Access Control

Last reviewed: April 2026

Customer authentication

Customer authentication is administered by Clerk, which holds SOC 2 Type 2, HIPAA, ISO 27001, GDPR, PCI, FedRAMP, and CSA STAR Level 1 certifications. The platform supports multi-factor authentication, single sign-on, and OAuth via Google. Credentials are never stored by User Intuition directly.

Internal access

Multi-factor authentication is mandatory for all User Intuition personnel accessing production systems. Access follows the principle of least privilege: each role receives only the permissions required for its function, and access is reviewed quarterly. Privileged access to production data is limited to founders and engineering personnel, and is logged by each underlying platform.

Personnel security

Background checks are performed at the time of hire for all personnel with access to customer data, in accordance with our internal HR Policy. All personnel sign confidentiality agreements and complete annual security awareness training, which covers phishing recognition, password hygiene, secure handling of customer data, and incident reporting.

Access provisioning and deprovisioning

Access is provisioned only after manager approval and only for the systems required by role. On termination or role change, access is revoked within one business day via a documented offboarding checklist that covers each platform.

Customer-managed keys

Customer-managed encryption keys (BYOK / CMEK) are not currently offered. Encryption keys are managed by Supabase. See data protection for details.
