CC2.2 — Internal communications channels
Status: Partially implemented (status posts + commit trail live; central comms tool target Phase 1)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity internally communicates information, including objectives and responsibilities, necessary to support the functioning of internal control. The control covers the channels through which management speaks to staff, the channels through which staff speak to management, the cadence of those communications, and the documentation of material decisions.
How ZeroAuth meets this control
Internal communications are channel-typed and cadence-fixed. The complete map lives in docs/plan/bfsi-v1/06-ways-of-working.md:
- Daily 09:30 IST engineering standup — 15 minutes, all engineering agents, output is blockers + plan for the day.
- Daily 10:00 IST sub-agent review-queue check — roles 26, 27 (security + crypto reviewers) clear the PR-review backlog.
- Mon/Wed/Fri 14:00 mobile sync — roles 4, 17, 18, 19 sync on device-fleet state + prover progress.
- Tue/Thu 16:00 backend + crypto sync — roles 2, 6, 7, 8, 11, 12, 13 sync on audit-chain progress + prover spec.
- Friday 18:00 status posts — all 50 agents file a four-line status; line VPs and the founder read all of them.
- Mon AM weekly — sprint planning or mid-sprint progress review (Role 1 + VPs).
- Wed PM weekly — cross-line architecture sync (Role 1 + VPs).
- Monthly 1st — phase progress review with Role 1 + Role 28 + Role 36 + Role 42.
- Monthly 15th — risk register review with Role 40.
- Monthly last Friday — cost / spend review with Role 50.
The escalation matrix in the same document gives staff-to-management an enforced path:
- Engineering technical blocker → line VP same day.
- Security or crypto open question → roles 26, 27 same day.
- Compliance or regulator question → role 36 same day.
- Customer escalation → role 42 → role 46 within 4 h.
- Severity-1 production incident → roles 5, 21, 26 → role 1 pageable within 15 min.
- Sub-agent REQUEST_CHANGES not addressed → role 1 within 24 h.
- Phase-exit-gate at risk → role 1 + line VPs 1 week before gate.
Asynchronous channels exist alongside the synchronous cadence. The commit history (git log) is the always-on "what did people do today" log; commit subjects carry the pain-point or audit-finding ID, so an auditor can recover the decision trail without attending a meeting. The Phase 0 audit-finding closure trail demonstrates this — commits 02e1734, ee6aad4, e98d158, a475ed8, d634b2d, c09c081 together close 5 P0 findings, each with a body that explains the why.
Material decisions are captured in ADRs under /adr/. The directory has 16 entries today (0000-grandfather-initial-deps.md through 0016-zod-input-validation.md landed 2026-05-26). Every architecturally consequential decision is supposed to land an ADR before the implementation merges — see the "Documentation hygiene" rule in 06-ways-of-working.md. ADR 0011 (commit 51bc705) is the load-bearing decision for branch hygiene; ADR 0013 (commit 27ed93c) for the audit hash chain; ADR 0015 (commit 27ed93c) for circuit-version pinning; ADR 0016 (commit 76f8d4e) for the zod input-validation layer.
The compliance-specific channels are documented in compliance-roadmap-v1.md. §8.2 mandates the regulator-interaction log at docs/compliance/regulator-log.md (append-only, every interaction with RBI / DPB / an auditor representing a regulated bank is captured). §8.1 mandates the quarterly compliance retrospective. The Phase 0 retrospective (week 14) is the first signed-off communication artefact.
A centralised real-time chat tool (Slack-class) is the gap. Today the team communicates via the standup + commit + ADR trail; for in-the-moment coordination an async + meeting cadence suffices for the 50-agent footprint, but Phase 1 hiring will push past the threshold where this works.
Evidence references
- docs/plan/bfsi-v1/06-ways-of-working.md "Daily cadence", "Weekly cadence", "Monthly cadence" — the channel + cadence inventory.
- docs/plan/bfsi-v1/06-ways-of-working.md "Escalation" — the staff-to-management path.
- /adr/ directory — 17 ADRs (0000–0016), each a material-decision record.
- Commit 51bc705 — ADR 0011 — load-bearing branch-workflow decision.
- Commit 27ed93c — ADRs 0013, 0014, 0015 — audit chain + on-chain anchor + circuit pin.
- Commit 76f8d4e — ADR 0016 — zod input validation.
- docs/compliance/compliance-roadmap-v1.md §8.1, §8.2 — quarterly retro + regulator-log requirements.
- docs/security/audit-findings.md — published comms artefact of "what's open, what's closed".
Open gaps + remediation roadmap
- Real-time chat tool selection (Slack / Mattermost / Element) — target Phase 1 week 6 (2026-07-06); R-COMP-04 (customer-touchpoint communications) needs a live channel by Phase 1 pilot kickoff.
- Regulator-log file — docs/compliance/regulator-log.md is named in the roadmap but not yet seeded; first row (DPDP counsel kickoff) target week 2 (2026-06-05).
- Internal communications policy — written rules for confidentiality, retention, recall. Target week 22 (2026-10-12).
Test or audit query
Auditor reads docs/plan/bfsi-v1/06-ways-of-working.md "Daily cadence" + "Escalation" sections, then asks for the last 14 days of Friday status posts (target archive location: docs/plan/bfsi-v1/status/<YYYY-WW>.md once the format is standardised week 14).