Access Control Policy

This policy describes how Flask Track, as a software platform provider, manages authentication, authorization, and access control to protect customer data and ensure system integrity.

This policy applies to:

• Web application access
• API access
• QR-based execution
• Automated and MCP-based interactions
• Administrative and support access

Access Control Principles

Flask Track access control is based on the following principles:

• Least Privilege – Users are granted only the access required for their role
• Role-Based Access Control (RBAC) – Permissions are derived from assigned roles
• Organization Isolation – Data is strictly isolated between organizations
• Explicit Authorization – Sensitive actions require explicit permission
• Auditability – All access and authorization changes are logged

Authentication

Users must authenticate before accessing Flask Track.

Supported authentication mechanisms include:

• Username and password
• Token-based authentication for API access
• Service account authentication (where enabled)

Authentication credentials are never shared between organizations.

Organization Isolation

Each organization represents a strict security boundary.

• Users may belong to one or more organizations
• Access is always evaluated in the context of a specific organization
• Users cannot access data from organizations they are not members of

Organization isolation is enforced at the application and data layers.

Role-Based Access Control (RBAC)

Access to actions and data is determined by assigned roles.

Typical roles include:

• Owner
• Administrator
• Scientist / Editor
• Technician
• Viewer

Roles control:

• Data visibility
• Creation and modification permissions
• Execution capabilities
• Compliance and audit actions
• User and organization management

Role definitions may evolve, but historical role assignments are preserved for audit purposes.

Authorization Enforcement

Before performing any action, Flask Track verifies:

• User authentication status
• Organization membership
• Role permissions
• Compliance authorization rules
• Regulatory or checklist-based blocking conditions

Authorization checks are enforced consistently across:

• Web UI
• APIs
• QR execution flows
• Automation and MCP agents

Elevated and Sensitive Actions

Certain actions require elevated privileges, including:

• Managing organization members
• Changing user roles
• Approving compliance actions
• Creating or finalizing audits
• Modifying compliance frameworks

These actions are restricted to authorized roles and recorded in the audit log.

Service Accounts & Automation

Service accounts may be used for automation and API access.

Service accounts:

• Are scoped to a single organization
• Are assigned explicit roles or permissions
• Are subject to the same authorization rules as users
• Appear in audit logs with clear attribution

Automation does not bypass access control.

QR Code Execution Access

QR-based execution actions require:

• Authenticated users
• Active organization membership
• Sufficient role permissions
• Compliance conditions to be met

QR codes do not embed credentials and do not grant access on their own.

Administrative Access

Platform-level administrative access is restricted to authorized personnel.

Administrative actions are:

• Logged
• Reviewed
• Limited to operational necessity

Customer data is not accessed except as required for support, security, or incident response.

Audit Logging of Access Control

The following events are recorded in the audit log:

• User logins and logouts
• Role assignments and changes
• Organization membership changes
• Authorization decisions for sensitive actions
• API authentication events

Audit records are immutable.

Account Deactivation and Revocation

When a user is deactivated:

• Login access is revoked
• Historical attribution is preserved
• Audit records remain intact

Access tokens and credentials may be revoked immediately.

Customer Responsibilities

Customers are responsible for:

• Assigning appropriate roles
• Reviewing access periodically
• Removing access for departing users
• Ensuring service accounts are managed securely

Policy Review

This Access Control Policy is reviewed periodically and updated as platform capabilities evolve.

Summary

Flask Track enforces strict, role-based access control across all interaction modes.

Access is:

• Explicit
• Auditable
• Organization-scoped
• Consistently enforced

This ensures customer data protection, operational integrity, and regulatory defensibility.