Identity and Access Management in BPO Operations

Access to client data and systems at Felcorp is governed by a strict identity and access management framework. Every user is provisioned based on their specific role, engagement assignment and operational need. No staff member receives access by default.

This framework applies consistently across both Felcorp's internal platforms and any external client systems accessed as part of service delivery.

Protected User Credentials

All user credentials are managed through a centralised enterprise password management platform. Passwords are never shared directly between staff members, and no employee has visibility over another user's credentials.

The platform enforces secure storage, prevents password reuse and maintains a comprehensive audit log of all credential access and usage. Management retains full visibility over who has accessed which credentials and when, without exposing the credentials themselves.

When a staff member is onboarded to an engagement, credentials are provisioned through the platform rather than shared via email, messaging or any other informal channel. On termination or role change, credential access is revoked immediately.

Multi-Factor Authentication

Access to client systems and Felcorp's internal platforms requires multi-factor authentication where supported. This means a valid password alone is not sufficient to gain entry. A secondary verification step is enforced at the connection level.

This applies to remote access, VPN connections and any external client-facing systems that support MFA configuration. Where a client system does not natively support MFA, Felcorp applies compensating controls at the network and endpoint layer as described under Technology and Endpoint Security.

Access Permissions

Each staff member is granted access based on their assigned engagement and the minimum permissions required to deliver that service. Access is not granted at a team or department level. It is configured per individual, per engagement.

For external client systems, authorised staff hold only the minimum user privileges needed to render efficient services. Non-management staff hold standard access privileges within Felcorp's internal platforms. Management access is limited to company directors, assigned division managers, HR and IT personnel who require oversight for governance, compliance or support purposes.

Access privileges are routinely reviewed to ensure each user holds the least amount of permissions required to perform their role. Where a review identifies permissions that exceed current requirements, access is adjusted immediately. When a staff member changes roles, moves to a different engagement or terminates employment, all access is revoked promptly with no grace period.

In cases where temporary staff substitution is required, the substitute must sign a confidentiality agreement and the client must provide written approval before any access is provisioned. Temporary access follows the same scoping rules and is revoked when the substitution period ends.

Restricted Visibility

Confidential information is shared strictly on a need-to-know basis. Only employees with direct responsibility for a given engagement are permitted to access that engagement's data. Staff working on one client engagement cannot see information belonging to another.

This restricted visibility extends beyond system permissions. Staff are expected to exercise caution when discussing confidential information in any setting, including meetings, email correspondence and phone conversations. Data must not be left visible on unattended screens or printed without express client permission.

For detail on how engagement-level data boundaries are enforced structurally, refer to Client and Engagement-Level Separation.

How This Fits the Security Framework

Identity and access management sits within the Security By Design layer of Felcorp's three-layer security framework. These controls are structural and apply across every engagement before any client-specific configuration is layered on top.

For detail on how access activity is tracked over time, refer to Monitoring and Reporting.