01 Purpose
This Access Control Policy ("Policy") establishes the requirements and controls governing access to BigGeo Global Inc.'s systems, networks, data, and infrastructure, with particular focus on protecting personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Personal Information Protection Act (Alberta) ("PIPA"), and the California Consumer Privacy Act ("CCPA/CPRA").
This Policy directly supports BigGeo's obligations under GDPR Article 32 (security of processing), GDPR Article 5(1)(f) (integrity and confidentiality), and the technical and organisational security measures ("TOMs") referenced in Schedule 3 of BigGeo's Data Processing Agreement ("DPA"). It is a foundational component of BigGeo's Information Security Program.
02 Scope
This Policy applies to:
- All BigGeo employees, contractors, consultants, and third-party personnel ("Users") who access BigGeo systems, networks, or data in any capacity;
- All systems, platforms, applications, APIs, and infrastructure owned, operated, or managed by BigGeo, including the Spatial Cloud platform, MCP connector, marketplace, and internal tooling;
- All categories of data processed by BigGeo, with heightened controls applicable to personal data, EU/EEA personal data processed under a DPA, and any data classified as Confidential or Restricted under BigGeo's data classification framework;
- All third-party sub-processors and vendors with access to BigGeo systems or personal data, who must comply with equivalent access control standards as required under GDPR Article 28 and the applicable DPA.
03 Definitions
Access means any form of interaction with BigGeo systems or data, including read, write, modify, delete, transmit, or execute operations.
Authorised User means a User who has been granted access rights through the provisioning process set out in this Policy.
DPA means a Data Processing Agreement executed between BigGeo and a customer or data partner governing the processing of personal data, including EU/EEA personal data under the GDPR.
Least Privilege means the principle that Users are granted only the minimum level of access rights necessary to perform their specific job functions, and no more.
MFA means multi-factor authentication, requiring two or more independent verification factors to authenticate a User.
Need-to-Know means the principle that access to personal data and confidential information is restricted to those Users whose job responsibilities require it for a defined purpose.
Personal Data has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person.
Privileged Access means access rights that exceed standard user permissions, including administrative, root, superuser, or system-level access.
RBAC means role-based access control, a method of restricting access based on the roles assigned to Users within the organisation.
Sub-processor has the meaning given in the BigGeo DPA: a third party engaged by BigGeo to process personal data on behalf of a customer.
04 Access Control Principles
All access to BigGeo systems and data must be governed by the following foundational principles:
4.1 Least Privilege
Users must be granted the minimum access rights necessary to perform their role. Access rights must not be provisioned speculatively or in anticipation of future need.
4.2 Need-to-Know
Access to personal data — and in particular to EU/EEA personal data processed under a DPA — must be limited to Users whose current job function requires that access for a specific, documented purpose consistent with BigGeo's Record of Processing Activities ("ROPA").
4.3 Separation of Duties
No single User should hold access rights that would allow them to independently perform, approve, and audit a sensitive operation involving personal data or financial systems.
4.4 Default Deny
Access to systems and personal data is denied by default. Access is granted only upon successful completion of the provisioning process set out in Section 6.
4.5 Accountability
All access to personal data and sensitive systems must be attributable to an individual User. Shared or generic accounts are prohibited for any system that processes personal data.
4.6 Data Minimisation (GDPR Article 5(1)(c))
Access provisioning must be designed to ensure that Users can only access the minimum categories of personal data necessary for the specific purpose of processing, consistent with the applicable ROPA entry and the terms of any applicable DPA.
05 Role-Based Access Control (RBAC)
BigGeo uses role-based access control as its primary access management mechanism. Access roles must be defined, documented, and approved by the relevant system owner and the Privacy and Security function before provisioning.
5.1 Standard Role Tiers
| Role Tier | Description | Personal Data Access |
|---|---|---|
| Tier 1 — General User | Standard employee access to productivity tools and internal systems necessary for their role | No access to production personal data |
| Tier 2 — Data Access User | Access to customer data, dataset logs, usage analytics, or marketplace transaction records in the performance of their role | Access limited to the minimum personal data categories required; logged |
| Tier 3 — Privileged User | Administrative, engineering, or DevOps access to production systems, databases, or infrastructure | Privileged access management controls apply; full audit logging required |
| Tier 4 — System Administrator | Root or superuser access to core infrastructure | Strictly controlled; approved by Security Lead; reviewed quarterly |
5.2 Role Assignment
Role assignments must be:
- Requested by the User's manager or team lead via BigGeo's access provisioning process;
- Approved by the system owner and, for Tier 3 and Tier 4 roles, by the Security Lead;
- Documented with the business justification, the specific systems and data categories to be accessed, and the duration of access if time-limited;
- Reviewed at access review intervals as set out in Section 9.
5.3 Prohibited Role Configurations
The following configurations are prohibited:
- A single User holding both Tier 3 and financial approval rights for the same system;
- Any User holding administrative access to both the production environment and the audit log system;
- Generic, shared, or service accounts with Tier 3 or Tier 4 access rights without documented approval and monitoring.
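The three prohibited configurations in Section 5.3 can be checked mechanically against an export of role assignments. The following is an added example, not BigGeo's own tooling; the record layout (user, account_type, system, tier, rights, approved) and the sample assignments are constructed for illustration.

```python
"""Flag role assignments that match a prohibited configuration (Section 5.3).

Added example, not BigGeo's own code. The assignment record layout and
the sample data below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample: one record per (user, system) grant.
ASSIGNMENTS = [
    {"user": "alice", "account_type": "individual", "system": "billing",
     "tier": 3, "rights": {"admin", "financial_approval"}, "approved": True},
    {"user": "bob", "account_type": "individual", "system": "production",
     "tier": 3, "rights": {"admin"}, "approved": True},
    {"user": "bob", "account_type": "individual", "system": "audit-logs",
     "tier": 3, "rights": {"admin"}, "approved": True},
    {"user": "svc-deploy", "account_type": "service", "system": "production",
     "tier": 4, "rights": {"root"}, "approved": False},
    {"user": "carol", "account_type": "individual", "system": "production",
     "tier": 2, "rights": {"read"}, "approved": True},
]

# Rights treated as "administrative access" for the production/audit-log rule.
ADMIN_RIGHTS = {"admin", "root"}


def find_violations(assignments):
    """Return (rule, user, detail) tuples for every prohibited configuration.

    Rule 1: Tier 3 plus financial approval rights on the same system.
    Rule 2: administrative access to both production and the audit log system.
    Rule 3: a shared/service account at Tier 3 or 4 without documented approval.
    """
    violations = []
    admin_systems = defaultdict(set)  # user -> systems with admin-level rights

    for a in assignments:
        # Rule 1 is a property of a single grant.
        if a["tier"] == 3 and "financial_approval" in a["rights"]:
            violations.append(("tier3_plus_financial_approval", a["user"], a["system"]))
        # Rule 3: non-individual accounts need documented approval for Tier 3/4.
        if a["account_type"] != "individual" and a["tier"] >= 3 and not a["approved"]:
            violations.append(("unapproved_shared_privileged_account", a["user"], a["system"]))
        # Collect admin-level systems per user for the cross-system rule.
        if a["rights"] & ADMIN_RIGHTS:
            admin_systems[a["user"]].add(a["system"])

    # Rule 2 spans two grants held by the same user.
    for user, systems in admin_systems.items():
        if {"production", "audit-logs"} <= systems:
            violations.append(("prod_and_audit_admin", user, "production+audit-logs"))
    return violations


if __name__ == "__main__":
    for rule, user, detail in find_violations(ASSIGNMENTS):
        print(f"{rule}: {user} ({detail})")
```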
06 Access Provisioning
6.1 New User Provisioning
Access rights for new Users must be provisioned as follows:
- The User's manager submits an access request specifying the required systems, data categories, and role tier;
- For any role involving access to personal data (Tier 2 and above), the request must include confirmation that the User has completed BigGeo's data protection and security awareness training;
- Access is provisioned by IT/Security only upon approval by the system owner and, where personal data is involved, confirmation that the access is consistent with the applicable ROPA entry and any applicable DPA;
- Access credentials are issued directly and confidentially to the individual User. Credentials must not be shared.
6.2 Role Changes
When a User changes role within BigGeo:
- Existing access rights inconsistent with the new role must be revoked within five (5) business days of the role change taking effect;
- New access rights must be provisioned through the standard provisioning process;
- The principle of least privilege must be applied at each role transition — access rights do not carry over by default.
6.3 Third-Party and Contractor Access
Third-party personnel, contractors, and sub-processors requiring access to BigGeo systems or personal data must:
- Be provisioned only for the specific systems and data categories required for the contracted work;
- Access personal data only where a valid DPA or equivalent contractual instrument is in place, consistent with GDPR Article 28 and BigGeo's DPA obligations;
- Have their access reviewed at the commencement, midpoint, and conclusion of their engagement;
- Have all access revoked immediately upon termination or expiry of their engagement.
07 Authentication Requirements
7.1 Multi-Factor Authentication (MFA)
MFA is mandatory for:
- All access to production systems that process or store personal data;
- All remote access to BigGeo's internal network or systems;
- All Tier 3 and Tier 4 privileged access;
- All access to BigGeo's MCP connector management and API key administration interfaces;
- All administrative access to cloud infrastructure, databases, and identity management systems.
MFA must use at least two of the following independent factors: something the User knows (password), something the User has (hardware token, authenticator app), or something the User is (biometric).
7.2 Password Standards
All User passwords must meet the following minimum standards:
- Minimum length of 14 characters;
- Combination of uppercase, lowercase, numeric, and special characters;
- Not reused from any of the User's previous 12 passwords;
- Changed upon any suspected compromise;
- Never shared with any other person under any circumstances.
Password managers are recommended and must be used for Tier 3 and Tier 4 accounts.
7.3 API and Access Key Authentication
API keys and access tokens issued through BigGeo's platform, including those issued to Data Users and Marketplace Customers under the End User Terms of Service, must:
- Be unique per user or integration;
- Be transmitted only over encrypted connections (TLS 1.2 or higher), consistent with BigGeo's DPA Schedule 3 and MCP connector security controls;
- Be rotated on a schedule defined by the system owner and upon any suspected compromise;
- Never be embedded in publicly accessible code repositories, client-side code, or unencrypted configuration files.
7.4 Session Management
All authenticated sessions must:
- Time out automatically after a period of inactivity not exceeding 30 minutes for systems processing personal data;
- Require re-authentication after timeout;
- Be invalidated immediately upon User logout or account suspension.
08 Privileged Access Management
8.1 Privileged Access Controls
All Tier 3 and Tier 4 privileged access must be subject to the following controls in addition to those set out elsewhere in this Policy:
- Approval by the Security Lead prior to provisioning;
- Just-in-time (JIT) access where technically feasible, limiting the duration of elevated privileges to the specific task requiring them;
- Full audit logging of all privileged sessions, including commands executed and data accessed;
- Prohibition on using privileged accounts for routine, non-administrative tasks.
8.2 Privileged Account Inventory
The Security Lead must maintain a current inventory of all privileged accounts, including:
- The account identity and associated individual User;
- The systems and data categories to which privileged access is granted;
- The business justification for the access;
- The date of last access review.
This inventory must be reviewed quarterly.
09 Access Reviews
9.1 Review Cadence
Access rights for all Users must be formally reviewed at the following intervals:
| User Category | Review Interval |
|---|---|
| All Users — general access | Annually |
| Tier 2 — personal data access | Semi-annually |
| Tier 3 and Tier 4 — privileged access | Quarterly |
| Third-party / contractor access | At engagement commencement, midpoint, and conclusion; and at minimum semi-annually for ongoing engagements |
| Sub-processor access | At least annually, or upon any material change to the sub-processor's scope of work |
9.2 Review Process
Each access review must:
- Be conducted by the relevant system owner in coordination with the User's manager;
- Confirm that each User's access rights remain appropriate to their current role and the minimum necessary for their job function;
- Result in revocation of any access rights that are no longer required, excessive, or inconsistent with the User's current role;
- Be documented and the records retained for a minimum of three (3) years, consistent with ROPA009 retention requirements.
9.3 GDPR Consistency Check
For any system that processes EU/EEA personal data under a DPA, access reviews must additionally confirm that:
- Authorised Users accessing EU/EEA personal data are subject to enforceable confidentiality obligations, consistent with GDPR Article 28(3)(b) and BigGeo's DPA Article 3;
- The scope of access remains consistent with the purpose of processing documented in the applicable ROPA entry and DPA Schedule 1;
- No User has been granted access to EU/EEA personal data that exceeds what is described in the applicable DPA.
10 Access Revocation
10.1 Immediate Revocation
Access must be revoked immediately — and in any event within four (4) hours — upon:
- Termination of employment or engagement for any reason;
- Suspension of a User pending investigation of a security or policy breach;
- Suspected or confirmed compromise of a User's credentials;
- A security incident involving the User's account.
10.2 Standard Revocation
Access must be revoked within five (5) business days upon:
- A User changing role where the new role does not require the existing access;
- Expiry of a time-limited access grant;
- Completion of a third-party or contractor engagement;
- A formal access review determination that the access is no longer required.
10.3 Data Implications of Revocation
Upon revocation of a User's access:
- All active sessions for the revoked account must be invalidated;
- API keys and access tokens associated with the account must be revoked and invalidated;
- Any personal data downloaded, exported, or copied by the User in the performance of their role remains subject to BigGeo's confidentiality and data protection obligations, and the User must be reminded of their post-termination confidentiality obligations under their employment or engagement agreement.
11 GDPR-Specific Access Controls
11.1 EU/EEA Personal Data — Restricted Access
Access to EU/EEA personal data processed by BigGeo under a DPA is subject to the following additional controls, consistent with GDPR Article 32 and BigGeo's DPA Article 8:
- Access is restricted to the minimum number of authorised personnel necessary to fulfil the specific processing purpose documented in the ROPA and the applicable DPA;
- All access to EU/EEA personal data must be logged, and logs must be retained for a minimum of three (3) years;
- Personnel with access to EU/EEA personal data must have completed GDPR-specific data protection training and be subject to documented confidentiality obligations;
- Any request to expand the scope of access to EU/EEA personal data beyond what is specified in the applicable DPA must be escalated to the Privacy function and, where required, to the customer as data controller, before access is granted.
11.2 Data Subject Rights Requests
Access to personal data for the purpose of fulfilling data subject rights requests under GDPR Articles 15–22 must be:
- Initiated only by the Privacy function or a designated Data Subject Rights team member;
- Documented in BigGeo's data subject rights request log (ROPA009);
- Completed and the relevant access closed within the timeframes required by the applicable DPA and GDPR.
11.3 EU Representative and DPO
Where BigGeo has appointed an EU Representative under GDPR Article 27 and/or a Data Protection Officer, those individuals must have access to BigGeo's ROPA, this Policy, the applicable DPAs, and all records necessary to fulfil their statutory functions. Their access must be reviewed annually.
12 Audit Logging and Monitoring
12.1 Logging Requirements
All systems processing personal data must generate and retain audit logs capturing:
- User identity and authentication events (login, logout, failed authentication attempts);
- Access to and operations performed on personal data (read, write, modify, delete, export);
- Privileged access events, including commands executed;
- API access events, including the API key used, the endpoint accessed, and the data categories returned;
- Administrative changes to access rights, role assignments, and system configurations.
12.2 Log Retention
Audit logs must be retained for a minimum of three (3) years, consistent with ROPA009 and BigGeo's legal compliance obligations under GDPR Article 5(2) (accountability principle). Logs must be stored in a manner that prevents unauthorised alteration or deletion.
12.3 Monitoring and Anomaly Detection
BigGeo must implement monitoring of access logs to detect:
- Unusual access patterns, including access outside normal working hours or from unexpected locations;
- Bulk or mass export of personal data;
- Multiple failed authentication attempts indicative of a brute-force attack;
- Access to personal data by Users whose access rights have been revoked or modified.
Detected anomalies must be investigated and, where they constitute or indicate a personal data breach, escalated in accordance with BigGeo's Incident Response Policy and the breach notification obligations under GDPR Article 33 and the applicable DPA (24-hour customer notification commitment).
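The four detection conditions in Section 12.3 can be run over the access logs required by Section 12.1. The following is an added example, not BigGeo's own monitoring code; the log line format (timestamp, user, event, system, record count, source IP), the working-hours window, the thresholds and the sample lines are all constructed assumptions.

```python
"""Run the Section 12.3 anomaly checks over sample access-log lines.

Added example, not BigGeo's own code. Line format, thresholds and the
working-hours window are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<ts> <user> <event> <system> <records> <ip>".
SAMPLE_LOG = """\
2024-05-02T09:15:00 alice read customer-db 25 10.0.0.4
2024-05-02T23:40:00 alice read customer-db 10 10.0.0.4
2024-05-02T10:05:00 bob export customer-db 250000 10.0.0.9
2024-05-02T10:10:00 mallory failed_login sso 0 203.0.113.7
2024-05-02T10:11:00 mallory failed_login sso 0 203.0.113.7
2024-05-02T10:12:00 mallory failed_login sso 0 203.0.113.7
2024-05-02T10:13:00 mallory failed_login sso 0 203.0.113.7
2024-05-02T10:14:00 mallory failed_login sso 0 203.0.113.7
2024-05-02T11:00:00 dave read customer-db 5 10.0.0.12
"""

WORK_START, WORK_END = 8, 18              # assumed working hours (24h clock)
BULK_EXPORT_THRESHOLD = 100_000           # assumed record count for "mass export"
BRUTE_FORCE_ATTEMPTS = 5                  # assumed failed-login count ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... within this window
PERSONAL_DATA_EVENTS = {"read", "write", "modify", "delete", "export"}


def parse_log(text):
    """Parse the constructed line format into event dicts; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, system, records, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "system": system,
                       "records": int(records), "ip": ip})
    return events


def detect_anomalies(events, revoked_users):
    """Return (rule, user, timestamp) tuples for each Section 12.3 condition."""
    findings = []
    failures = {}  # user -> recent failed-login timestamps (sliding window)
    for e in sorted(events, key=lambda x: x["ts"]):
        u, ts = e["user"], e["ts"]
        if e["event"] in PERSONAL_DATA_EVENTS:
            # Access by a User whose rights have been revoked.
            if u in revoked_users:
                findings.append(("revoked_user_access", u, ts))
            # Access outside the assumed working-hours window.
            if not WORK_START <= ts.hour < WORK_END:
                findings.append(("after_hours_access", u, ts))
            # Bulk or mass export of personal data.
            if e["event"] == "export" and e["records"] >= BULK_EXPORT_THRESHOLD:
                findings.append(("bulk_export", u, ts))
        elif e["event"] == "failed_login":
            # Repeated failed authentication within the window: alert once.
            window = [t for t in failures.get(u, []) if ts - t <= BRUTE_FORCE_WINDOW]
            window.append(ts)
            failures[u] = window
            if len(window) == BRUTE_FORCE_ATTEMPTS:
                findings.append(("brute_force", u, ts))
    return findings


if __name__ == "__main__":
    for rule, user, ts in detect_anomalies(parse_log(SAMPLE_LOG), {"dave"}):
        print(f"{ts.isoformat()} {rule}: {user}")
```

Each finding is an input to the investigation and escalation step described above, not a breach determination on its own.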
13 Third-Party and Sub-Processor Access
13.1 Sub-Processor Controls
Sub-processors approved under BigGeo's DPA (Schedule 2 — Subprocessor List) and granted access to BigGeo systems or personal data must:
- Be subject to contractual obligations providing equivalent data protection guarantees to those in BigGeo's DPA, consistent with GDPR Article 28(4);
- Access personal data only to the extent necessary for the contracted sub-processing purpose;
- Be subject to access reviews at the intervals set out in Section 9.1.
13.2 International Transfers
Where a sub-processor or third-party vendor is located outside Canada and processes EU/EEA personal data, access by that party must be subject to a valid international transfer mechanism, including Standard Contractual Clauses (SCCs, EU 2021/914 Module 2) or an applicable adequacy decision, consistent with BigGeo's DPA and the ROPA. For clarity, access by Anthropic PBC in connection with BigGeo's MCP connector is subject to SCCs (EU 2021/914, Module 2, Controller to Processor), contingent on execution of a valid DPA with Anthropic PBC as noted in ROPA006.
14 Training and Awareness
All Users with access to personal data must complete the following training before access is provisioned and at least annually thereafter:
- BigGeo's data protection and privacy awareness training, covering GDPR principles, data subject rights, and reporting obligations;
- BigGeo's information security awareness training, covering password security, phishing, incident reporting, and acceptable use;
- Role-specific training for any User with Tier 3 or Tier 4 access, covering privileged access responsibilities and secure handling of production data.
Completion of required training must be documented and confirmed as part of the access provisioning process.
15 Policy Violations
Violations of this Policy may result in disciplinary action up to and including termination of employment or engagement, and may constitute a breach of the applicable DPA and/or applicable data protection law. Violations involving personal data may trigger breach notification obligations under GDPR Articles 33–34.
Users must report suspected or actual violations of this Policy immediately to security@biggeo.com and privacy@biggeo.com.
16 Policy Review and Maintenance
This Policy must be reviewed and updated:
- At least annually;
- Following any material change to BigGeo's systems, processing activities, or sub-processor arrangements that affects access control requirements;
- Following any personal data breach or security incident that reveals a gap in access controls;
- Upon any material change to applicable data protection law or regulatory guidance affecting BigGeo's access control obligations.
All updates must be version-controlled. The version history is maintained by the Security Lead.
17 Related Documents
This Policy should be read in conjunction with the following BigGeo documents:
- Acceptable Use Policy
- Data Processing Agreement (and Schedule 3 — Technical and Organisational Security Measures)
- Record of Processing Activities (ROPA)
- Privacy Policy (biggeo.com/legal/privacy-policy)
- End User Terms of Service
- Master Services Agreement
- Incident Response Policy
- Information Security Policy
18 Contact and Ownership
Policy Owner: Security Lead, BigGeo Global Inc.
Privacy Oversight: privacy@biggeo.com
Security Incidents: security@biggeo.com
Registered Address: Suite 200, 1215 1 Street SW, Calgary, AB T2R 0V3