Axolt Access Control Policy
I. Policy Statement
This Access Control Policy defines the standards for the control of access to Axolt’s information
assets across our locations in the UK, India, and Canada. It establishes guidelines to limit access to
authorized users, processes, and devices to prevent unauthorized access and ensure our assets are
managed in line with the assessed risk.
II. Scope
This policy applies to all Aqxolt employees, contractors, consultants, and third parties involved in
managing or utilizing Aqxolt’s digital resources. This includes our Salesforce instances, Amazon
AWS, Heroku, and Digital Ocean servers, and any equipment used to access these services.
III. Definitions
• Access: The ability to interact with a resource (e.g., enter a server room, open a file).
• User: Any person who has been authorized to access an IT system.
• Assets: Any data, device, or other component of the environment that supports
information-related activities.
• etc.
IV. User Access Management
User Registration and De-provisioning:
New users will be registered with unique credentials. User rights are to be removed when an
individual leaves the company or changes positions.
Privilege Management:
Access privileges are granted based on the principle of least privilege. Users are provided the
minimum levels of access required to perform their job functions.
User Responsibilities:
Users must safeguard their access credentials and must not share them under any circumstances.
All actions performed with a user’s credentials will be attributed to the user.
V. System and Application Access Control
Secure Log-on Procedures:
Secure log-on procedures include password complexity requirements, multi-factor authentication
where appropriate, and transmission of login information over secure channels.
Password Management:
Passwords must be changed regularly, and old passwords should not be reused. Procedures are in
place for lost or forgotten passwords.
Unattended User Equipment:
Users must secure unattended equipment, either by locking it or logging off.
Clear Desk and Clear Screen Policy:
Sensitive information should not be left visible on unattended screens or desks.
VI. Network Access Control
Policy on Use of Network Services:
Network services must be used for business purposes only. Unnecessary services should be
disabled to reduce the potential attack surface.
Enforcement of Network Access Controls:
Firewalls, intrusion detection systems, and other security measures are in place to restrict network
access.
User Authentication for External Connections:
Remote connections must be secured with VPN or equivalent technologies. Multi-factor
authentication should be used where appropriate.
VII. Physical Access Control
Secure Areas:
Access to server rooms and other secure areas is limited to authorized personnel only.
Visitor Access:
Visitors must be accompanied by an authorized staff member at all times when in secure areas.
VIII. Access Control to Program Source Code
Access to source code is restricted to authorized personnel only and is monitored to prevent
unauthorized access and potential tampering.
IX. Policy Compliance
Compliance Measurement:
The IT team will verify compliance with this policy through various methods, including but not
limited to business tool reports and internal and external audits.
Exceptions:
Any exception to the policy must be approved by the IT team in advance.
Non-Compliance:
An employee found to have violated this policy may be subjected to disciplinary action, up to and
including termination of employment.
X. Related Standards, Policies, and Processes
• Axolt Data Protection Policy
• Axolt IT Equipment Usage Policy
• etc.
XI. Revision History
This policy will be reviewed and updated on an annual basis, or as required in response to
significant changes in the organization or the regulatory environment. Any changes made to this
policy will be communicated promptly to all users.