Customer Deliverable Development and Review Policy

Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to delivery artifacts or customer sectors


Purpose

This policy governs how technical deliverables are produced, reviewed, and transferred to customers.

Scope

This policy applies to Terraform, Terragrunt, AWS CDK, CloudFormation, scripts, application source, configuration, documentation, and other technical artifacts delivered under customer statements of work.

Policy

Deliverables are produced only within agreed scope. Each deliverable is reviewed for functional correctness, security, customer separation, and absence of embedded secrets before release to the customer environment.

Process

  1. Work occurs in engagement-specific or customer-approved repositories and branches.
  2. Changes merge only after documented peer review (for example, pull request approval).
  3. Dependency and static analysis tooling, including Dependabot and Snyk where applicable, supports pre-delivery review.
  4. Secrets, credentials, tokens, and non-public customer data are excluded from deliverable packages and repositories.
  5. Release to the customer uses approved channels: protected branches, artifacts, customer ticketing, or contract-defined handover.

Records

Typical evidence includes merge approvals, scan summaries, release tags, delivery tickets, and customer acceptance where recorded.