Access control

Access tiers

Tier	Can access	Provisioned by
Admin	GCP, Cloudflare, GitHub org admin, 1Password admin	Jens
Engineering	GitHub org, Cloud Run logs (read), staging DB (read)	Manager request
Ops	Production DB (read), Cloud Run deploys, secrets	Manager + 2nd reviewer
Support	Customer tenants via impersonation (audit logged), Linear, support inbox	Manager request
External contractor	Narrow scope per contract; time-boxed access	Jens + contract

Provisioning a new employee

1. Google Workspace account (firstname@tappass.ai) with 2FA enforced
2. GitHub org invite — requires SSO sign-in, FIDO2 for admins
3. 1Password — assign to the right vault (Engineering / Ops / GTM)
4. Cloudflare — add to the account, scope access to relevant zones
5. Slack — invite to needed channels only
6. PagerDuty — only if they’re in an on-call rotation

Offboarding

Execute within 4 hours of departure (or immediately if involuntary):

1. Suspend Google Workspace (kills SSO into everything that federates)
2. Remove from GitHub org
3. Remove from 1Password → rotate any vaulted shared secrets they had access to
4. Remove from Cloudflare
5. Remove from PagerDuty schedules
6. Remove from Slack
7. Revoke any personal tp_ keys associated with their email
8. Audit: check their recent commits, PRs, and support interactions for anything that needs follow-up

Cloudflare Access for internal sites

This site (internal-docs.tappass.ai) is protected by Cloudflare Access. Policy:

• Include: email domain ends with @tappass.ai
• Require: identity provider: Google Workspace (SSO)
• Session: 24h

See the docs-internal/README.md for setup steps.

Secret access

• Runtime secrets in Google Secret Manager — IAM scoped
• Human access via 1Password only
• No secrets in repo, not even in .env.example (use placeholders)
• No secrets in Slack / Linear / PR descriptions
• Rotate on suspicion of leak — see Rotate API keys