Controls Policy describes how Softserve Software LLC (“we,” “our,” or “us”) governs logical and administrative access to the car storage facility management software and related services (the “Service”), the systems that run the Service, and the data stored within them.

This policy applies to all personnel, contractors, and third-party providers who access the Service, its production infrastructure, source code, or customer data, and to all customer users who access the Service through their accounts.

This policy supports and should be read together with our Information Security Policy, Privacy Policy, and Terms of Service.

Guiding Principles

  • Least privilege: users, systems, and service accounts are granted only the minimum permissions required to perform their role.
  • Need to know: access to customer data and production systems is limited to personnel with a documented business need.
  • Segregation of duties: where practical, sensitive operations (for example, payments, user role changes, and production deployments) are separated from routine development activities.
  • Tenant isolation: the Service is multi-tenant and every customer-facing record is scoped to a team identifier, so one customer cannot access another customer's data through the application.
  • Auditability: access to production systems and changes to user privileges are logged.
  • Default deny: access that is not explicitly granted is denied.

User Access (Customer Accounts)

Authentication

  • End users authenticate to the Service using magic-link email authentication (no long-lived passwords are stored).
  • Sessions are established with signed, time-limited session cookies marked HttpOnly and Secure.
  • All authentication traffic is transmitted over TLS.
  • Expired or invalidated sessions are rejected on the server side.

Authorization and Roles

  • Users belong to a team (the customer organization) and may optionally be scoped to a specific facility location within that team.
  • Role-based permissions control which features a user can access within their team (for example, administrator, operator, read-only).
  • Server-side checks enforce that every read and write is restricted to the authenticated user's team and, where applicable, their location.
  • Customer-facing endpoints always filter by team identifier so that a user of one customer can never retrieve another customer's data.

Account Provisioning and Deprovisioning

  • Team administrators are responsible for inviting, suspending, and removing users within their own team.
  • Removing a user terminates their access to the Service and invalidates their sessions.
  • Customers are responsible for promptly removing access for personnel who change roles or leave their organization.

Administrative and Infrastructure Access

Who Has Production Access

Production access is restricted to authorized Softserve Software LLC personnel with a documented business need. Access is granted on a named-user basis through each underlying provider and is reviewed periodically.

Authentication for Administrators

  • All administrative consoles used to operate the Service (hosting, database, email, SMS/voice, AI, payments, error monitoring, source control) require named user accounts.
  • Multi-factor authentication (MFA) is enabled on all administrative accounts where the provider supports it.
  • Shared administrator credentials are prohibited.

Application-to-Infrastructure Access

  • The application connects to its managed Postgres database over TLS with full certificate verification.
  • Credentials, API keys, and secrets are stored in the hosting provider's encrypted environment variable store, scoped per environment (development, preview, production).
  • Secrets are never committed to source control.
  • Third-party API credentials (for example, for payments, AI, SMS, email) are scoped to the minimum capabilities required and can be rotated or revoked independently.

Source Code and Deployment

  • Source code is stored in a private repository with access limited to authorized contributors.
  • Deployments to production are performed through the integrated CI/CD pipeline from protected branches.
  • Environment variables in production are only visible to authorized administrators.

Password and Credential Standards

  • The Service itself does not require end-user passwords; it uses email-based magic links for authentication.
  • Where the underlying infrastructure providers issue passwords to administrators, those passwords must be unique, generated by a password manager, and protected by MFA.
  • API keys, webhook secrets, and database credentials are treated as sensitive secrets and are rotated promptly if they are suspected to be compromised or when personnel with access depart.
  • Credentials are never transmitted over insecure channels (for example, unencrypted email or chat).

Access Reviews

  • Administrative access to each production provider is reviewed at least annually, and after any material personnel change, to confirm that only current authorized personnel retain access.
  • Customer team administrators are encouraged to review their own user list on a regular cadence and remove accounts that are no longer required.
  • Unused or dormant administrative accounts are disabled.

Offboarding and Revocation

  • When a person with administrative access leaves or changes roles, their access to all production systems, repositories, and secret stores is revoked promptly.
  • Any shared infrastructure secrets that the departing person could have known are rotated.
  • Customer-side offboarding of end users is performed by the customer's own team administrator through the Service.

Logging and Monitoring

  • Authentication events (for example, sign-in attempts and session creation) are logged by the Service.
  • Application and platform logs are retained by our hosting and database providers in accordance with their standard policies and are used to detect and investigate suspicious activity.
  • Application errors are captured and reviewed to identify anomalies that may indicate misuse or compromise.

Exceptions and Enforcement

Any exception to this policy must be approved in writing by Softserve Software LLC management, documented with a justification, and reviewed periodically. Violations may result in revocation of access, termination of the relationship, and legal action where appropriate.

Changes to This Policy

We may update this Access Controls Policy from time to time to reflect changes in our practices, the Service, or applicable law. The “Last updated” date at the top of this page indicates when it was most recently revised.

Contact Us

Questions about this Access Controls Policy, or requests related to access to your data, can be directed to:

Softserve Software LLC

Email: matt@softservesoftware.com

Address: 3343 Port Royale Dr S, Fort Lauderdale, FL 33308