Clerk.io

Change Management Policy – SOC 2 Edition

1. Purpose

To ensure that changes to Clerk.io production systems are authorised, tested and documented, reducing the risk of unintended service disruption or security impact.

2. Scope

Applies to code, infrastructure-as-code, configuration, schema migrations, and third-party service changes that could affect the confidentiality, integrity, availability, or privacy of customer data.

3. Process

  1. Proposal – Engineer opens GitHub Pull Request (PR) referencing Jira ticket.
  2. Automated Testing – CI pipeline executes unit, integration, SCA and SAST scans; PR must pass.
  3. Peer Review – Minimum 1 approver with appropriate domain knowledge.
  4. Security Review – Changes touching auth, crypto, or PII flagged for Security Champ review.
  5. Approval – Merge triggers Terraform Plan and requires SRE sign-off for infra changes.
  6. Deployment – Continuous Deployment auto-rolls to staging → canary → prod with automated rollback on failed health checks.
  7. Post-Deployment Verification – Monitoring dashboards and Slack bot confirm KPIs within tolerance.
  8. Documentation – Merged PR auto-syncs CHANGELOG, and incident docs if applicable.

4. Emergency Changes

Allowed when SLA/customer impact dictates. Steps:

  * Better Stack Incident Commander grants emergency-change label.
  * Change logged retrospectively within 24 h.
  * Post-mortem held within 5 days.

5. Segregation of Duties

No individual may both approve and deploy a change to production unilaterally. CI enforces this via branch protection rules.

6. Evidence & Metrics

See Controls Matrix entry CM-01 for evidence mapping.

Evidence ID: CM-01 (refer Controls Matrix).


Version 1.0