Access Controls Policy

Last updated: April 1, 2026

Blueprint Finance LLC, doing business as Blueprint AI ("Blueprint"), maintains this Access Controls Policy to define how access to production systems, sensitive data, and internal infrastructure is granted, managed, and revoked. This policy applies to all employees, contractors, and third-party service providers with access to Blueprint systems.

1. Principle of Least Privilege

Access to Blueprint systems and data is granted on a need-to-know, least-privilege basis. No individual or system is granted more access than is required to perform their specific role or function.

  • Access rights are determined by job function and reviewed upon any role change
  • Default permissions are set to deny — access must be explicitly granted
  • Privileged access to production systems is limited to authorized personnel only

2. Role-Based Access Control (RBAC)

Blueprint implements role-based access control across all systems. Access is tied to defined roles rather than individuals, ensuring consistent and auditable permissions:

  • Database (Supabase) — Row-level security (RLS) is enforced at the database layer, ensuring users can only access their own data. Service role keys are restricted to server-side API routes only and never exposed to the client
  • Application — All API routes that access user data require authentication. Server-side session validation is enforced on every request
  • Infrastructure (Vercel) — Deployment and environment variable access is restricted to authorized team members
  • Admin dashboard — Internal admin tools are locked to specific authorized user IDs and require active session authentication

3. Authentication Requirements

All access to Blueprint systems requires authentication. The following standards apply:

  • Unique credentials are required for every user — shared accounts are prohibited
  • Passwords must meet minimum complexity requirements enforced at the application layer
  • Multi-factor authentication (MFA) is required for all administrative access to critical systems including Supabase, Vercel, and third-party service dashboards
  • Session tokens are rotated and expire after a defined period of inactivity
  • Authentication failures are rate-limited to prevent brute-force attacks

4. Multi-Factor Authentication (MFA)

MFA is enforced for access to all critical systems that store or process consumer financial data:

  • Supabase — MFA enabled on all administrative accounts
  • Vercel — MFA enabled on all team accounts with access to production environment variables
  • Stripe — MFA enabled on all accounts with access to payment data
  • Plaid — MFA enabled on the Plaid developer dashboard
  • GitHub — MFA enabled on all accounts with access to the production codebase

5. Access Provisioning and Deprovisioning

Access to Blueprint systems is formally provisioned and revoked according to the following procedures:

  • New access is granted only upon explicit authorization by Blueprint leadership
  • Access is provisioned with the minimum permissions necessary for the role
  • Upon termination, role change, or end of contract, access is revoked immediately — within 24 hours
  • Third-party integrations are reviewed and access revoked when no longer needed

6. Production Access Controls

Access to production systems and sensitive consumer data is strictly controlled:

  • Production environment variables and secrets are stored in Vercel's encrypted secrets manager — never in source code or version control
  • Database service role keys are only accessible server-side and are never exposed to the client or browser
  • Direct database access is restricted to authorized personnel via authenticated, MFA-protected sessions
  • API keys for third-party services (Plaid, Stripe, Anthropic) are rotated periodically and upon any suspected compromise

7. Consumer Data Access

Access to consumer financial data is tightly controlled at every layer of the application:

  • Row-level security (RLS) enforced in Supabase prevents any user from accessing another user's data at the database level
  • All API routes validate the authenticated user's identity before returning data — insecure direct object reference (IDOR) protections are in place on all routes
  • Plaid access tokens are stored encrypted and associated only with the authenticated user who linked them — they cannot be accessed by other users
  • An internal admin support dashboard allows limited data lookup only with explicit user consent (users must toggle on "Support Access" in their settings)

8. Access Reviews

Blueprint conducts periodic access reviews to ensure access rights remain appropriate:

  • Access rights for all systems are reviewed at least quarterly
  • Any unnecessary or excessive access is revoked promptly
  • Third-party integrations and API access are reviewed for continued necessity

9. Physical Access

Blueprint operates as a cloud-native company with no on-premises infrastructure. All production systems are hosted on cloud providers (Vercel, Supabase) with their own physical security controls, certifications, and compliance programs.

10. Policy Violations

Violations of this Access Controls Policy may result in immediate revocation of access and further disciplinary or legal action depending on the severity of the violation. Any suspected unauthorized access must be reported immediately to blueprintappai@outlook.com.

11. Policy Review

This policy is reviewed at least annually and updated as needed to reflect changes in our systems, personnel, or regulatory requirements.

For questions about this policy, contact us at blueprintappai@outlook.com.

© 2026 Blueprint Finance LLC. All rights reserved.
