Change log¶
Append-only log of compliance-relevant changes to this product. Used by the DPO to track when things changed and why — and as a reading order during an audit ("show me the last 12 months of changes to data processing").
What goes here¶
Add an entry when this product:
- Starts collecting a new data field.
- Stops collecting a field (or changes its retention).
- Adds a third-party processor.
- Drops a third-party processor.
- Changes a processing purpose or its lawful basis.
- Changes a security control (encryption mechanism, key rotation cadence, MFA enforcement).
- Changes access tiers (new role with production access, existing role's permissions changed).
- Changes the subject-rights fulfilment process.
- Quarterly reaffirmation (one entry per quarter, just attesting "no changes since last entry").
What does NOT go here¶
- Bug fixes that don't change processing behaviour.
- UI tweaks.
- Performance work.
- Engineering refactors that don't affect data shape or controls.
When in doubt, ask: "would the DPO want to know?" If yes, add a row. If you can't think of a reason they'd care, skip.
Format¶
## YYYY-MM-DD — short summary
**Change**: one-sentence description.
**Impact**: what changed in compliance terms (new field collected, new processor, retention shortened, etc.).
**PR**: link to the PR that landed the change in product code.
**Docs PR**: link to the PR in this repo that updated `data-inventory.md` / `retention.md` / etc. to reflect it.
**Reviewed by**: the named reviewer who signed off.
Entries¶
2026-05-15 — Initial section published¶
Change: first version of ZevID's compliance section. Covers data inventory, processing purposes, data flows, third parties, security controls, access control, retention, subject rights.
Impact: documents the current state of ZevID as of 2026-05-15.
Reviewed by: Daniel Arowolo (ZevID lead) — authored. Izunna Ikewete (DPO) — review.