oklido
Help CenterSign In

Access Control

oklido implements comprehensive access controls to protect your data.

Principles

Our access control follows these principles:

  1. Least Privilege - Users get minimum access needed
  2. Need to Know - Access only to required data
  3. Separation of Duties - Critical functions require multiple people
  4. Defence in Depth - Multiple layers of controls

User Access Levels

Internal Users (Your Team)

RoleDocumentsUsersSettingsBilling
OwnerFullFullFullFull
AdminFullFullFullView
EditorFullViewLimited-
ViewerView/Download---
AuditorViewViewView-

External Users

TypeAccess
BeneficiaryShared documents only
GuestShared documents only, time-limited

Authentication Controls

Password Requirements

  • Minimum 8 characters
  • Mix of upper/lower/numbers
  • Checked against breach databases
  • No password reuse (last 5)

Multi-Factor Authentication

  • Optional but recommended
  • Authenticator app (TOTP)
  • Required for admin functions (configurable)

Session Management

ControlSetting
Session timeout24 hours
Idle timeout1 hour
Concurrent sessionsAllowed
Secure cookiesRequired

System Access Controls

Infrastructure Access

SystemAccess MethodWho
Production serversNoneNo direct access
DatabaseIAM + VPNEngineering only
AWS ConsoleIAM + MFAAuthorised staff only
LogsAWS ConsoleOperations + Security

Code Access

RepositoryAccess
Application codeEngineering team
Infrastructure codeInfrastructure team
Security toolsSecurity team

Audit Logging

All access is logged:

What We Log

EventLogged Data
LoginUser, time, IP, device
Failed loginUser, time, IP, reason
Document accessUser, document, action, time
Settings changesUser, what changed, time
Admin actionsUser, action, target, time

Log Retention

Log TypeRetention
Security events7 years
Access logs90 days
Error logs30 days

Log Protection

  • Immutable (append-only)
  • Encrypted at rest
  • Separate access controls
  • Regular integrity checks

Access Reviews

Regular Reviews

Review TypeFrequency
User access rightsQuarterly
External user accessMonthly
Admin accessMonthly
Service accountsQuarterly

Triggered Reviews

Access is reviewed when:

  • Employee leaves/changes role
  • Security incident occurs
  • Compliance audit requested
  • Customer request

Privileged Access

Admin Access Controls

Administrators have additional controls:

  • MFA required
  • Session recording for critical actions
  • Approval required for sensitive operations
  • Regular certification

Break-Glass Procedures

Emergency access:

  • Documented procedures
  • Multiple approvals required
  • Full audit trail
  • Time-limited
  • Post-incident review

Third-Party Access

Subprocessor Access

ProviderAccessPurpose
AWSInfrastructureHosting
Auth0Auth dataAuthentication
StripeBilling dataPayments

Vendor Management

  • Security assessment before onboarding
  • Data Processing Agreements
  • Regular security reviews
  • Minimal access principle

Your Access Controls

Managing Team Access

  1. Go to SettingsTeam
  2. Add/remove users
  3. Assign appropriate roles
  4. Review access regularly

Managing External Access

  1. Go to SettingsExternal Access
  2. Review beneficiaries and guests
  3. Revoke access when no longer needed
  4. Set appropriate expiration dates

Access Logs

View access to your documents:

  1. Open any document
  2. Click "Audit Log"
  3. See who accessed and when

Questions

For access control questions: