User Account Creation: Access to Speak Ai’s internal systems and data will only be granted to individuals with a legitimate business need. To prevent brute force attacks, account creation requests are limited to 5 requests within 1 minute from the same IP address.

Authentication: All users must authenticate using strong authentication methods, including complex passwords and, where applicable, two-factor authentication (2FA). Speak Ai supports 2FA through Google Workspace and is currently adding Microsoft Single Sign-On.

Authorization: Access rights will be assigned based on the user's role and responsibilities, ensuring adherence to the principle of least privilege.

Account Lockout: User accounts will be locked out for a period of 30 minutes after 6 failed login attempts to prevent brute force attacks. Additionally, login requests are limited to 3 requests within 1 minute from the same IP address to further enhance security.

Regular Reviews: Access rights will be reviewed regularly to ensure that they remain appropriate.

Audit Logs: Speak Ai will maintain audit logs of access to critical systems and data. These logs will be reviewed periodically to detect any unauthorized access attempts or anomalies.

Termination of Access: Access rights will be revoked immediately upon termination of employment or contract. Managers are responsible for notifying the IT Security Team to deactivate accounts and remove access.

Role Changes: Access rights will be adjusted appropriately if a user changes roles within the organization. This ensures that users retain access only to the resources necessary for their new role.

Definition of Privileged Access: Privileged access refers to accounts with elevated permissions that allow for administrative control over systems and data.

Controls for Privileged Accounts: Privileged accounts must be strictly controlled and monitored. Users with privileged access must use separate accounts for administrative tasks and regular activities.

Monitoring and Review: Privileged account usage will be closely monitored, and access will be reviewed more frequently than standard user accounts.

Multi-Factor Authentication: Remote access requires multi-factor authentication to ensure an additional layer of security.

Vendor and Partner Access: Third-party vendors and partners who require access to Speak Ai's systems must comply with this Access Management Policy. Access will be granted based on contractual agreements and will be limited to the minimum necessary.

Monitoring and Audits: Third-party access will be monitored and audited to ensure compliance with Speak Ai's security policies and procedures.

IT Team: Responsible for implementing and maintaining access controls, conducting regular access reviews, and ensuring compliance with this policy.

Chief Technology Officer (CTO): Responsible for approving access requests, conducting periodic reviews of user access, and notifying the IT Security Team of any role changes or terminations.

All Users: Responsible for adhering to access management policies, safeguarding their authentication credentials, and reporting any suspicious activities or security incidents.