SCOPE
Document scope
User API keys, tenant API keys, internal service credentials, provider keys, integration tokens, and secret material used by the SaaS layer.
Status: first operational draft, pending legal review. It must be reviewed by counsel, the privacy owner, and the security owner before it is published as a binding policy or attached to a signed enterprise agreement.
§ 01
Creation and storage
API keys are generated with sufficient entropy and shown only at creation time when possible.
Secret values must be stored as hashes, encrypted secrets, or provider-managed secret references. Plaintext secrets must not appear in logs, analytics, screenshots, test fixtures, or support tickets.
Every key must have an owner, tenant, creation timestamp, status, and intended scope.
§ 02
Usage controls
Production APIs require bearer authentication unless the endpoint is explicitly public, documented, and rate-limited.
Keys should be scoped to the minimum privileges required and should not be shared across tenants, environments, or unrelated applications.
Rate limits and anomaly checks should be applied to reduce brute-force, scraping, and runaway automation risk.
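As an added example (not part of this policy and not the platform's own code), the following Python shows one way to enforce the per-key rate limits and anomaly checks described in § 02: a token bucket per key id, a counter of rejected calls that raises an alert once a key is being hammered, and a distinct-source count that flags a key apparently shared across unrelated applications. The capacities, thresholds and the clock parameter are assumptions chosen so the behaviour is deterministic; production code would take the time from the request and persist the state in a shared store.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec`."""
    capacity: int
    refill_per_sec: float
    updated: float                      # time of the last refill, in seconds
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.capacity)

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Per-key limiter plus two cheap anomaly signals (thresholds are assumed values)."""

    def __init__(self, capacity=5, refill_per_sec=1.0, alert_after=3, max_sources=2):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.alert_after = alert_after      # rejected calls before we alert
        self.max_sources = max_sources      # distinct callers a single key may use
        self.buckets: dict[str, TokenBucket] = {}
        self.rejections: dict[str, int] = {}
        self.sources: dict[str, set] = {}

    def check(self, key_id: str, now: float, source: str) -> tuple[bool, bool]:
        """Return (allowed, alert). `source` is the caller identity used for the
        sharing heuristic, e.g. a client address or application id."""
        bucket = self.buckets.setdefault(
            key_id, TokenBucket(self.capacity, self.refill_per_sec, now))
        allowed = bucket.allow(now)
        if not allowed:
            self.rejections[key_id] = self.rejections.get(key_id, 0) + 1
        seen = self.sources.setdefault(key_id, set())
        seen.add(source)
        # Either signal is enough to raise an alert; the request outcome is
        # unchanged so that an alert never silently turns into a block.
        alert = (self.rejections.get(key_id, 0) >= self.alert_after
                 or len(seen) > self.max_sources)
        return allowed, alert


if __name__ == "__main__":
    # Constructed traffic: one key bursting past its limit at t=0, then one call a second later.
    limiter = RateLimiter()
    for i in range(6):
        print("call", i, limiter.check("key_demo", 0.0, "10.0.0.1"))
    print("after 1s", limiter.check("key_demo", 1.0, "10.0.0.1"))
```

The limiter returns the alert separately from the allow/deny decision so that the anomaly signal can feed a detection pipeline without changing the API's behaviour; what to do on an alert (notify the key owner, force rotation) is a policy decision rather than something the limiter should take on its own.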
§ 03
Rotation and revocation
Keys are rotated when an employee leaves, a customer requests rotation, a secret is exposed, provider policy changes, or suspicious usage is detected.
Revocation must invalidate future use and create an audit event containing key id, tenant, actor, reason, and timestamp.
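As an added example covering § 01 and § 03 (not part of this policy and not the platform's own code), the following Python implements a minimal key store that meets both sections: secrets are generated from the OS random source with 256 bits of entropy, returned to the caller exactly once at creation, persisted only as a SHA-256 digest alongside the owner, tenant, creation timestamp, status and scope metadata, compared in constant time, checked against the scope the endpoint requires, and revoked in a way that both blocks further use and records an audit event carrying key id, tenant, actor, reason and timestamp. The `key_` / `sk_` prefixes, the `redact` helper and the in-memory dictionaries are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed naming conventions; the policy itself prescribes none.
KEY_ID_PREFIX = "key_"
SECRET_PREFIX = "sk_"


def digest(secret: str) -> str:
    """Hash a secret for storage or comparison. Plain SHA-256 is adequate here
    because the secret carries 256 bits of random entropy; a slow password
    hash is only needed for low-entropy, human-chosen values."""
    return hashlib.sha256(secret.encode()).hexdigest()


def redact(secret: str) -> str:
    """Log- and ticket-safe display form: prefix and last four characters only."""
    return f"{SECRET_PREFIX}...{secret[-4:]}"


@dataclass
class KeyRecord:
    key_id: str
    tenant: str
    owner: str
    scopes: frozenset
    created_at: str
    secret_digest: str          # the plaintext secret is never persisted
    status: str = "active"


@dataclass
class AuditEvent:
    action: str
    key_id: str
    tenant: str
    actor: str
    reason: str
    timestamp: str


class KeyStore:
    def __init__(self):
        self.records: dict[str, KeyRecord] = {}
        self.audit: list[AuditEvent] = []

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def create(self, tenant: str, owner: str, scopes, actor: str):
        key_id = KEY_ID_PREFIX + secrets.token_hex(8)
        secret = SECRET_PREFIX + secrets.token_urlsafe(32)   # 32 bytes = 256 bits of entropy
        self.records[key_id] = KeyRecord(
            key_id, tenant, owner, frozenset(scopes), self._now(), digest(secret))
        self.audit.append(AuditEvent("create", key_id, tenant, actor, "key issued", self._now()))
        return key_id, secret    # the only time the plaintext leaves the store

    def authenticate(self, key_id: str, presented: str, required_scope: str) -> bool:
        rec = self.records.get(key_id)
        if rec is None or rec.status != "active":
            return False
        # Constant-time comparison of digests avoids leaking match length via timing.
        if not hmac.compare_digest(rec.secret_digest, digest(presented)):
            return False
        return required_scope in rec.scopes     # least privilege: scope must be granted

    def revoke(self, key_id: str, actor: str, reason: str) -> AuditEvent:
        rec = self.records[key_id]
        rec.status = "revoked"                  # blocks all future authenticate() calls
        event = AuditEvent("revoke", key_id, rec.tenant, actor, reason, self._now())
        self.audit.append(event)
        return event


if __name__ == "__main__":
    store = KeyStore()
    kid, secret = store.create("tenant-a", "alice", ["read"], actor="alice")
    print("issued", kid, redact(secret))
    print("read allowed:", store.authenticate(kid, secret, "read"))
    print("write allowed:", store.authenticate(kid, secret, "write"))
    print(store.revoke(kid, actor="sec-oncall", reason="suspected exposure"))
    print("after revoke:", store.authenticate(kid, secret, "read"))
```

Looking the record up by a separate key id, rather than by the hash of the secret, keeps the comparison constant-time and lets the id appear freely in logs and audit events while the secret itself never does. Rotation under § 03 is simply `create` for the replacement followed by `revoke` of the old key once the customer has switched over.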
CONTACT
Questions and updates
For support questions, contact ict03@rfems.com. For security reports, contact ict03@rfems.com. For privacy requests, contact ict03@rfems.com.