
CC5.3 — Deployment of policies and procedures

Status: Partially implemented (engineering policy live in CLAUDE.md + 06-ways-of-working.md; compliance procedure docs roll out per roadmap)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28

Trust Services Criteria reference

The entity deploys control activities through policies that establish what is expected and procedures that put policies into action. The control covers the documented policy set, the procedure-level operational guidance, the enforcement mechanism (technical or process), and the periodic review cycle for both.

How ZeroAuth meets this control

The policy-and-procedure surface is partitioned and linked.

Engineering policy. CLAUDE.md is the engineering constitution: non-goals, stack rules, critical-language rules, standing-instructions block (10 rules covering API contract reading, test-before-implementation, plan mode, sub-agent invocation, dep-add ADR, threat-model updates, deploy discipline, secrets handling, when-you-get-stuck). The companion docs/plan/bfsi-v1/06-ways-of-working.md is the procedure-level operational guidance: branch policy, commit-time gates (7 enumerated automated checks), sub-agent rules (path-to-reviewer authority map), plan-mode trigger list, Definition of Ready, three-altitude Definition of Done (per commit / per sprint / per release), daily / weekly / monthly cadences, escalation matrix, documentation hygiene, and "when the plan is wrong".

Compliance policy. docs/compliance/compliance-roadmap-v1.md is the 12-month forward plan. §2 enumerates 9 frameworks tracked. §3 lays out quarterly milestones. §4 lists 60 named deliverables across the year with owner + target week + dependency per row. §5 is the 52-row audit-calendar grid. §6 names 8 external counsel + vendor relationships with SoW + deliverables + cost + conflict-of-interest. §7 catalogues 8 named compliance risks. §8 defines the document-hygiene cycle (quarterly retrospectives, regulator-interaction log, evidence-pack rotation, link-check). The roadmap LAST_UPDATED line tracks revision; the in-text §8.4 mandates a quarterly cadence and ad-hoc updates via plan-change-proposal.

Privacy policy + procedure. docs/compliance/privacy/data-inventory-v1.md, docs/compliance/privacy/pia-template-v0.md, and docs/compliance/privacy/data-retention-policy-v0.md (all landed in commit e165569) form the v1 privacy baseline. docs/compliance/dpdp-2t-commitments-memo-v0.md (landed commit 416eaab) is the §2(t) classification skeleton. Counsel-reviewed v1 lands week 6, per compliance-roadmap-v1.md §6.1.

Operational procedure. docs/operations/anchor-bank-demo-runbook.md (commit 8b72f5f) is the scene-by-scene operator script for the Phase 1 bank demo. docs/operations/admin-dashboard.md, docs/operations/central-api-delivery-plan.md, docs/operations/deployment.md, docs/operations/env-vars.md, docs/operations/demo-runbook.md, docs/operations/device-support-matrix.md cover the day-2 operations.

Cryptography procedure. docs/cryptography/trusted-setup-ceremony.md (commit bb682f3) is the multi-party ceremony runbook for the v1.2 circuit. ADR 0015 (commit 27ed93c) defines the version-bump procedure with no shortcuts allowed (ADR → ceremony → artefacts → verifier redeploy → constants update → sub-agent approve → external cryptographer attestation).

Security procedure. SECURITY.md (repository root) is the inbound vulnerability-report channel. The bug-bounty disclosure policy lands at docs/security/bug-bounty-disclosure-policy.md in Phase 3 week 27, alongside the programme launch.

Enforcement is split between technical and process layers. Technical: the pre-commit hook and its CI mirror enforce the 06-ways-of-working.md commit-time gates; the local hook is advisory only (git lets a committer skip it with --no-verify), so the CI mirror is the copy that actually binds. ADR 0011 (commit 51bc705) makes branch protection non-bypassable, which is what stops a gate-failing commit from reaching a protected branch. The boot-time vkey check (commit e98d158) makes ADR 0015 non-bypassable: a verifier started against the wrong key refuses to serve. The appendAuditEvent-only-write grep test (commit c09c081) makes ADR 0013 non-bypassable: any source file other than the sanctioned writer that touches the audit store fails the build. Process: the sub-agent review (security-reviewer, cryptographer-reviewer) is the second-layer enforcement that catches what technical gates cannot. The escalation matrix is the third layer.
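As an added example of the grep-based invariant test described above (this is illustrative code, not ZeroAuth's own test from commit c09c081; the sanctioned-writer path, the audit_events table name, the file globs and the TypeScript snippets in the fixture are all assumptions), the guard below scans a source tree for raw writes to the audit store, tolerates them only in the one sanctioned writer, and additionally refuses UPDATE/DELETE even there, because an append-only log is only append-only if nobody can mutate it. It also fails closed when the sanctioned writer is missing, so a rename cannot silently hollow out the check.

```shell
#!/bin/sh
# Added example, not ZeroAuth project code. Paths, table name and patterns are
# assumptions chosen for illustration.

# Only this file may contain a raw write to the audit store.
ALLOWED_WRITER="src/audit/appendAuditEvent.ts"
# Any of these counts as a direct write to the (assumed) audit_events store.
WRITE_PATTERN='INSERT INTO audit_events|UPDATE audit_events|DELETE FROM audit_events|audit_events\.(insert|update|delete)\('
# Even the sanctioned writer may never mutate or remove rows.
MUTATE_PATTERN='UPDATE audit_events|DELETE FROM audit_events|audit_events\.(update|delete)\('

# audit_write_guard ROOT
#   prints offending "file:line:text" entries to stdout,
#   returns 0 when the invariant holds, 1 on violations, 2 if the guard cannot run.
audit_write_guard() {
    root="$1"
    if [ ! -f "$root/$ALLOWED_WRITER" ]; then
        printf 'sanctioned writer %s missing; invariant cannot be checked\n' "$ALLOWED_WRITER" >&2
        return 2
    fi
    # Writes anywhere except the sanctioned writer.
    offenders=$(grep -rEn --include='*.ts' --include='*.js' --include='*.sql' \
        "$WRITE_PATTERN" "$root" 2>/dev/null \
        | grep -v "^$root/$ALLOWED_WRITER:" || true)
    # Mutations inside the sanctioned writer (append-only means insert only).
    mutations=$(grep -En "$MUTATE_PATTERN" "$root/$ALLOWED_WRITER" || true)
    if [ -n "$offenders" ] || [ -n "$mutations" ]; then
        [ -n "$offenders" ] && printf '%s\n' "$offenders"
        [ -n "$mutations" ] && printf '%s/%s:%s\n' "$root" "$ALLOWED_WRITER" "$mutations"
        return 1
    fi
    return 0
}

# make_fixture MODE
#   builds a throwaway source tree (constructed sample, not real ZeroAuth code)
#   and prints its path. MODE "dirty" adds a file that bypasses the writer.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src/audit" "$dir/src/api"
    cat > "$dir/src/audit/appendAuditEvent.ts" <<'EOF'
export async function appendAuditEvent(db, ev) {
  // The one sanctioned write path: append-only, hash-chained.
  await db.query('INSERT INTO audit_events (prev_hash, body) VALUES ($1, $2)', [ev.prev, ev.body]);
}
EOF
    cat > "$dir/src/api/login.ts" <<'EOF'
import { appendAuditEvent } from '../audit/appendAuditEvent';
export async function login(db, user) { await appendAuditEvent(db, { prev: null, body: 'login' }); }
EOF
    if [ "$1" = "dirty" ]; then
        cat > "$dir/src/api/admin.ts" <<'EOF'
export async function purge(db) { await db.query('DELETE FROM audit_events WHERE id < $1', [0]); }
EOF
    fi
    printf '%s\n' "$dir"
}

# Stand-alone run: exit status mirrors what a pre-commit hook or CI job would see.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture dirty)
    audit_write_guard "$d"; rc=$?
    rm -rf "$d"
    exit "$rc"
fi
```

Wire it into the pre-commit hook and the CI mirror alike; the local copy gives fast feedback, the CI copy (behind non-bypassable branch protection) is the one that makes the invariant binding.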

Periodic review is on the cadence. 06-ways-of-working.md "Monthly cadence" specifies the 1st-of-month phase progress review, the 15th-of-month risk-register review, and the last-Friday cost / spend review. compliance-roadmap-v1.md §8.4 mandates quarterly updates of the roadmap. The threat-model + audit-findings docs are updated on every closure (the closed-loop rule).

Evidence references

  • CLAUDE.md (repository root) — engineering constitution.
  • docs/plan/bfsi-v1/06-ways-of-working.md — operational procedures.
  • docs/compliance/compliance-roadmap-v1.md — 12-month compliance policy.
  • docs/compliance/privacy/data-inventory-v1.md + pia-template-v0.md + data-retention-policy-v0.md — privacy policy artefacts.
  • docs/compliance/dpdp-2t-commitments-memo-v0.md — DPDP classification policy.
  • docs/operations/anchor-bank-demo-runbook.md — operational procedure for the bank demo.
  • docs/cryptography/trusted-setup-ceremony.md — cryptography procedure.
  • SECURITY.md (repository root) — security policy.
  • ADRs 0011 + 0013 + 0014 + 0015 + 0016 — decision-records that constrain procedure-design.
  • Commit e165569 — privacy docs landed.
  • Commit 8b72f5f — bank demo runbook landed.
  • Commit bb682f3 — trusted-setup ceremony runbook landed.
  • Commit 416eaab — DPDP §2(t) memo skeleton landed.

Open gaps + remediation roadmap

  • JWT key rotation playbook: docs/operations/jwt-key-rotation-playbook.md is named in docs/security/audit-findings.md C-11 notes; target sprint 2, alongside the RS256 migration.
  • Cross-border processor fallback policy: docs/compliance/dpdp/cross-border-fallbacks.md, target week 8 (2026-07-20).
  • DPDP §8 breach-notification playbook: target week 6 (2026-07-06), counsel SoW deliverable.
  • Sandbox re-application plan: docs/compliance/rbi/sandbox-re-application-plan.md, Phase 3 deliverable.
  • Bug-bounty disclosure policy: docs/security/bug-bounty-disclosure-policy.md, Phase 3 week 27.

Test or audit query

ls docs/compliance/ docs/operations/ docs/cryptography/ docs/security/ should list the policy artefacts named above. grep LAST_UPDATED docs/compliance/compliance-roadmap-v1.md should print the revision line, and the date on it should fall within the last quarter (§8.4 cadence); a stale date means the policy exists but is not being maintained. git log --oneline -- CLAUDE.md docs/plan/bfsi-v1/06-ways-of-working.md should show steady-state updates across phases rather than a single initial commit.