Account Management Policy

IcloneU

Clients and Potential Clients

Effective Date: 7/17/2025
Version: 1.1

1. Overview and Scope

This section establishes the foundational principles and scope of our account management framework, defining how user accounts are governed across the platform.

This Account Management Policy defines the procedures, security requirements, and access controls for user accounts within our Blazor application platform. This policy governs account creation, authentication, role-based access control, team management, and account lifecycle management.

1.1 Policy Objectives

Outlines the key goals and principles that guide all account management decisions and implementations.

  • Ensure secure and controlled access to platform resources
  • Implement role-based access control with granular permissions
  • Maintain audit trails for all account-related activities
  • Provide clear procedures for account recovery and deletion
  • Establish team management and collaboration frameworks

2. Account Creation and Registration

Details the processes and requirements for creating new user accounts, including registration methods and verification procedures.

2.1 Account Registration Methods

Describes the various ways users can create accounts on the platform, including both direct registration and third-party authentication.

Primary Registration:

  • Email/Password: Direct registration with email verification required
  • Google OAuth: Single sign-on using Google authentication (no additional verification required)
  • Facebook OAuth: Single sign-on using Facebook authentication (no additional verification required)

Registration Process:

  1. Initial Registration: User provides email and creates password or uses OAuth
  2. Email Verification: Confirmation email sent to registered address (only for email/password registration)
  3. Account Activation: Email/password accounts activated after email confirmation; OAuth accounts activated immediately
  4. Stripe Integration: Customer record automatically created in Stripe system
  5. Welcome Process: User guided through initial setup and feature introduction

2.2 Password Requirements

Establishes the security standards and complexity requirements for user passwords to ensure account protection.

Password Security Standards:

  • Minimum length: 8 characters
  • Required: At least one uppercase letter
  • Required: At least one lowercase letter
  • Required: At least one numeric digit
  • Required: At least one special character
  • Prohibited: Common passwords and dictionary words

2.3 Account Verification

Outlines the verification processes required to confirm user identity and activate account functionality.

  • Email Verification: Required only for email/password registration
  • OAuth Verification: No additional verification required for Google/Facebook OAuth
  • Account Status: Unverified email/password accounts have limited functionality
  • Verification Expiry: Email verification links expire after 24 hours

3. Authentication and Login Security

Defines the security measures and protocols that protect user accounts during authentication and session management.

3.1 Authentication Methods

Specifies the supported authentication mechanisms and their technical implementation details.

Supported Login Methods:

  • Email and password with ASP.NET Core Identity
  • Google OAuth 2.0 authentication
  • Facebook OAuth 2.0 authentication

Authentication Configuration:

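    // Cookie security settings (application cookie options)
    // SameSite=None cookies are only accepted by browsers when also marked Secure
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

    // Sign-in requirement (Identity options)
    options.SignIn.RequireConfirmedAccount = true;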

3.2 Session Management

Establishes policies for managing user sessions, including duration, security, and validation procedures.

  • Session Duration: 24 hours of inactivity before automatic logout
  • Secure Cookies: All authentication cookies secured with HTTPS
  • Session Validation: Continuous validation of authentication state
  • Concurrent Sessions: Multiple sessions allowed but tracked for security

3.3 Failed Authentication Handling

Details the procedures for handling failed login attempts and protecting against brute force attacks.

  • Lockout Policy: Account lockout after multiple failed login attempts
  • Monitoring: Failed login attempts logged and monitored
  • Alerts: Unusual login patterns trigger security alerts
  • Recovery: Account recovery through verified email address

4. Role-Based Access Control (RBAC)

Defines the comprehensive framework for managing user permissions and access levels across the platform.

4.1 Role Architecture

Establishes the structure of user roles and their corresponding access levels within the system.

Predefined System Roles:

  • Account Owner: Full administrative access to account and all resources
  • Administrator: Full access to account features and team management
  • Expert Editor: Can configure the AI avatars that respond to customer communications
  • Response Editor: Can authorize automatic responses, make edits, and provide notes to the AI about response quality
  • Reader: Can view the dashboard and read conversations generated by the AI

Note: Additional predefined roles may be available based on platform requirements.

4.2 Permission Granularity

Details the specific permissions available within the system and how they can be assigned to different roles.

Permission Groups:

  • Account: Permissions related to account management, billing, and administrative functions
  • Expert: Permissions for configuring AI avatars, response templates, and AI behavior settings
  • Integrations: Permissions for connecting and managing social media platform integrations
  • Interactions: Permissions for managing customer communications, responses, and conversation oversight

Integration Access Control:

  • Platform-Agnostic Permissions: Permissions are not specific to individual social media platforms
  • User-Level Restrictions: Team members can be restricted to work on specific integrations
  • Flexible Assignment: Users can have access to multiple integrations based on team assignments
  • Granular Control: Integration access can be controlled at the individual user level within teams

4.3 Custom Role Creation

Describes the functionality for creating and managing custom roles tailored to specific organizational needs.

  • Role Builder: Administrators can create custom roles
  • Permission Matrix: Granular permission assignment interface
  • Role Templates: Pre-configured role templates for common use cases

5. Team Management

Outlines the framework for organizing users into teams and managing collaborative access to platform resources.

5.1 Team Structure

Defines how teams are organized and how they relate to resource access and user permissions.

  • Team Creation: Account owners can create multiple teams
  • Cross-Team Access: Users can belong to multiple teams with different roles
  • Team Resources: Resources can be assigned to specific teams
  • Integration Assignment: Individual team members can be restricted to specific integrations

5.2 Team Member Management

Details the processes for inviting, managing, and removing team members from the platform.

Invitation Process:

  1. Invitation: Team admin sends invitation via email
  2. Registration: Invitee creates account or uses existing account
  3. Role Assignment: Specific role assigned during invitation
  4. Acceptance: Invitee accepts invitation to join team
  5. Access Activation: Permissions activated immediately upon acceptance

Member Management:

  • Role Modification: Team admins can change member roles
  • Access Suspension: Temporary suspension of access without removal
  • Member Removal: Complete removal from team and resource access
  • Audit Trail: All team changes logged with timestamps and actors

5.3 Team Permissions

Specifies how permissions are applied at the team level and how they enable collaborative workflows.

  • Resource Access: Teams have access to specific social media integrations
  • Content Management: Team-based content creation and management
  • Analytics: Team-specific analytics and reporting
  • Collaboration: Shared workspaces and collaborative features

6. Account Lifecycle Management

Covers the complete lifecycle of user accounts from activation to deletion, including all intermediate states and transitions.

6.1 Account Activation

Describes the various scenarios and processes for activating user accounts after creation or suspension.

  • New Accounts: Activated after email verification (email/password) or immediately (OAuth)
  • Suspended Accounts: Reactivated by administrators
  • Locked Accounts: Unlocked after security verification
  • Expired Accounts: Reactivated with updated terms acceptance

6.2 Account Suspension

Outlines the different types of account suspension and the procedures for temporary access restriction.

  • Temporary Suspension: Account access temporarily disabled
  • Violation Suspension: Suspended for terms of service violations
  • Security Suspension: Suspended for security concerns
  • Reactivation Process: Clear process for account restoration

6.3 Account Deletion Process

Details the immediate and permanent process for removing user accounts and associated data from the platform.

User-Initiated Deletion:

  1. Deletion Request: User initiates deletion through account settings
  2. Multiple Warnings: System provides multiple confirmation warnings to prevent accidental deletion
  3. Immediate Deletion: Account and data are permanently deleted immediately upon final confirmation
  4. Email Removal: User email address is immediately removed from Klaviyo
  5. Stripe Handling: Stripe customer ID is temporarily retained and marked as deleted in the app

Deletion Scope:

  • User Profile: Complete profile and authentication data removal
  • Social Media Data: All posts, messages, and generated replies deleted
  • Team Memberships: User removed from all teams and roles
  • Integration Access: All social media platform connections terminated
  • System Data: User references removed from logs (where legally possible)
  • Klaviyo Data: Email address immediately removed from Klaviyo system

6.4 Account Recovery

Specifies that deleted accounts cannot be recovered due to immediate permanent deletion.

  • No Recovery: Deleted accounts cannot be recovered
  • Permanent Deletion: All data is permanently removed immediately
  • Warning System: Multiple warnings prevent accidental deletion
  • New Account Creation: Users must create new accounts if needed

7. Stripe Integration and Billing

Defines the integration with Stripe payment processing and how billing information is managed throughout the account lifecycle.

7.1 Customer Account Creation

Outlines the automatic creation and synchronization of customer records with the Stripe billing system.

  • Automatic Creation: Stripe customer created for each new account
  • Email Synchronization: Customer email synchronized with account email
  • Customer ID Storage: Stripe customer ID stored in user profile
  • Billing Information: Users can fill out billing information through our interface
  • Stripe Storage: All billing information, payment methods, and invoices are stored by Stripe
  • No Local Storage: We do not store billing information locally

7.2 Billing Management

Details the self-service billing features available to users for managing their subscription and payment information.

  • Subscription Management: Users can manage subscriptions through platform interface
  • Invoice Access: Users can view and download invoices (retrieved from Stripe)
  • Payment Methods: Users can add/remove payment methods (managed by Stripe)
  • Billing History: Complete billing history accessible through Stripe integration
  • Information Editing: Users can edit billing information through our interface, which is sent to Stripe
  • Stripe Integration: All billing data is stored and managed by Stripe, not locally

7.3 Account Deletion and Billing

Explains how billing data is handled when accounts are deleted, including legal retention requirements.

  • Customer Retention: Stripe customer ID temporarily retained and marked as deleted
  • Delayed Purge: Stripe customer data purged after billing settlement and invoice finalization
  • Invoice Preservation: All invoices preserved in Stripe for legal/tax requirements
  • Payment Data: No payment card data stored in our systems
  • Billing Queries: Support for billing-related inquiries through Stripe integration

8. Social Media Integration Management

Covers the secure management of connections to multiple social media platforms and associated permissions.

8.1 Integration Authorization

Details the OAuth-based authorization process for connecting to social media platforms and managing access tokens.

  • OAuth Flow: Standard OAuth 2.0 flow with supported platforms
  • Permission Scopes: Granular permission requests for specific features
  • Token Management: Secure storage and management of access tokens
  • Refresh Handling: Automatic token refresh and error handling

8.2 Supported Platform Integrations

Lists all supported social media platforms and their specific integration capabilities.

Supported Platforms:

  • Facebook Business Pages: Post management and comment responses
  • Facebook Direct Messages: Business page messaging automation
  • Instagram Posts: Post management through Facebook business pages
  • Instagram Direct Messages: Message automation and responses
  • WhatsApp Business: Business messaging and customer communication
  • YouTube: Channel management and comment responses
  • Telegram BOT: Bot management and automated responses
  • Mercado Libre: Customer communication and support automation

8.3 Account Connection

Describes how users can connect multiple social media accounts and how these connections are verified and monitored.

  • Multiple Accounts: Users can connect multiple accounts per platform
  • Account Verification: Verification of account ownership through OAuth
  • Permission Validation: Regular validation of granted permissions
  • Connection Status: Real-time status monitoring of all integrations

8.4 Integration Security

Outlines the security measures implemented to protect social media integration tokens and prevent unauthorized access.

  • Token Encryption: All access tokens encrypted before storage
  • Token Rotation: Regular token validation and refresh
  • Permission Auditing: Regular audit of requested permissions
  • Connection Monitoring: Monitoring for unauthorized access attempts

9. Audit and Monitoring

Establishes comprehensive logging and monitoring systems to track all account-related activities and security events.

9.1 Account Activity Logging

Specifies what account activities are logged and how this information is used for security and compliance purposes.

  • Authentication Events: All login/logout activities logged
  • Permission Changes: Role and permission modifications tracked
  • Team Activities: Team membership changes recorded
  • Integration Events: Social media account connections/disconnections logged

9.2 Security Monitoring

Details the proactive monitoring systems in place to detect and respond to potential security threats.

  • Suspicious Activity: Unusual login patterns and access attempts
  • Failed Authentication: Multiple failed login attempts tracked
  • Privilege Escalation: Unauthorized permission changes detected
  • Data Access: Unusual data access patterns monitored

9.3 Compliance Reporting

Outlines the regular reporting and auditing processes that ensure ongoing compliance with security and regulatory requirements.

  • Access Reports: Regular reports on user access and permissions
  • Security Metrics: Monthly security dashboards and KPIs
  • Compliance Audits: Annual compliance reviews and certifications
  • Incident Reports: Detailed reports on security incidents

10. Data Protection and Privacy

Defines how personal data is handled, user rights are protected, and privacy regulations are complied with across the platform.

10.1 Personal Data Handling

Establishes the principles and practices for collecting, storing, and processing personal data in compliance with privacy regulations.

  • Data Minimization: Only necessary data collected and stored
  • Purpose Limitation: Data used only for stated purposes
  • Accuracy Maintenance: Users can update personal information
  • Storage Limitation: Data retained only as long as necessary

10.2 User Rights

Outlines the rights granted to users regarding their personal data and how these rights can be exercised.

  • Access Rights: Users can download their account data
  • Rectification: Users can correct inaccurate information
  • Deletion Rights: Complete account and data deletion
  • Portability: Data export in structured format
  • Objection Rights: Users can object to certain processing activities

10.3 Consent Management

Details the systems and processes for managing user consent for data processing activities.

  • Explicit Consent: Clear consent for data processing activities
  • Consent Withdrawal: Users can withdraw consent at any time
  • Consent Records: All consent actions logged and tracked
  • Regular Review: Consent validity regularly reviewed and updated

11. Internal User Access

Governs how internal employees and administrators access customer data and system resources, ensuring proper controls and accountability.

11.1 Employee Access Controls

Establishes the framework for managing internal user access to platform resources and customer data.

  • Role-Based Access: Internal users assigned specific roles
  • Need-to-Know: Access granted based on job requirements
  • Regular Review: Access permissions reviewed quarterly
  • Termination Process: Immediate access revocation upon termination

11.2 Customer Data Access

Defines the strict protocols for internal access to customer data, including approval processes and audit requirements.

  • Support Access: Limited access for customer support purposes
  • Approval Process: Management approval required for sensitive data access
  • Audit Trail: All internal access activities logged
  • Data Handling: Strict protocols for handling customer data

11.3 Administrative Access

Outlines the enhanced security measures and monitoring required for system administrative access.

  • System Administrators: Full system access with enhanced monitoring
  • Database Access: Restricted database access with approval requirements
  • Emergency Access: Emergency access procedures for critical situations
  • Access Monitoring: Enhanced monitoring for all administrative activities

12. Incident Response

Establishes procedures for responding to security incidents, account compromises, and data breaches affecting user accounts.

12.1 Account Compromise

Defines the immediate response procedures when user accounts are suspected of being compromised.

  • Detection: Automated detection of compromised accounts
  • Response: Immediate account suspension and user notification
  • Investigation: Detailed investigation of compromise circumstances
  • Recovery: Secure account recovery process

12.2 Data Breach Response

Outlines the comprehensive response plan for data breaches that may affect user account information.

  • Containment: Immediate steps to prevent further data exposure
  • Assessment: Detailed assessment of breach scope and impact
  • Notification: User and regulatory notification as required
  • Remediation: Comprehensive remediation and security improvements

13. Policy Compliance and Review

Establishes the framework for maintaining, updating, and ensuring compliance with this account management policy.

13.1 Policy Updates

Defines the process for reviewing and updating this policy to ensure it remains current and effective.

  • Regular Review: Annual policy review and updates
  • Change Management: Formal change approval process
  • Communication: Policy changes communicated to all users
  • Training: Regular training on policy requirements

13.2 Compliance Monitoring

Outlines the ongoing monitoring and auditing processes to ensure adherence to policy requirements.

  • Automated Monitoring: Continuous monitoring of policy compliance
  • Manual Audits: Regular manual audits of account management practices
  • Corrective Actions: Immediate corrective actions for non-compliance
  • Reporting: Regular compliance reporting to management

14. Support and Contact Information

Provides contact information for various types of support and assistance related to account management issues.

Account Support: account@icloneu.ai
Security Issues and Privacy Concerns: wecare@icloneu.ai
Technical Support: support@icloneu.ai

Address: Paseo de los Laureles 404 - 201. Mexico City, 05120, Mexico


Document Control:

  • Document Name: Account Management Policy
  • Last Updated: 7/17/2025
  • Version: 1.1
  • Distribution: All team members, compliance officer