Request invite

Access Control Policy

Last Updated: August 18, 2025

1. Purpose

This Access Control Policy establishes the procedures for granting, revoking, handling, and documenting access to TheAgencyFounder’s systems, platforms, and data assets, particularly where such access involves information shared under the partnership with Meta.
 The policy ensures that only authorized individuals can access systems and data, and that such access is tracked, monitored, and terminated appropriately.

2. Scope

This policy applies to:

  • All employees, contractors, interns, and third-party partners of TheAgencyFounder.
  • All systems, applications, and databases that process, store, or transmit Meta-related data or any client data shared as part of the partnership.
  • All forms of access — physical, logical, and remote.

3. Roles & Responsibilities

  • Data Protection Officer (DPO) – Oversees policy compliance and approves access requests for sensitive data.
  • System Administrator – Implements access provisioning and de-provisioning, maintains access logs, and performs periodic reviews.
  • Managers/Department Heads – Approve access requests for their team members based on job requirements.
  • Employees & Contractors – Responsible for safeguarding credentials and complying with this policy.

4. Access Granting Procedures

  1. Request Submission – Access must be requested through the official Access Request Form or Helpdesk ticket system.
  2. Approval Workflow – Requests must be approved by the direct manager and, for sensitive systems, by the DPO.
  3. Principle of Least Privilege – Access is granted only to the level required for the role.
  4. Identity Verification – All new users must verify identity before credentials are issued.
  5. Multi-Factor Authentication (MFA) – Required for all systems containing Meta-related or client-sensitive data.

5. Access Revocation Procedures

  1. Immediate Termination – Access is revoked within 24 hours when:

    • Employment/contract ends.
    • Role change removes the need for access.
    • Security breach or policy violation is detected.
  2. Manager Notification – Managers must inform IT within 2 hours of knowing that an employee’s role or status has changed.
  3. Deactivation & Removal – User accounts are disabled, and credentials (ID cards, tokens, passwords) are collected.

6. Handling & Documentation

  • Access Logs – All system logins, logouts, and access modifications are recorded and retained for at least 12 months.
  • Access Review – Quarterly review of all user accounts and permissions to detect unnecessary or outdated access.
  • Change Records – All access changes (grant/revoke/modify) are documented with:

    • Requestor name
    • Approver name
    • Date & time
    • Reason for change
    • Systems affected

7. Special Considerations for Meta Data

  • Meta-related data will be stored only in secure, access-controlled environments.
  • Access will be limited to personnel with a direct business need.
  • Any temporary access must be time-bound and automatically revoked after the approved duration.

8. Enforcement

Violations of this policy may result in:

  • Disciplinary action up to termination of employment.
  • Termination of contract for third-party partners.
  • Reporting to Meta in accordance with contractual and legal obligations.

9. Review & Updates

This policy will be reviewed annually or upon significant change in operations, legal requirements, or Meta’s partnership terms.

TheAgencyFounder
https://theagencyfounder.comteam@theagencyfounder.com