Skip to content

Customer Deliverable Development and Review Policy

Classification: Internal
Document status: Effective
Version: 1.2
Owner: Management / Security Owner
Review cycle: Annual; interim revision upon material change to delivery artifacts or customer sectors


Document control

Role Name
Prepared by Management / Security Owner (Cloudnaut)
Reviewed by Nidhi Jain (third-party reviewer)
Approved by Sandeep AC

Revision history

Version Date Summary Reviewed by Approved by
0.9 2021-03-14 Draft for third-party review prior to first effective release. Nidhi Jain (third party)
1.0 2021-06-18 Initial effective release. Nidhi Jain (third party) Sandeep AC
1.0 2024-03-11 Scheduled annual review; clarifications and cross-references (retained at version 1.0). Nidhi Jain (third party) Sandeep AC
1.1 2026-05-19 Protected branches, pre-deployment secure-configuration verification; SSDLC alignment. Nidhi Jain (third party) Sandeep AC
1.2 2026-05-19 Mandatory branch protection and CI/CD scan gates on engagement repositories. Nidhi Jain (third party) Sandeep AC

Purpose

This policy governs how technical deliverables are produced, reviewed, and transferred to customers.

Scope

This policy applies to Terraform, Terragrunt, AWS CDK, CloudFormation, scripts, application source, configuration, documentation, and other technical artifacts delivered under customer statements of work.

Policy

Deliverables are produced only within agreed scope. Each deliverable is reviewed for functional correctness, security, customer separation, and absence of embedded secrets before release to the customer environment.

Process

  1. Work occurs in engagement-specific or customer-approved repositories and branches.
  2. Branch protection on default and release branches is required on engagement repositories Cloudnaut provisions or maintains; changes merge only through pull request with documented peer review (minimum one approval) per the Secure Software Development Lifecycle Policy.
  3. Continuous SAST and SCA (Dependabot, Snyk, Sonar—see the Code Security Scanning Policy) runs in CI/CD on every pull request; quality gates block merge on configured critical findings until remediation or written customer-approved exception.
  4. Pre-deployment verification confirms secure configuration and alignment with AWS Well-Architected Security pillar checklist themes (and engagement baselines) for IaC and cloud deliverables before production or customer handover—see Pre-deployment security assessment and secure configuration in the Secure SDLC policy.
  5. Secrets, credentials, tokens, and non-public customer data are excluded from deliverable packages and repositories.
  6. Release to the customer uses approved channels: protected branches, artifacts, customer ticketing, or contract-defined handover.

Records

Typical evidence includes merge approvals, branch-protection settings, CI scan summaries, pre-deployment checklist notes, release tags, delivery tickets, and customer acceptance where recorded.