CC2.3 — External communications (customers, vendors, regulators)
Status: Partially implemented (DPDP §5 notice templates landed; regulator-log file seeded by week 2)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity communicates with external parties regarding matters affecting the functioning of internal control. This includes customer-facing notices, vendor security expectations, regulator notifications (breach reporting, statutory filings), and the appropriate channels for inbound external communications (e.g. a published security contact, a privacy-officer mailbox).
How ZeroAuth meets this control
External communications are framework-specific and channel-typed. The compliance roadmap §2 ("Frameworks tracked") enumerates the regulator interfaces per framework: DPDP Act 2023 → Data Protection Board of India (DPB), with the first statutory filing under §17 (DPO appointment + processor disclosures) targeted for week 13; RBI MD on IT Governance → indirect through partner banks, with docs/compliance/rbi/inspection-readiness-checklist.md as the artefact handed over; RBI Digital Lending + DPS Controls + KYC MDs → also indirect with mapping documents per framework; SOC 2 + ISO 27001 → audit firms with named lead auditors and named relationship cadence; RBI Regulatory Sandbox → RBI FinTech Department with a one-shot application window in weeks 35–39.
DPDP §5 (notice to data principals) compliance is structured in docs/compliance/privacy/data-inventory-v1.md and docs/compliance/privacy/pia-template-v0.md. Every personal-data flow has a stated purpose, lawful basis, retention window, and a tagged data-principal communication path. The docs/compliance/dpdp-2t-commitments-memo-v0.md ("commitment hashes and DIDs are not personal data") is the first counsel-facing artefact; a v1 lands after the week 4 DPDP-counsel call, per compliance-roadmap-v1.md D-Q1-05.
Customer-facing communications are mediated through three published surfaces: the docs site at https://docs.zeroauth.dev/ (Docusaurus), the marketing site at https://zeroauth.dev/, and the in-product copy in dashboard/. The docs site is the source of truth for the API contract (docs/api_contract.md), error codes (docs/error_codes.md), and the architecture decision trail. The marketing site is the controlled-claims surface — the language rules in CLAUDE.md ("AI-powered" banned, "deepfake-immune" only with the visual-spoofing-class qualifier, "production stack" replaced with "live reference implementation", "Dr. Pulkit" replaced with "Senior Software Engineer") prevent overstated security claims from escaping into external messaging.
Vendor security expectations are codified through the DPA process. The compliance roadmap §1.3 lists the three cross-border processors with a DPA on file (GitHub, Sentry, Cloudflare). §6 names the in-flight external vendor relationships with SoW + deliverables + cost envelope + conflict-of-interest check per vendor — DPDP counsel (§6.1), external cryptographer (§6.2), SOC 2 auditor (§6.3), ISO 27001 lead auditor (§6.4), smart-contract audit firm (§6.5), RBI counsel (§6.6), bug-bounty platform (§6.7), evidence-collector tool vendor (§6.8). Each vendor relationship is owned by a named agent.
Inbound external security communications are routed through SECURITY.md at the repository root. This document is the GitHub-recognised security-policy file and gives an external researcher a single inbox into which to report a vulnerability. The bug-bounty programme (target week 27 launch, per compliance-roadmap-v1.md D-Q3-03) layers a formal, scoped channel on top of SECURITY.md.
Regulator notification SLAs are explicit. DPDP §8 mandates 72-hour breach notification; the SOP for that lands as docs/compliance/dpdp/breach-notification-playbook.md (target week 6 per the DPDP-counsel SoW). The first tabletop exercise is scheduled for week 33. Production sev-1 incidents are governed by the on-call escalation in 06-ways-of-working.md "Escalation" — 15-minute pageable to Role 1 — and feed the breach playbook downstream.
Evidence references
- docs/compliance/compliance-roadmap-v1.md §2 — framework-by-framework regulator interface.
- docs/compliance/compliance-roadmap-v1.md §1.3 — cross-border processor DPA list.
- docs/compliance/compliance-roadmap-v1.md §6 — eight external vendor / counsel relationships with named owners.
- docs/compliance/dpdp-2t-commitments-memo-v0.md — DPDP §2(t) commitments memo skeleton.
- docs/compliance/privacy/data-inventory-v1.md — data inventory for §5 notice generation.
- docs/compliance/privacy/pia-template-v0.md — PIA template.
- SECURITY.md (repository root) — inbound vulnerability-report channel.
- docs/api_contract.md and docs/error_codes.md — published source of truth for customer-developer comms.
- Commit e165569 — privacy docs (data inventory v1 + PIA template + retention policy v0) landed.
- ADR 0011-branching-workflow.md (commit 51bc705) — controls external-facing commit hygiene.
Open gaps + remediation roadmap
- docs/compliance/regulator-log.md seeded with first entry — DPDP-counsel kickoff (week 2, 2026-06-05). Owner: Agent #37 (DPDP lead).
- DPDP §8 breach-notification playbook v1 — target week 6 (2026-07-06), per compliance-roadmap-v1.md §6.1 SoW. First tabletop exercise week 33.
- Customer-facing breach communication template — separate from regulator filing; required for DPDP + SOC 2 CC7.5. Target week 13 (2026-08-17).
- Per-tenant data-processing agreement template — referenced in compliance roadmap §2.5 (KYC MD) and §1.3; lands as docs/legal/dpa-template-v1.md by Phase 1 exit (week 12).
Test or audit query
Auditor verifies that SECURITY.md exists at the repo root and is referenced from README.md; then opens docs/compliance/regulator-log.md and confirms at least one append-only row exists (post-week-2). Then grep -rEn "AI-powered|deepfake-immune|production stack|Dr\. Pulkit" docs/ src/ dashboard/ public/ should return zero matches for any banned phrase.
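The three checks in the audit query above, scripted as shell functions so they can run in CI ahead of the auditor. This is an added example, not ZeroAuth's own tooling: the paths, the banned-phrase regex and the regulator-log location are taken from this page, while the fixture builder, its file contents, the script name cc23_audit.sh and the assumption that regulator-log.md is a markdown table are constructed for offline demonstration.

```shell
# Added example (not ZeroAuth tooling): scripts the CC2.3 audit query.
# Paths and the banned-phrase list come from the control page; the fixture
# builder and the markdown-table assumption for regulator-log.md are constructed.

BANNED_RE='AI-powered|deepfake-immune|production stack|Dr\. Pulkit'

# Check 1: SECURITY.md sits at the repo root and README.md points to it.
check_security_md() {
  local repo="$1"
  [ -f "$repo/SECURITY.md" ] || { echo "FAIL: $repo/SECURITY.md missing"; return 1; }
  grep -q 'SECURITY.md' "$repo/README.md" 2>/dev/null \
    || { echo "FAIL: README.md does not reference SECURITY.md"; return 1; }
  echo "PASS: SECURITY.md present and referenced from README.md"
}

# Check 2: regulator-log.md holds at least one entry. Assumes (constructed
# assumption) that the log is a markdown table, so the header and separator
# rows are discounted before counting.
check_regulator_log() {
  local log="$1/docs/compliance/regulator-log.md" rows
  [ -f "$log" ] || { echo "FAIL: $log missing"; return 1; }
  rows=$(grep -c '^|' "$log" || true)
  [ "$rows" -ge 3 ] || { echo "FAIL: regulator log has no entries"; return 1; }
  echo "PASS: regulator log has $((rows - 2)) entry row(s)"
}

# Check 3: no banned marketing phrase survives in the external-facing trees.
# Every hit is listed so the reviewer can judge context (grep cannot tell a
# qualified "deepfake-immune" from an unqualified one).
check_banned_phrases() {
  local repo="$1" hits
  hits=$(cd "$repo" && grep -rEn "$BANNED_RE" docs/ src/ dashboard/ public/ 2>/dev/null || true)
  if [ -n "$hits" ]; then
    echo "FAIL: banned phrases found:"
    echo "$hits"
    return 1
  fi
  echo "PASS: no banned phrases in docs/ src/ dashboard/ public/"
}

# Runs all three checks; the return status is the number of failed checks,
# so a CI job can gate on a non-zero exit.
cc23_audit() {
  local repo="$1" failures=0
  check_security_md "$repo"    || failures=$((failures + 1))
  check_regulator_log "$repo"  || failures=$((failures + 1))
  check_banned_phrases "$repo" || failures=$((failures + 1))
  echo "CC2.3 audit of $repo: $failures check(s) failed"
  return "$failures"
}

# Constructed fixture for offline demonstration. mode=clean passes all three
# checks; mode=dirty plants a banned phrase under public/ so check 3 fails.
make_fixture() {
  local repo="$1" mode="$2"
  mkdir -p "$repo/docs/compliance" "$repo/src" "$repo/dashboard" "$repo/public"
  printf '# Security policy\nReport vulnerabilities to the security inbox.\n' > "$repo/SECURITY.md"
  printf '# ZeroAuth\nSee SECURITY.md to report a vulnerability.\n' > "$repo/README.md"
  # the single data row mirrors the seeded entry named on the control page
  printf '| date | counterparty | event |\n|---|---|---|\n| 2026-06-05 | DPDP counsel | kickoff call |\n' \
    > "$repo/docs/compliance/regulator-log.md"
  printf 'ZeroAuth is a live reference implementation.\n' > "$repo/public/index.md"
  if [ "$mode" = dirty ]; then
    printf 'An AI-powered production stack.\n' > "$repo/public/landing.md"
  fi
}

# Usage (hypothetical file name): sh cc23_audit.sh /path/to/checkout
[ "$#" -eq 0 ] || cc23_audit "$1"
```

Note that the grep flags every occurrence of "deepfake-immune", including the qualified form that CLAUDE.md permits, so hits on that phrase need a manual read against the qualifier rule rather than an automatic fail; the other three phrases are unconditional bans and any hit is a finding.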