
CC1.4 — Commitment to attract, develop, and retain competent individuals

Status: Partially implemented (hiring rubrics drafted; first formal training programme target week 22)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28

Trust Services Criteria reference

The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with its objectives. The control covers job descriptions tied to competencies, the hiring process, ongoing training, performance evaluation, and remediation when competence gaps appear.

How ZeroAuth meets this control

Competency requirements per role are encoded in docs/plan/bfsi-v1/03-team.md. Every one of the 50 numbered slots carries a title, a function summary, and a KPI block. The KPI block doubles as the role-level competency bar.

Examples:

  • Role 26 "Senior Security Engineer" has a KPI of "0 P0 audit findings open ≥ 14 days".
  • Role 27 "Lead Cryptographer" has "External cryptographer sign-off on circuit v1.2".
  • Role 6 "Senior Backend Engineer (verifier)" has "0 verifier-path PRs merged without cryptographer-reviewer APPROVE".
  • Role 8 "Senior Backend Engineer (audit)" has "Per-tenant audit chain integrity check returns PASS for all production tenants".

Day-level expectations are then spelled out per role in docs/plan/bfsi-v1/agents/agent-<NN>-*.md. For an auditor this means the question "what does competent look like for the SOC 2 lead?" has a written answer: A38-W1-Mon through A38-W4-Fri (agents/agent-38-compliance-soc2.md).

Hiring discipline is process-led. The roster in 03-team.md is sequenced — engineering line VPs (roles 1–5) and the load-bearing P0 close-out roles (roles 6, 8, 26, 27, 36) are hired or contracted first. The GTM ramp (roles 42–49) follows once the Phase 1 demo is reliably running.

The compliance roadmap D-Q1-02 (week 1) commits to publishing the SOC 2 + ISO + DPDP external counsel and auditor shortlists, which are the gating contracted-talent decisions. The week-4 deadline (D-Q1-07, D-Q1-08, D-Q1-05) for engagement-letter signature means the senior external relationships are all locked before the SOC 2 evidence period opens.

Competence is reinforced through pair-review at the technical boundary. Every change to a sensitive path (auth, crypto, audit, tenant boundaries; see 06-ways-of-working.md "Sub-agent rules") triggers the security-reviewer or cryptographer-reviewer sub-agent, which acts as the second pair of eyes that catches competence gaps in the moment. A reviewer that posts REQUEST_CHANGES blocks the merge until the author has addressed the gap; the escalation matrix sets a 24-hour SLA on that review, with escalation to Agent #1.

The Phase 0 audit-finding closure trail is the team's first delivered evidence of competence under pressure. Five P0 findings (C-1, C-3, C-7, C-4, C-8; see docs/security/audit-findings.md) were closed in 2 weeks, each with a closing commit and a regression test. The trail is reviewed in the Phase 0 exit gate (week 2) and feeds back into the per-role year-end performance evaluation. Commits 02e1734, ee6aad4, e98d158, a475ed8, c09c081 are the concrete artefacts behind that evidence claim.

Formal training programmes are the gap. Week 22 (2026-10-12) is the target for the first round of SOC 2 + ISO 27001 awareness training, aligned with the SOC 2 Type I observation cutoff. DPDP §8 + §17 awareness training lands week 13 (alongside the DPO filing). The trusted-setup ceremony (week 10, D-Q2-14) doubles as a hands-on competence-building exercise for the cryptography line (Agents #11, #12, #13, #27).

Retention discipline is operations-led. The cost / spend review on the last Friday of every month (per 06-ways-of-working.md "Monthly cadence") includes a "people" line where Agent #50 reports headcount + turnover + remediation plans. The first such review at the end of Phase 0 (week 2) sets the baseline.

Evidence references

  • docs/plan/bfsi-v1/03-team.md — 50-role roster with title + function + KPI block per role.
  • docs/plan/bfsi-v1/05-agents.md — week-by-week tickets per role.
  • docs/plan/bfsi-v1/agents/ — 50 per-role daily ticket files; each opens with reports-to + mandate.
  • docs/compliance/compliance-roadmap-v1.md §6 (vendor & counsel calendar) — sequence + week of external talent contracting.
  • docs/security/audit-findings.md — Phase 0 trail of closure as competence-demonstration evidence.
  • ADR 0011-branching-workflow.md (commit 51bc705) — sub-agent review gate that backstops competence at the technical boundary.
  • .claude/agents/security-reviewer.md, .claude/agents/cryptographer-reviewer.md — encoded second-pair-of-eyes.

Open gaps + remediation roadmap

  • SOC 2 + ISO awareness training (50 agents) — first cycle target week 22 (2026-10-12) per compliance-roadmap-v1.md §3.2. Owner: Agent #38, with Agent #36 sign-off.
  • DPDP §8 + §17 awareness training — target week 13 (2026-08-17), bundled with the §17 filing prep.
  • Annual performance evaluation cycle — first cycle target week 26 (2026-11-09); evaluation rubric maps to the KPI blocks in 03-team.md.
  • Role-specific runbooks — Agent #36 + #38 to publish "what an auditor will ask you" prep notes by week 14 (2026-08-24).

Test or audit query

  • ls docs/plan/bfsi-v1/agents/ | wc -l returns exactly 50 (one file per numbered role).
  • For each file in that directory, head -10 <file> contains the literal "Reports to:" and a "KPIs" reference; any file missing either is a finding against this control.
  • docs/security/audit-findings.md shows 5 of 5 Phase 0 P0 findings closed within Phase 0, each with a closing commit and a regression test, which demonstrates the team can close on a deadline.
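The first two checks above are the kind an auditor (or a CI job) runs repeatedly, so they are worth scripting rather than typing by hand. The script below is an added example, not a script from the ZeroAuth repository: it implements the "50 files, each with Reports to + KPIs in its first 10 lines" query as a function that returns non-zero on any failure, and it builds a constructed fixture directory (not the real roster) so the check can be exercised offline. It assumes the agents/ file naming pattern agent-<NN>-*.md described on this page; the fixture contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example for the CC1.4 audit query; not the project's own tooling.

# check_agents_dir DIR [EXPECTED]
# Passes (returns 0) only if DIR holds exactly EXPECTED (default 50)
# agent-*.md files and every one of them carries "Reports to:" and a
# "KPI" reference somewhere in its first 10 lines. Each failure is
# reported on stderr so an auditor sees every gap, not just the first.
check_agents_dir() {
  dir="$1"
  expected="${2:-50}"
  count=$(find "$dir" -maxdepth 1 -type f -name 'agent-*.md' | wc -l | tr -d ' ')
  if [ "$count" -ne "$expected" ]; then
    echo "FAIL: expected $expected role files in $dir, found $count" >&2
    return 1
  fi
  rc=0
  for f in "$dir"/agent-*.md; do
    if ! head -10 "$f" | grep -q 'Reports to:'; then
      echo "FAIL: $f has no 'Reports to:' in its first 10 lines" >&2
      rc=1
    fi
    if ! head -10 "$f" | grep -q 'KPI'; then
      echo "FAIL: $f has no KPI reference in its first 10 lines" >&2
      rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then
    echo "PASS: $count role files, each with 'Reports to:' and a KPI reference"
  fi
  return "$rc"
}

# make_fixture DIR N [BROKEN_SLOT]
# Constructed test data (assumption, not the real roster): writes N files
# named agent-NN-role.md into DIR. If BROKEN_SLOT is given, that one file
# is written without a "Reports to:" line so the check has something to catch.
make_fixture() {
  dir="$1"
  n="$2"
  broken="${3:-0}"
  mkdir -p "$dir"
  i=1
  while [ "$i" -le "$n" ]; do
    nn=$(printf '%02d' "$i")
    f="$dir/agent-$nn-role.md"
    {
      echo "# Agent #$i"
      if [ "$i" -ne "$broken" ]; then
        echo "Reports to: Agent #1"
      fi
      echo "Mandate: constructed fixture text"
      echo "KPIs: see 03-team.md role $i"
    } > "$f"
    i=$((i + 1))
  done
}

# Usage: ./check_cc14.sh docs/plan/bfsi-v1/agents
# With no argument the script only defines the functions, so it can be
# sourced from a CI job or a test harness.
if [ "$#" -gt 0 ]; then
  check_agents_dir "$1"
fi
```

Running it against a fixture with one file missing its "Reports to:" line prints a FAIL line naming that file and exits 1; a directory with 49 files fails on the count before any file is opened. Point it at the real docs/plan/bfsi-v1/agents/ directory to reproduce the audit query on the actual roster.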