Access Control
Last updated: July 4, 2026
Access control determines who can see or change what — and it is one of the highest-leverage controls in any security program. This page describes our approach at a high level; for how access events are recorded and reviewed, see Audit Logging.
Principle of Least Privilege
Employees and systems are granted the minimum level of access required to perform their function, nothing more. Access to production infrastructure, customer data, and source code is scoped by role, requested explicitly rather than granted by default, and reviewed periodically to remove access that is no longer needed. Access is revoked immediately upon role change or offboarding.
Multi-Factor Authentication (MFA)
MFA is required for all employee accounts with access to production systems, cloud infrastructure, source control, or customer data. We encourage and support MFA for customer accounts on the CORPYO platform itself as an additional layer of protection beyond a password — see our Encryption page for how passwords are hashed and protected.
Role-Based Access Control (RBAC)
Both our internal tooling and the CORPYO product use role-based access control: permissions are attached to roles (for example, support agent, compliance reviewer, engineer, administrator) rather than granted ad hoc to individuals. This makes access reviewable, auditable, and consistent, and it limits the blast radius if any single account is compromised.
Session Security
User sessions are protected with secure, HttpOnly, same-site cookies; sessions expire after a period of inactivity and can be revoked remotely (for example, from an account's active-sessions view or by our support team in response to a reported compromise). Sensitive account actions — such as changing a password or payment method — may require re-authentication even within an active session.
Audit Logging (Overview)
Access to sensitive systems and data is logged: who accessed what, when, and from where. These logs are used both for security monitoring and for supporting customer and regulatory inquiries. For full detail on log immutability, retention, and the categories of events we record, see Audit Logging.