Compliance

Evidence index

This index ties the public compliance surface back to the repository-backed evidence documents.

Repository-backed evidence surface

Each entry below maps a public page to its underlying source-of-truth markdown, plus the owner and whether the status can be verified from the repo alone.

Release Gate Checklist

Canonical checklist for security, reliability, product, compliance, and rollout gates.

Owner: Engineering + Platform

Source doc: docs/compliance/release-gate-checklist.md

Repo verifiedOpen page

Monitoring and Alerting

SLOs, alert routing, escalation timing, and game-day evidence.

Owner: Operations

Source doc: docs/compliance/monitoring.md

Repo verifiedOpen page

Secrets and Access Governance

Secret rotation expectations, masked diagnostics, and least-privilege review evidence.

Owner: Security

Source doc: docs/compliance/secret-management.md

Repo verifiedOpen page

Vendor and Transfer Register

Subprocessors, regions, transfer scope, and data-handling notes.

Owner: Legal + Security

Source doc: docs/compliance/vendor-register.md

Repo verifiedOpen page

Retention and Processing

Deletion timelines, processing categories, and lifecycle handling for operational records.

Owner: Product + Compliance

Source doc: docs/compliance/retention-policy.md

Repo verifiedOpen page

External Approval Tracker

Named owners and dated approvals still required before production cutover can be claimed.

Owner: Product + Engineering + Ops + Legal

Source doc: docs/compliance/external-approval-tracker.md

External approval neededOpen page

Gate scoreboard

Security gate

Ready

Tenant isolation, auth/session hardening, internal token enforcement, and vulnerability evidence are checked in and guarded.

Reliability gate

Ready

Queue recovery, mail replay, subscription drift repair, backup/restore drill evidence, and migration smokes are recorded.

Product gate

Ready

Core flows, dashboard UX, evidence timeline, report-to-action loop, and authenticated pilot smoke are covered.

Compliance gate

Open

Repo-owned controls and evidence are ready, but legal/compliance approval still requires named external owners and dated signoff.

Rollout gate

Open

Feature flags, rollback criteria, and on-call docs are ready; production cutover approval still depends on external owner signoff.

External approvals still open

These are intentionally visible here so product, engineering, operations, and legal/compliance handoff work is not hidden behind repo-complete code.

Closure rule: owner + evidence + status + date

Product pilot signoff

pending

Owner: TBD

Evidence: Pilot notes and exported decision report bundle

Target date: TBD

Engineering rollout approval

pending

Owner: TBD

Evidence: Staging validation bundle and rollback criteria

Target date: TBD

Operations rollout window

pending

Owner: TBD

Evidence: On-call plan, monitoring proof, and backup evidence

Target date: TBD

Legal/compliance approval

pending

Owner: TBD

Evidence: Legal signoff record plus DPIA/DPA/subprocessor review

Target date: TBD