QR Planet's Access Control Policy

Information Security Policy for our Systems & SaaS Solution


Purpose

This policy establishes protocols for securing access to the systems provided by QR Planet. We are offering a QR Code Generation and Management Software as a Service (SaaS) solution to customers.

The policy aims to protect sensitive data, maintain full compliance, and safeguard our IT and other infrastructure against unauthorized access.

Scope

This policy applies to

  • Employees and contractors
  • Partners
  • Customers

with access to the company's SaaS platform, both on-premises and remotely.

Policy Statement

Access to QR Planet's SaaS platform is a privilege granted to registered users only, apart from our free QR Code Generator. We employ a variety of security measures to ensure systems are accessed only through secure channels, thereby maintaining the integrity, confidentiality, and full availability of data.

Access to QR Planet's systems beyond the platform is granted only to company employees and contractors in accordance with the principle of least privilege (PoLP).

Access Control Management

1. Customer Account Management

  • Customers can create and manage their own accounts on the SaaS platform.
  • Account creation is designed to be simple, with guidance provided on securing accounts effectively.
  • Customers are encouraged to regularly review and update their account information and login credentials for security reasons.

2. Customer Password Guidance

Password Complexity

  • Customers are encouraged to create strong, unique passwords for their accounts.
  • Passwords should be at least 12 characters long and include a mix of uppercase and lowercase letters, numerical characters, and symbols.
  • Easily guessed passwords such as “password” or “123456”, or personal information like birthdays, should be avoided.

Password Expiration and Renewal

  • Reuse of the last 3 passwords is prohibited.
  • Passwords should be updated regularly and changed immediately if there is any suspicion that they have been compromised.

Password Protection

  • Passwords must not be shared with others or stored in an easily accessible location.
  • Reputable password manager solutions are recommended to generate and store strong passwords safely.
  • Multi-Factor Authentication (2FA) should be enabled in the account area for an added layer of security.

Password Reset and Account Lockout

  • System access is locked for 1 minute after five failed login attempts to slow down brute-force attacks.
  • User identity is verified before a password reset is allowed.

Password Requirements

The following password requirements apply to all accounts offered on QR Planet's SaaS solution:

The password must be at least eight characters long and contain

  • at least one lowercase letter,
  • at least one uppercase letter,
  • at least one numerical character.

3. Single Sign-On (SSO) and Multi-Factor Authentication (2FA)

  • QR Planet offers its customers the option to configure Single Sign-On (SSO) to streamline their login process, if supported on their side.
  • Customers can enable Multi-Factor Authentication (2FA) and are strongly encouraged to do so for all user accounts to enhance security.
  • Instructions and support are provided to customers in the online resource repository (Knowledge Database) to assist with the configuration of SSO and 2FA.

4. Internal User Access Authorization

  • Employees and contractors who are classified as Internal Users are granted access based on their role within the organization.
  • Access right approvals follow the principle of least privilege (PoLP), ensuring users have the minimum level of access required to perform their job functions.

5. Internal User Authentication

  • All Internal Users must use multi-factor authentication (MFA) for system access to verify their identity.
  • Our password policy for employees requires a minimum of 12 characters with complexity requirements, and passwords must be changed every 90 days.

6. Remote Access for Internal Users

Employees’ remote sessions to internal systems require a secure VPN connection (WireGuard) with MFA.

7. Access Review and Termination

  • Audits and reviews of user access rights are conducted on an annual basis.
  • Access rights are promptly updated when they change due to role changes, employment or contract termination, or other factors.
  • Access rights for individuals who leave the organization or change roles are terminated or adjusted immediately.

8. Third-Party Access

  • Third-party service providers are given access only as necessary for the execution of contracted services.
  • Every such provider signs an NDA before third-party access is granted.
  • Access and activity of third-party users are monitored continuously.

Monitoring and Reporting

  • Continuous monitoring of system access logs is performed for signs of unauthorized access, with real-time alerts for critical incidents.
  • Customers are encouraged to report any suspicious activity or security incidents via the platform's support channels.

This policy is reviewed annually or when significant updates are made.

Version 1.2 (Dec 2024)
