Access Control Policy
1. Introduction
Aspose Pty Ltd (Aspose) is a market-leading software development company that offers award-winning APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, ZIP, CAD, XPS, EPS, and PSD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, Xamarin, and Android, along with reporting solutions for Microsoft SharePoint and rendering extensions for SQL Server Reporting Services and JasperReports.
At Aspose, securing access to our systems, data, and intellectual property is fundamental to maintaining operational excellence and customer trust.
2. Purpose
This policy establishes the framework for protecting Aspose’s data, systems, and intellectual property. It aligns Aspose’s practices with recognized industry frameworks, minimizes security risks, and supports secure operations. The policy outlines the roles, responsibilities, and principles governing the protection of information assets and requires all personnel to adhere to information security best practices.
3. Scope
This policy applies to all employees, contractors, and authorized users of Aspose’s information systems and resources. It governs:
- Handling of sensitive company and customer data.
- Intellectual property.
- Customer support interactions.
- Access to both internal and customer-facing systems.
4. Roles and Responsibilities
4.1 Employees
- Adhere to this policy and safeguard information resources.
- Report any security incidents or suspicious activities promptly.
- Use company systems and data for authorized purposes only.
4.2 Team Leads
- Manage access requests, permissions, and role assignments for team members.
- Periodically review access levels and ensure permissions align with job roles.
- Report and escalate security concerns as needed.
4.3 IT Infrastructure and Security Team
- Oversee system security, monitor access logs, and implement technical safeguards.
- Conduct regular audits and vulnerability assessments.
- Manage authentication mechanisms, including Multi-Factor Authentication (MFA).
4.4 Executive Management
- Approve policies and ensure alignment with business objectives and regulatory requirements where appropriate.
- Allocate resources for implementing and maintaining robust security measures.
4.5 Customers
- Safeguard their account credentials and report security issues related to their Aspose subscriptions or interactions.
5. Access Control Principles
Aspose employs a strict access control framework to ensure data security:
- Least Privilege: Users are granted the minimum access necessary to perform their roles.
- Need to Know: Sensitive information is accessible only to those who require it for their responsibilities.
- Role-Based Access Control (RBAC): Access permissions are aligned with defined roles such as engineering, support, or sales.
- Segregation of Duties: Critical tasks are divided to reduce risk and ensure accountability.
- Just-in-Time Access: Temporary access is granted for specific tasks and revoked after completion.
- Authentication and Authorization: All systems are secured with MFA and Active Directory integration.
6. Data Classification and Sensitivity
Data is categorized into three levels, with protections applied accordingly:
- Public Data: Openly accessible information such as product documentation and website content.
- Confidential Data: Restricted to authorized personnel and includes product source code, sales records, and private customer support threads.
- Highly Confidential Data: Limited to select individuals, such as financial data, intellectual property, and infrastructure details.
Sensitive data handling practices include:
- Encrypted storage and transfer for all confidential data.
- Secure access controls.
- Regular access reviews.
- Anonymization of customer-uploaded data where applicable.
- Removal of customer-uploaded data as soon as possible.
7. Access Levels and Permissions
7.1 Roles and Permissions
Access is granted based on predefined roles:
- Engineering: Access to development environments and source code repositories.
- Support: Access to customer interactions and technical documentation.
- Sales and Marketing: Access to sales data and licensing systems.
- IT Infrastructure and Security: Full administrative access for system maintenance and security.
- HR and Administration: Access to employee records and HR systems.
7.2 Temporary and Elevated Access
- Just-in-Time Access: Granted for specific tasks requiring elevated privileges and revoked immediately after task completion.
- Emergency Access: Temporary access granted in critical situations under strict monitoring.
7.3 Access Revocation
- Permissions are promptly revoked when employees leave or transition to new roles.
- Access rights are reviewed periodically to ensure continued alignment with responsibilities.
8. Remote Access Policy
To support Aspose’s working model, specific measures are in place to secure remote access:
- VPN Usage: All remote connections to Aspose’s internal systems must use an encrypted VPN.
- Multi-Factor Authentication (MFA): Remote access requires MFA to prevent unauthorized access.
- Device Security:
  - Company-issued devices must have endpoint protection enabled.
  - Personal devices used for remote access must meet security standards defined by Aspose’s IT team.
- Session Timeout: Remote sessions will automatically terminate after a period of inactivity.
- Network Monitoring: Remote access activity is logged and monitored for unusual behavior.
9. Identity Access Management Policy
Aspose enforces detailed identity and access management (IAM) controls:
- Role-Based Access Control (RBAC):
  - Access is granted based on defined roles, ensuring least privilege and need-to-know principles.
  - Permissions are reviewed periodically to ensure alignment with role responsibilities.
- Provisioning and Deprovisioning:
  - New employee access requests must be reviewed and approved by the team lead and IT.
  - Access to systems is revoked immediately upon employee departure.
  - Just-in-Time (JIT) access for specific tasks is logged and revoked upon task completion.
- Privileged Access:
  - Privileged accounts (e.g., system administrators) are subject to enhanced logging and monitoring.
  - Privileged access reviews are conducted quarterly to prevent permission creep.
10. Password Management Policy
Aspose enforces strict password controls to enhance security:
- Length and Complexity:
  - Minimum password length: 12 characters.
  - Must include at least one uppercase letter, one lowercase letter, one number, and one special character.
- Expiration and Rotation:
  - Passwords must be changed every 90 days.
  - Reuse of the last five passwords is prohibited.
- Multi-Factor Authentication (MFA):
  - MFA is mandatory for all system access.
- Account Lockout:
  - Accounts are locked after five failed login attempts within a 15-minute period.
  - Locked accounts require IT approval for reactivation.
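As an added example (not Aspose’s own code), the Section 10 parameters above implemented as a password complexity check and a lockout detector run over constructed authentication log lines; the log format, function names and sample users are assumptions.

```python
import re
from datetime import datetime, timedelta
# Section 10 parameters: 12+ chars, four character classes, five failures in 15 minutes.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(minutes=15)

def meets_complexity(password: str) -> bool:
    """True if the password meets the length rule and contains all four classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= MIN_LENGTH and all(re.search(p, password) for p in classes)

def parse_auth_log(text: str):
    """Parse constructed lines of the form '<ISO timestamp> <user> <OK|FAIL>'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, user, result = line.split()
            events.append((datetime.fromisoformat(stamp), user, result == "OK"))
    return events

def accounts_to_lock(events):
    """Users whose failed logins reach MAX_FAILED_ATTEMPTS inside any LOCKOUT_WINDOW."""
    failures = {}
    for stamp, user, ok in sorted(events):  # chronological, so per-user lists stay sorted
        if not ok:
            failures.setdefault(user, []).append(stamp)
    locked = set()
    for user, stamps in failures.items():
        for i, end in enumerate(stamps):  # slide a window that ends at each failure
            recent = [t for t in stamps[: i + 1] if end - t <= LOCKOUT_WINDOW]
            if len(recent) >= MAX_FAILED_ATTEMPTS:
                locked.add(user)
                break
    return locked

# Constructed sample log: alice fails five times within 14 minutes (locked);
# bob's five failures span 16 minutes, so no 15-minute window holds all five.
SAMPLE_LOG = """
2024-05-01T09:00:00 alice FAIL
2024-05-01T09:02:00 alice FAIL
2024-05-01T09:05:00 alice FAIL
2024-05-01T09:09:00 alice FAIL
2024-05-01T09:14:00 alice FAIL
2024-05-01T09:00:00 bob FAIL
2024-05-01T09:04:00 bob FAIL
2024-05-01T09:08:00 bob FAIL
2024-05-01T09:12:00 bob FAIL
2024-05-01T09:16:00 bob FAIL
"""
```

Running `accounts_to_lock(parse_auth_log(SAMPLE_LOG))` returns `{'alice'}`; bob stays unlocked because the window test is on elapsed time, not on a raw failure count.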
11. Third-Party and Vendor Access Control
Aspose does not allow third parties or vendors to access internal systems or customer data. Exceptions are not permitted under normal circumstances. In rare cases where external access is necessary for legal or regulatory reasons, the following controls apply:
- Temporary access must be explicitly approved by executive management.
- Access must be time-limited and revoked immediately upon completion of the task.
- External access is subject to full session recording and monitoring.
12. Device and Endpoint Security Policy
Aspose enforces strict controls over endpoint devices to prevent unauthorized access:
- Device Encryption: All company-issued devices must be encrypted using industry-standard encryption methods.
- Endpoint Protection: All endpoints must have endpoint detection and response (EDR) software installed and actively monitored.
- Secure Configurations: All endpoints must be configured to comply with Aspose’s security guidelines.
- Remote Wipe: Devices must be capable of being remotely wiped in case of loss or theft.
- BYOD (Bring Your Own Device) Policy: Personal devices used for company work must meet Aspose’s security standards and be enrolled in mobile device management (MDM) if applicable.
- Aspose’s full Endpoint Security Policy can be found here.
13. Service Accounts and API Access Control
Aspose enforces strict controls over service accounts and API access:
- Non-Human Accounts: Service accounts must be treated as privileged accounts and reviewed quarterly.
- API Authentication: API keys must be stored securely and rotated periodically.
- Least Privilege: Service accounts and API keys are granted only the minimum permissions necessary.
- Monitoring: Activity of service accounts and API usage is logged and monitored for anomalies.
14. User Offboarding and Dormant Accounts
Aspose maintains structured processes for user offboarding and dormant account management:
- Immediate Revocation: All access rights are revoked within one hour of employee departure.
- Dormant Account Monitoring: Accounts inactive for 90 days are automatically disabled.
- Access Review: Dormant accounts are reviewed and deleted unless explicitly required for compliance.
- Audit Trail: A full record of access revocation and account deletion is maintained for auditing purposes.
15. Security Incident Management
Aspose has defined procedures to handle security incidents, including:
- Immediate identification and containment of threats.
- Notification of relevant stakeholders.
- Root cause analysis and implementation of corrective actions.
15.1 Incident Response for Access Violations
Aspose has defined specific procedures for responding to access-related incidents:
- Automated Lockouts: Accounts involved in unauthorized access attempts will be automatically locked.
- Root Cause Analysis: All access-related incidents will undergo a formal root cause analysis.
- Corrective Action: Findings from incident reviews will inform updates to access control measures.
- Post-Incident Reporting: Security incidents related to access control will be reported to executive management.
16. Legal and Regulatory Compliance
Aspose is committed to complying with all applicable legal, regulatory, and industry requirements related to this policy. Where specific regulations or standards apply, Aspose will ensure alignment to protect customer data, meet business obligations, and maintain operational integrity.
16.1 Compliance Principles
- Adherence: Aspose follows all relevant legal and regulatory requirements applicable to its operations and systems.
- Alignment with Standards: While Aspose may not hold formal certifications, it aligns its practices with recognized industry frameworks and best practices to ensure compliance.
16.2 Ongoing Compliance Monitoring
Aspose regularly reviews its internal processes, policies, and product offerings to ensure ongoing compliance with relevant laws and industry standards.
Compliance audits and reviews are conducted periodically to ensure the effectiveness of security and privacy controls.
17. Employee Training and Awareness
Aspose emphasizes equipping all employees with the knowledge and tools required to understand, implement, and maintain secure access controls. Training initiatives ensure that employees contribute to the company’s secure access management practices.
17.1 Access Control Training Programs
- Onboarding Training: New employees undergo training that covers fundamental access control concepts, including least privilege, need-to-know principles, secure authentication, and proper handling of sensitive systems and data.
- Ongoing Awareness: Regular training sessions and updates ensure employees remain informed about access control policies, secure system use, and evolving threats to access management.
17.2 Role-Specific Training
Employees in specific roles receive tailored training to enhance their understanding of access control practices:
- System Administrators and IT Staff: Training on implementing and maintaining access controls, including Multi-Factor Authentication (MFA), Just-in-Time Access, and role-based access controls (RBAC).
- Team Leads and Managers: Training on reviewing and managing team access permissions and ensuring compliance with role assignments.
- Support and Development Teams: Awareness of secure handling of access credentials and systems to minimize unauthorized access risks.
17.3 Access Control Awareness Culture
Aspose fosters a security-first approach to access control by:
- Reinforcing access control responsibilities through communications from leadership.
- Encouraging employees to report any access control issues through secure and confidential reporting channels.
- Sharing regular updates, internal communications, and alerts regarding secure access practices and emerging risks.
17.4 Continuous Improvement
Employee feedback on access control training is actively encouraged to ensure it remains relevant and effective.
Post-Incident Debriefing: Following an access-related incident, teams will review and update training processes to address gaps and improve access control measures.
18. Policy Compliance and Enforcement
To maintain the integrity of access control, compliance with this policy is mandatory for all employees, contractors, and third-party partners.
18.1 Access Control Policy Compliance
- Mandatory Adherence: All personnel must adhere to the Access Control Policy, including its principles (Least Privilege, Need-to-Know, RBAC, and MFA).
- Policy Acknowledgment: Employees formally acknowledge their responsibilities regarding access control upon onboarding and during significant policy updates.
- Periodic Reviews and Updates: This policy will be reviewed regularly to ensure its relevance and alignment with evolving industry standards, legal requirements, and business needs. All stakeholders will be informed of any updates, and necessary re-training will be provided.
18.2 Monitoring and Auditing
- Access Reviews: Periodic audits will review employee permissions to ensure alignment with job roles and responsibilities.
- Continuous Monitoring: Automated tools monitor access logs, identify anomalies, and ensure unauthorized access is promptly addressed.
- Self-Assessments: Employees are encouraged to verify their access permissions and report discrepancies for immediate correction.
18.3 Non-Compliance Consequences
Violation of Policy: Violations of the Access Control Policy will result in disciplinary actions, including but not limited to:
- Corrective Actions: Retraining, formal warnings, or adjustments to access permissions.
- Access Restrictions: Immediate revocation of unauthorized or misused access rights.
- Termination: Repeated or severe policy violations may lead to termination of employment or contracts.
- Legal Action: Serious violations, such as intentional misuse of access privileges, may result in legal consequences.
18.4 Accountability and Enforcement
- Incident Management: Access-related incidents are handled following incident response procedures, with immediate containment and root cause analysis. Unintentional violations due to lack of understanding will prioritize retraining over disciplinary action.
- Disciplinary Process: Investigations will be overseen by HR and IT Security teams to determine the appropriate actions.
- Escalation: Critical breaches or repeated non-compliance will be escalated to senior management for further review.
18.5 Continuous Improvement
Feedback Loop: Aspose encourages feedback from employees and other stakeholders to continuously improve the Access Control Policy and its enforcement mechanisms. This includes regular reviews of access control practices and the identification of potential policy gaps or inefficiencies. Feedback may be provided through periodic reviews, training, and incident analysis.
Training and Awareness: Non-compliance or misuse due to a lack of understanding or awareness will be addressed through enhanced training programs and updated communication channels. These initiatives ensure all employees, contractors, and stakeholders are fully aware of their responsibilities and best practices under the Access Control Policy.
19. Periodic Review and Policy Updates
Periodic Review: This Access Control Policy will be reviewed periodically or as required to address emerging threats, regulatory changes, or Aspose’s evolving operational needs. This ensures the policy remains aligned with current access control best practices and business requirements.
Policy Updates: Updates to the policy will be communicated to all employees, contractors, and relevant stakeholders. Any significant changes will be accompanied by training or guidance to ensure continued adherence to access control principles.
20. Policy Management
Aspose is a privately held company. Our policies are reviewed and maintained by the leadership team to keep them aligned with our business goals and industry standards.
This policy is live and effective as of the Last Updated date at the top of this document. Updates reflect changes in our business practices, customer feedback, and compliance requirements.