_private/qwestly-private-docs/SOC2/change-management/SOC2-Change-Log.md

SOC2 Documentation — Change Log

Document Version: 1.0
Date: May 26, 2026
Owner: Dominick Pham, CTO
Classification: Internal Use

Purpose

This document tracks all changes to Qwestly's SOC2 compliance documentation. Each entry records what changed, why, and who authorized it. This satisfies SOC2 CC8.1 requirements for change management documentation and provides an audit trail for documentation evolution.

Change Entries
2026-05-26 — API Key Management Policy Created

Change: New policy document created: access-control/API-Key-Management.md

What was added:

  • API key rotation policy: 90-day rotation for production API keys (including AI provider keys)
  • Immediate rotation on suspicion of compromise
  • Procedure for key rotation (generate → verify → replace → redeploy → verify → revoke → log)
  • Key inventory table (OpenAI, LangSmith, VAPI)
  • Separation of prod/staging/dev keys
  • Storage requirements (Vercel env vars, no checked-in .env files)
  • Testing and validation schedule for key management

Why:

  • The May 21, 2026 OpenAI key compromise incident revealed a gap — there was no documented rotation policy for API keys
  • Existing credential policy only covered passwords ("Quarterly password reviews"), not third-party API keys
  • SOC2 auditors expect documented key/credential management for all production credentials
  • AI provider keys needed to be called out explicitly as a distinct credential category

Authorized by: Dominick Pham, CTO

SOC2 Criteria Addressed: CC6.1, CC6.3, CC6.6, CC7.1
[Future entries go above this line — keep newest first]