Purpose
This document outlines RunWhen's approach to controlled changes in production environments, ensuring that all changes are planned, reviewed, and executed securely and auditably. We enforce separation of duties among requestors, approvers, and implementers to safeguard system integrity and operational consistency.
Ownership and Oversight
Change management is jointly overseen by the VP of Engineering and the Head of DevOps/DevSecOps. They are responsible for defining, maintaining, and reviewing the change process; the current custodians are documented in our "Data Security and Privacy Policies" and "Compliance Monitoring and Audits".
Policy Controls
- Change Request Submission
  - All proposed changes are submitted as pull requests in Git, clearly authored by the requestor (typically a member of the DevOps or engineering team).
- Separation of Duties
  - Requestors: initiate changes and provide context within the pull request.
  - Approvers: senior DevOps/DevSecOps engineers or technical leads peer-review and approve changes before merge.
  - Implementers: once a change is approved, automated pipelines and reconciliation loops deploy it, so no single individual governs the workflow from start to finish.
- Version Control and Audit Trail
  - Every change, from request through approval and implementation, is captured in GitOps, ensuring full version history, traceability, and rollback capability.
- Automated Validation
  - Changes pass through layered CI/CD validations (reconciliation loops) using Kubernetes API server admission control, Kustomize, Flux, and Crossplane, enforcing consistency and compliance prior to deployment.
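The following manifests are an added illustration of the GitOps reconciliation and admission-control pattern described above; they are not RunWhen's own configuration. They assume a hypothetical Git repository (`example-org/platform-config`), a Flux installation in the `flux-system` namespace, and production namespaces labelled `environment: production`. The Flux objects make the reconciler, not an engineer, the only path from a merged pull request to the cluster, and the admission policy rejects any Deployment in production that was not applied by Flux (Flux's kustomize-controller labels every object it applies with `kustomize.toolkit.fluxcd.io/name`), so a direct `kubectl apply` that bypasses review is denied by the API server.

```yaml
# Added example (not RunWhen's configuration). Repository URL, paths and
# namespace labels are hypothetical placeholders.
---
# 1. Flux watches the reviewed branch of the config repository.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: platform-config
  namespace: flux-system
spec:
  interval: 1m
  url: https://github.com/example-org/platform-config   # hypothetical
  ref:
    branch: main                                        # only merged PRs land here
---
# 2. The reconciliation loop applies what is in Git and prunes what is not,
#    so the merged pull request is the single source of truth.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: production
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: platform-config
  path: ./clusters/production                           # hypothetical path
  prune: true
  wait: true
---
# 3. Admission control: Deployments in production must carry the label that
#    Flux stamps on everything it applies; anything else is rejected.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-flux-managed
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    - expression: >-
        has(object.metadata.labels) &&
        'kustomize.toolkit.fluxcd.io/name' in object.metadata.labels
      message: "Production Deployments must be applied by the Flux reconciler, not directly."
---
# 4. Bind the policy to production namespaces only (label is an assumption).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-flux-managed-prod
spec:
  policyName: require-flux-managed
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: production
```

With these in place, an engineer who runs `kubectl apply -f deployment.yaml` against a production namespace gets the policy's denial message, while the same manifest merged into `main` after review is applied by Flux within the next reconciliation interval and can be rolled back with a `git revert`. The policy checks only for Flux's label, so it should be paired with RBAC that prevents ordinary users from setting that label themselves.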
Methodology & Integration
Change management is embedded within our Secure Software Development Lifecycle (SSDLC):
- Design and risk assessments inform the initial change scope.
- Peer reviews and approval are required for production-impacting updates.
- Audit-ready commit history and automated validation ensure integrity and repeatability.
Continuous Improvement and Monitoring
Change governance is evaluated at least annually or whenever our tooling or process evolves, as noted in our "Compliance Monitoring and Audits". Improvements are made proactively in response to retrospectives, audits,