CC1.1 — Demonstrates commitment to integrity and ethical values
Status: Partially implemented (Phase 0 complete; formal code-of-conduct attestation lands week 13)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity demonstrates a commitment to integrity and ethical values through standards of conduct, oversight by the board, and processes that signal departures from those standards. The control covers tone-from-the-top, the written code of conduct, the disciplinary process when the code is breached, and the channels through which staff (and third parties) raise concerns without retaliation.
How ZeroAuth meets this control
ZeroAuth's commitment to integrity is anchored in two source-of-truth documents that every contributor — human or AI — is held to.
CLAUDE.md at the repository root carries the engineering constitution. It enumerates the non-goals — "never accept raw biometric data over the wire", "never log biometric-derived raw data", "never expose admin actions without an audit row", "never expose one tenant's data to another", "never deploy a verifier whose circuit version is not in /adr/" — and labels them as enforceable in code review.
The four "Critical language rules" block marketing copy that overstates the cryptographic guarantee. Forbidden phrases (the verifier is cryptography, not AI), unqualified deepfake-immunity claims (the legitimate scope is the visual-spoofing class at the verification layer), and the "production stack" formulation (to be replaced with "live reference implementation") are rejected by the pre-commit hook. These are not advisory: the pre-commit hook and the CI mirror gate both check staged diffs for them, so a violating commit is rejected before push and again at CI ingress.
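As an added illustration of the gate described above (not ZeroAuth's own hook), the POSIX shell check below scans only the added lines of a staged diff for language-rule violations; the regexes are an assumed operationalisation of the three rules named here, and the sample diffs are constructed.

```shell
#!/bin/sh
# Added example, not ZeroAuth's own hook: a pre-commit gate for the "Critical language
# rules". Only ADDED lines of the staged diff are scanned, so pre-existing text is not
# re-flagged, and every hit is reported as file: line so the author can fix it locally.

# Assumed regexes operationalising the three rules named on this page:
# the verifier must not be described as AI, no unqualified deepfake-immunity claim,
# and "production stack" is to be replaced by "live reference implementation".
FORBIDDEN='verifier is (an )?AI|AI[- ]based verifier|deepfake[- ]immune|immune to deepfakes|production stack'

# Reads unified-diff text on stdin, prints each offending added line to stderr,
# and prints the total number of hits on stdout.
count_language_violations() {
  hits=0
  file='?'
  while IFS= read -r line; do
    case "$line" in
      '+++ '*) file=${line#"+++ "}; file=${file#b/} ;;   # new-file header, e.g. +++ b/README.md
      '+'*)
        text=${line#+}
        if printf '%s\n' "$text" | grep -Eiq "$FORBIDDEN"; then
          hits=$((hits + 1))
          printf 'language rule violation in %s: %s\n' "$file" "$text" >&2
        fi ;;
    esac
  done
  printf '%s\n' "$hits"
}

# Hook entry point: a non-zero exit blocks the commit (a CI mirror gate would call this too).
check_staged_language() {
  n=$(git diff --cached --unified=0 | count_language_violations)
  [ "$n" -eq 0 ]
}

# Constructed sample diffs (not real commits) for a dry run.
SAMPLE_BAD_DIFF='+++ b/docs/marketing.md
 unchanged context line
-The old production stack text was already here.
+Our AI-based verifier is immune to deepfakes.
+Deploy the production stack today.'
SAMPLE_GOOD_DIFF='+++ b/README.md
+The verifier is cryptography, not AI.
+ZeroAuth runs as a live reference implementation.'

if [ "${1:-}" = "--staged" ]; then
  check_staged_language      # install as .git/hooks/pre-commit, invoking this script with --staged
fi
```

Removed and context lines are ignored on purpose, so a diff that deletes old "production stack" copy passes while one that adds it is blocked.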
The companion CODE_OF_CONDUCT.md extends the standard contributor-covenant baseline. It is referenced from README.md and CONTRIBUTING.md. Every onboarding ticket in docs/plan/bfsi-v1/agents/ is expected to start with reading both files plus 06-ways-of-working.md. The plan tree itself — landed in commit 5e3b79d ("land BFSI v1 production plan under docs/plan/bfsi-v1") — codifies that every commit traces to a pain point in 01-pain-points.md and references its ticket ID; this gives an auditor an end-to-end trail from intent ("close P-7 — bank cannot evidence the audit log") to artefact (commit a475ed8 adding the hash chain).
Tone-from-the-top is reinforced through the weekly Friday status post (per 06-ways-of-working.md, "Daily cadence"). Every one of the 50 agents files a four-line status. The founder (Agent #1) and the CCO (Agent #36) read all 50. The cadence makes integrity lapses observable: a status that quietly omits a missed gate, or that obscures a ticket slip, is visible to the leadership trio at the next 18:00 IST Friday read.
A standing-instructions section in CLAUDE.md ("When you (Claude) get stuck") tells contributors what to escalate and where; the escalation matrix in 06-ways-of-working.md "Escalation" makes the same explicit for humans. The matrix names a 4-hour SLA for customer escalations and a pageable 15-minute SLA for production sev-1 incidents — both impossible to honour without an integrity-first culture in the responding role.
The Phase 0 audit findings doc at docs/security/audit-findings.md is the public artefact of "we say what we found and we close it." Every finding has a status, a closing commit hash where applicable, and a target sprint for the open items. Hiding a finding would constitute a code-of-conduct breach. The doc is gated by the same CI as the rest of the repo and any silent deletion of a row is detectable in git log. The Phase 0 closure trail (commits 02e1734, ee6aad4, e98d158, a475ed8, c09c081, a1bbc47, 5425032) is the concrete demonstration that the team holds itself to the finding ledger.
A formal annual code-of-conduct attestation (every agent signs that they have read and will abide by CODE_OF_CONDUCT.md + CLAUDE.md) is the gap remaining. It lands week 13 alongside the DPB §17 DPO appointment filing, per the compliance roadmap D-Q1-19. Until then the implicit attestation is the act of working under the plan tree — agent tickets explicitly reference their role file and the standing constraints.
Evidence references
- CLAUDE.md (repository root) — engineering constitution, non-goals, language rules, standing instructions.
- CODE_OF_CONDUCT.md (repository root) — contributor covenant baseline.
- CONTRIBUTING.md (repository root) — contribution rules.
- Commit 5e3b79d — "land BFSI v1 production plan under docs/plan/bfsi-v1" — codifies the agent ticket trail.
- docs/plan/bfsi-v1/06-ways-of-working.md — escalation matrix, Friday cadence, Definition of Done.
- docs/security/audit-findings.md — Phase 0 findings published with status + closing commit.
- ADR 0011-branching-workflow.md (commit 51bc705) — branch hygiene that makes status visible.
Open gaps + remediation roadmap
- Annual code-of-conduct attestation roster — first cycle target week 13 (2026-08-17), per compliance-roadmap-v1.md §3.1. Owner: Agent #38.
- Whistleblower channel — anonymous reporting inbox separate from line management. Target week 22 (2026-10-12), aligned with ISO 27001 Annex A.5.34 ("Privacy and protection of PII") evidence preparation.
- Disciplinary policy — formal HR-aligned procedure for code-of-conduct breaches. Target week 22.
Test or audit query
git log --oneline --all | grep -E "land BFSI v1 production plan" confirms the plan landed; auditors then inspect CLAUDE.md, CODE_OF_CONDUCT.md, and the most recent five Friday status posts in docs/plan/bfsi-v1/agents/ for tone-from-the-top evidence.