Security & Access

This page covers how Inkblot handles security, access control, and data protection. Everyone on the team is responsible for maintaining good security practices.

  • Team members are granted access only to the tools, repositories, and data they need for their current role and projects
  • Access is reviewed when team members change roles or projects
  • Admin access is restricted to team leads and management:
    • ClickUp admin: Adriana van Rooyen, Jonathan de Kock
    • GitHub org admin: Jonathan de Kock
    • Vercel admin: Jonathan de Kock
    • Google Workspace admin: Jonathan de Kock
    • Figma admin: Lea Terblanche
  • Access is reviewed during onboarding and offboarding
  • Periodic reviews are conducted to ensure no unnecessary access persists
  • When a project is completed or decommissioned, project-specific access (e.g., Sanity studio, client repositories) should be cleaned up

  • Use a unique, strong password for every service (minimum 12 characters, mix of letters, numbers, and symbols)
  • Use a password manager to generate and store passwords securely
  • Never reuse passwords across services
  • Never share passwords via Slack, email, or any unencrypted channel

2FA is required on the following services:

  • GitHub
  • Google Workspace (@inkblot.co.za accounts)
  • Vercel
  • Sanity

2FA is strongly recommended on all other services that support it. Use an authenticator app (e.g., Google Authenticator, Authy) rather than SMS where possible.

  • Client data is stored on Google Drive in organised, access-controlled folders
  • Do not store client data on personal devices outside of active working sessions
  • Do not share client data with third parties without explicit permission
  • When a project is completed, ensure all client data is properly filed in the correct Google Drive folder

  • Never commit secrets, API keys, passwords, or tokens to Git repositories
  • Keep sensitive configuration in environment variables (set in Vercel for deployments, or in a local .env.local file for development)
  • .env files should be listed in .gitignore and never committed
  • If a secret is accidentally committed, rotate it immediately and notify Jonathan; removing the commit does not un-expose the value

  • All code repositories are hosted on GitHub under the Inkblot organisation
  • Repositories should be private by default unless there is a specific reason to make them public
  • Use branch protection rules on main to prevent direct pushes
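One way to enforce the "never commit secrets or .env files" rule locally is a Git pre-commit hook that inspects the staged content before the commit is created. The script below is an added example written for this page, not Inkblot's own tooling; the token patterns it matches are constructed and should be extended for the services a repository actually uses.

```python
#!/usr/bin/env python3
"""Git pre-commit hook: block staged .env files and obvious secret literals.

Install by copying to .git/hooks/pre-commit and making it executable.
Example code for this policy page; patterns below are assumptions, not a
complete secret scanner.
"""
import re
import subprocess
import sys

# Constructed token shapes; add patterns for Sanity, Vercel, etc. as needed.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY = "value" style assignments with a secret-looking name and a long literal
    "assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}
# .env, .env.local, .env.production ... but allow committed .env.example templates
ENV_FILE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$")


def is_env_file(path):
    """True if the path is a real .env file (templates ending in .example are allowed)."""
    return bool(ENV_FILE.search(path)) and not path.endswith(".example")


def find_secrets(text):
    """Return (line_number, pattern_name) for every line matching a secret pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def staged_files():
    """List added/copied/modified paths in the index (what this commit would contain)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def main():
    problems = []
    for path in staged_files():
        if is_env_file(path):
            problems.append(f"{path}: .env files must not be committed (add it to .gitignore)")
            continue
        # Read the staged blob, not the working copy, so partial stages are checked correctly
        content = subprocess.run(["git", "show", f":{path}"], capture_output=True,
                                 text=True, errors="replace").stdout
        problems.extend(f"{path}:{lineno}: looks like a {name}" for lineno, name in find_secrets(content))
    if problems:
        print("Commit blocked by secret check:\n  " + "\n  ".join(problems))
        print("Move the value to Vercel or .env.local. If it was already pushed, rotate it and notify Jonathan.")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook only protects the machine it is installed on, so it complements, rather than replaces, the branch protection and rotation steps above.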

If you suspect or discover a security incident (e.g., compromised account, data leak, unauthorised access):

  1. Act immediately — Change the compromised password and revoke any affected access tokens
  2. Notify Jonathan de Kock — Contact Jonathan immediately via Slack DM or phone
  3. Document — Write down what happened, when you noticed it, and what actions you took
  4. Contain — Work with Jonathan to limit the impact (e.g., rotate API keys, revoke sessions, notify affected clients)
  5. Review — After the incident is resolved, conduct a brief post-mortem to identify how it happened and how to prevent it in the future

Do not delay reporting. Early detection and response limit the damage a security incident can cause.

All devices used for Inkblot work must meet these requirements:

  • Screen lock — Enable automatic screen lock after 5 minutes of inactivity
  • Disk encryption — Enable full-disk encryption (FileVault on macOS, BitLocker on Windows)
  • Software updates — Keep your operating system, browser, and development tools up to date. Apply security patches promptly.
  • Antivirus — Use the built-in OS protection at minimum (macOS Gatekeeper/XProtect, Windows Defender)
  • Secure network — Avoid working on unsecured public Wi-Fi. Use a VPN if working from a public location.
  • Physical security — Do not leave your laptop unattended in public spaces