Owner: CTO and CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC6.1 / CC6.7; ISO/IEC 27001 A.8.24 (use of cryptography) and A.5.17 (authentication information). Implements the Cryptography Policy.
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC6.1 / CC6.7; ISO/IEC 27001 A.8.24 (use of cryptography) and A.5.17 (authentication information). Implements the Cryptography Policy.
Scope
Every key class in the Key rotation cadence table is covered by this procedure. Where this procedure and the policy table appear to disagree, the policy table controls.| Key class | Owner | Routine cadence | Stored in |
|---|---|---|---|
| Vault Transit application-layer keys | CTO + CISO | Annual | HashiCorp Vault |
| AWS KMS Customer-Managed Keys (CMKs) | CTO + CISO | Annual (auto) | AWS KMS |
| Vultr platform-managed at-rest keys | Vultr | Provider-managed | Vultr |
| TLS server certificates | CTO | ≤ 1 year | ACM / Cloudflare / per-service issuer |
| Long-lived third-party API keys | CTO | Annual; on personnel change | Vault |
| Release-pipeline application tokens | CTO | Annual; on any 401/403 in CI; on personnel change | GitHub Actions Secrets (migrating to Vault) |
| Service-account static keys | CTO | 90 days | Vault |
| Static database passwords (where dynamic unavailable) | CTO | 90 days; on personnel departure with access | Vault |
| Application password peppers | CISO | 24 months | Vault |
| Vault root token (break-glass) | CISO | After every break-glass use; otherwise annual | Sealed Dashlane vaults |
Triggers
| Trigger | Action |
|---|---|
| Routine cadence reached | Standard rotation per §“Process — routine rotation” |
| Suspected compromise | Immediate emergency rotation per §“Process — emergency rotation”; treat as P0 or P1 incident |
| Personnel departure with access to a static credential | Rotation of every credential the departing person had access to, completed within the Offboarding SLA for that separation tier |
| 401 / 403 in CI on a release-pipeline token | Rotation of that token immediately; root-cause review before next release |
| Vendor-disclosed compromise of a third-party key | Rotation immediately on disclosure; incident filed |
Process — routine rotation
- Schedule. The owner files a Linear issue at least 30 days before the next rotation date for every key class with a target date. The Compliance Calendar carries the canonical schedule.
- Plan. Owner attaches to the issue: key identifier, current version, new-version method (auto-rotate, manual rotate, key roll), affected consumers, expected downtime (target: zero), backout plan.
- Approve. CISO approves before execution. For Vault root-token and Vault Transit keys, the CTO also approves. At current scale, CTO and CISO are the same individual (per Roles & Personnel); the dual-approval requirement is satisfied by the same approver signing in both capacities and by the CEO independently attesting within 5 business days that the rotation occurred per the role-concentration compensating controls. CEO attestation is recorded on the evidence file at
/registers/key-rotations/<YYYY-MM>-<class>.mdx. - Execute. Owner performs the rotation:
- AWS KMS CMKs — confirm automatic key-material rotation is enabled and that the most-recent rotation completed; manual rotation only if the table mandates or if compromise is suspected.
- Vault Transit keys — issue
vault write -f transit/keys/<name>/rotate; consumers are unaffected because Vault tracks key versions and decrypts with the historical version. - TLS server certificates — issued via ACM / Cloudflare; rotation is automatic where supported and tracked via the SSL Labs scan results.
- Long-lived third-party API keys — create new key in the provider’s console, write to Vault, update consumers, verify, revoke old key.
- Release-pipeline tokens — see the release.yml header for per-token re-issue steps; CI must be green on the new value before the old value is revoked.
- Service-account / static-DB credentials — prefer migration to dynamic credentials via Vault; if migration is not yet possible, rotate per the 90-day cadence using Vault’s versioned KV.
- Application password peppers — rotate per Cryptography Policy → Application password peppers; old pepper retained as verify-only until cutover completes.
- Vault root token — rotate via the documented unseal-quorum procedure with both CISO and CTO present; new token is re-sealed into both CISO and CTO Dashlane vaults.
- Verify. Consumers continue to function. For application-layer keys, a sample decrypt test is performed against both the new and the prior version. For TLS, the SSL Labs scan is re-run.
- Revoke. Old credential is revoked / disabled / scheduled for destruction per the key class — KMS CMKs are scheduled for deletion only after a 30-day waiting period to avoid loss of access to historical ciphertext; Vault key versions are kept long enough to decrypt any historical ciphertext that may need to be re-wrapped, then archived.
- Record. Owner writes an evidence note (template below) to the Linear issue and uploads to the SharePoint SOC 2 / ISO 27001 evidence library.
Process — emergency rotation
Emergency rotation is initiated on suspected compromise of a key, on disclosed compromise by a vendor, or on direction of the CISO for any reason. Treat as a P0 incident (compromise of customer-data-bearing key) or P1 (compromise of an operational credential), per the Incident Response Policy.- Declare. CISO opens an incident; IR commander assigned.
- Rotate. Same mechanical steps as routine, but executed immediately — rotation completion is targeted within the P0 (customer-data-bearing key) or P1 (operational credential) containment timeline in the Incident Response Policy, and the actual completion time is recorded in the incident timeline. Where the key class supports versioned co-existence (Vault Transit, application password peppers), the new version is added in parallel and consumers cut over. Where it does not (long-lived API keys), there is a brief window of consumer impact that is tracked in the incident timeline.
- Revoke aggressively. Old credential is revoked the moment the new credential is in use, not on the usual cooldown.
- Investigate. IR commander runs root-cause analysis per the Incident Response Policy post-incident-review, including a search for unauthorized use of the prior key in the relevant log retention window per the Log Review procedure.
- Report. Incident outcome and any control change is reported at the next ISMS Management Review. External notice obligations (regulator, customer, partner) are evaluated by the General Counsel as part of the IR runbook.
Evidence note — template
Records
Routine-rotation evidence and emergency-rotation post-mortems are retained for at least 7 years per the Records Retention Schedule. The underlying Vault audit log carries the cryptographic-operation record per the Cryptography Policy.Reporting
Rotation status across the table is reviewed at:- The quarterly access reviews per the Access Reviews procedure.
- The annual SOC 2 / ISO 27001 audit.
- The ISMS Management Review when the Logging & Monitoring / Access Control rotation falls in the deep-dive quarter.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 15, 2026 | Initial version — implements Cryptography Policy and Secrets Management, SOC 2 CC6.1 / CC6.7, ISO 27001 A.5.17 / A.8.24 | Cameron Wolfe | Ishan Jadhwani |