Purpose
This policy establishes how access to the Tropos Alerts Incident Management and On-Call Scheduling platform is provisioned, managed, and monitored to protect customer data, ensure regulatory compliance, and maintain service reliability.
Scope
Applies to all Tuple Technologies employees, contractors, customers, and partners who access Tropos Alerts systems and data across production, staging, and support environments.
Access Control Principles
- Least Privilege: Users are granted the minimum level of access required to perform their roles.
- Role-Based Access Control (RBAC): Permissions are aligned with functional roles (Admin, Manager, Responder, Viewer).
- Segregation of Duties: Administrative functions are separated to prevent misuse.
Authentication & Identity Management
- Single Sign-On (SSO): Tropos Alerts integrates with Google, Azure AD, and Okta SSO for centralized identity management.
- Multi-Factor Authentication (MFA): Enforced for all users as an additional security layer.
- Password Policy: For non-SSO accounts, passwords must follow industry best practices (minimum 12 characters, complexity, rotation every 90 days).
Provisioning & De-Provisioning
- Onboarding: Access is provisioned through HR or customer admin request, requiring managerial approval.
- Offboarding: Access is revoked immediately upon employee termination, contract end, or customer request.
- Periodic Review: Access rights are reviewed quarterly to ensure compliance with least privilege principles.
Session & Activity Management
- Timeouts: Sessions automatically expire after 15 minutes of inactivity.
- Audit Logging: All authentication events, authorization changes, and incident escalations are logged and monitored.
- Monitoring: Continuous monitoring is in place via Tuple’s Security Shield service to detect anomalies and unauthorized access attempts.
Data Security
- Encryption: All data is encrypted at rest and in transit using industry-standard protocols.
- Custom Security Policies: Customers may define their own access and escalation rules.
- Compliance: Tropos Alerts supports SOC 2, FINRA, and other regulatory compliance requirements as part of Tuple’s broader IT and cybersecurity governance.
Third-Party & Integration Access
- API Access: Authentication tokens are scoped to the minimum necessary permissions.
- Integrations: JIRA, Slack, Teams, and other ITSM integrations follow the same authentication and encryption standards.
Incident Response & Access Violations
- Detection: Unauthorized access attempts trigger alerts via SMS, Email, or Voice escalation.
- Response SLA: Tuple commits to a 30-minute incident response time for security events through Security Shield.
- Remediation: Accounts suspected of compromise are immediately disabled pending investigation.
Policy Review & Updates
This policy is reviewed annually and updated to align with evolving cybersecurity standards, customer requirements, and regulatory changes.