Production deploy segregation: code review required on main

SOC2.CC5.SEPDUTIES · GLOBAL · operational_security

Severity

high

Cadence

weekly

Region

global

Current status (Apollo Gaming Ltd.)

not evaluated

Requirement

Production deploys originate only from the main branch. The main branch requires a passing CI run plus one reviewer approval (waived while the team is solo-founder; restored automatically at first hire).

Source: AICPA TSC — CC5 Control Activities (segregation of duties)

Evidence specification

Evidence type	Connector	Spec	Acceptance criteria
`infra_config`	`cloud-aws`	{ "resource_type": "github_branch_protection", "branch": "main", "required_fields": [ "required_reviewers", "require_status_checks", "last_modified_at" ] }	`required_reviewers >= 1 OR documented solo-founder waiver` `require_status_checks == true`

Recent evaluations (Apollo Gaming Ltd.)

No evaluation history for this control yet.