Jordan Berry

BERRY PLATFORM™ Information Security Policy: Access Control Version 1.0 — Internal Governance Document Aligned with ISO/IEC 27001:2022 1. Purpose The purpose of this policy is to ensure that access to BERRY PLATFORM™ information systems, data, and forensic subsystems is controlled, authorized, and monitored in accordance with the principles of confidentiality, integrity, availability, and evidential reliability. This policy establishes the rules governing user access, privileged access, authentication, and lifecycle management. 2. Scope This policy applies to: All personnel with access to Berry systems All subsystems (Ledger Parser, Chain Indexer, Evidence Extractor, Explorer, Telemetry Engine) All cloud infrastructure and administrative interfaces All third‑party integrations All devices used to access Berry systems 3. Access Control Principles Berry enforces the following principles: 3.1 Least Privilege Users receive the minimum access required to perform their duties. 3.2 Need‑to‑Know Access to sensitive or forensic data is restricted to authorized roles. 3.3 Role‑Based Access Control (RBAC) Access is assigned based on defined roles and responsibilities. 3.4 Segregation of Duties Critical functions are separated to reduce risk of misuse. 3.5 Zero‑Trust Enforcement Every request is authenticated, validated, and monitored. 4. User Access Management 4.1 User Registration All access requests must be approved by the relevant subsystem owner. Identity verification is required prior to account creation. 4.2 User Deregistration Access is revoked immediately upon termination or role change. Accounts inactive for 90 days are disabled. 4.3 Access Reviews Quarterly access reviews are performed by the Security Lead. Privileged accounts are reviewed monthly. 5. Authentication Requirements 5.1 Multi‑Factor Authentication (MFA) Mandatory for: Administrative access Production systems Forensic subsystems Remote access 5.2 Password Requirements Minimum length: 12 characters Complexity enforced Rotation every 180 days Password reuse prohibited 5.3 API Authentication OAuth2 or signed tokens Keys rotated every 90 days 6. Privileged Access Management 6.1 Definition Privileged access includes: System administrators Subsystem owners Database administrators Cloud infrastructure operators 6.2 Controls Privileged accounts are separate from user accounts. All privileged actions are logged and monitored. Just‑in‑time access is used where possible. 7. Access to Forensic Data 7.1 Evidence Access Restrictions Only authorized investigators and subsystem owners may access forensic artefacts. Evidence is immutable and cannot be altered. 7.2 Chain‑of‑Custody Enforcement All access to evidence is logged with timestamp, user ID, and purpose. 8. Remote Access Controls Remote access requires VPN or secure tunnel. Remote sessions must use encrypted channels. Public Wi‑Fi is prohibited unless using approved secure methods. 9. Monitoring & Logging All authentication events are logged. Privileged actions are monitored in real time. Alerts are generated for anomalous access patterns. 10. Third‑Party Access Third‑party access requires a signed agreement. Access is time‑bound and purpose‑specific. Third‑party activity is monitored continuously. 11. Enforcement & Violations Violations of this policy may result in: Access revocation Disciplinary action Legal consequences 12. Review & Maintenance This policy is reviewed annually or upon significant system changes. Updates require approval from the ISMS Owner. Document Classification Internal — Confidential This document forms part of the BERRY PLATFORM™ ISMS governance suite.