Process
Ownership matrix
Who owns what at Matter. Per-bounded-context owners, on-call rotation, escalation paths, quarterly review cadence. Updated quarterly. Published for enterprise transparency.
Last updated
This page documents who owns what at Matter. It is reviewed quarterly and updated as the team grows. Customers can identify the right contact for a specific surface; auditors can trace control ownership; on-call escalation is unambiguous.
The ownership matrix is part of the SOC 2 evidence pack (CC1 — Control Environment).
Bounded-context ownership
| Bounded context | Primary owner | Secondary | Quarterly review lead |
|---|---|---|---|
| Authority | named engineer | named engineer | CTO |
| Entity lifecycle | named engineer | named engineer | Engineering lead |
| Equity | named engineer | named engineer | Engineering lead |
| Documents | named engineer | named engineer | Engineering lead |
| Compliance | named engineer | named engineer | Engineering lead |
| Operations | named engineer | named engineer | Engineering lead |
| Platform | named engineer | named engineer | CTO |
| Customer surfaces | named engineer | named engineer | Engineering lead |
Note: the team's current size is small; some owners hold multiple contexts. The matrix scales as the team grows. The names are deliberately omitted from this public page; internal-only mirror at
apps/docs/internal/ownership.mdxcarries the live names.
The primary owner:
- Reviews every PR that touches their context.
- Holds bus-factor responsibility — they are the single point of "ask this person."
- Maintains the context's invariants. Defends against drift in API Council reviews.
- Authors the context's runbooks.
- Sets the context's on-call rotation.
The secondary owner:
- Backs up the primary during vacations, leave, departures.
- Reviews context PRs when the primary is unavailable.
- Maintains awareness of the context's invariants — bus-factor resilience.
The quarterly review lead ensures the context's invariants are tested, the runbooks are current, the SLOs are met, and the threat model entries are accurate.
On-call rotation
Cadence. Weekly. Handover every Monday at 10:00 UTC per the handover protocol.
Tiers.
- Primary on-call. Pages first. Handles SEV3 + SEV4 directly. Triages SEV1 + SEV2 and pulls in secondary.
- Secondary on-call. Pages on
escalation_after_minif primary does not acknowledge. Handles SEV1 + SEV2 with primary. - Manager on-call. Pages on SEV1 declaration. Handles customer comms.
- Engineering lead. Pages on SEV1 sustained > 30 minutes.
Pool. Primary + secondary draw from a rotation of approximately 6 engineers (target). At small team sizes, the same engineer may serve as both primary and secondary across weeks. As the team grows past 8 engineers, the pool widens.
Escalation path per severity
(Full severity definitions at severity-matrix.)
SEV1
- 0 minutes. Page primary on-call.
- 0 minutes. Page manager on-call.
- 0 minutes. Page engineering lead.
- 5 minutes. Page secondary on-call (if primary unacknowledged).
- 15 minutes. Status page incident declared.
- 30 minutes. Customer email sent to affected scope.
- 30 minutes onwards. Status page update every 30 minutes until resolution.
SEV2
- 0 minutes. Page primary on-call.
- 0 minutes. Page manager on-call.
- 10 minutes. Page secondary on-call (if primary unacknowledged).
- 30 minutes. Status page incident declared.
- 60 minutes. Customer email sent to affected scope.
- 60 minutes onwards. Status page update every 60 minutes until resolution.
SEV3
- 0 minutes. Ticket in on-call queue.
- In-hours response. Primary on-call responds during business hours.
- No page outside business hours unless escalation.
- Status page: internal-only entry; no customer email.
SEV4
- Ticket in backlog. No page.
- No status entry. No customer comms.
Decision rights
| Decision | Authority | Notes |
|---|---|---|
| Endpoint approval (gate 1 + gate 2) | API Council + bounded-context owner | Per api-council. |
| Endpoint promotion (Preview → Beta → GA) | API Council + on-call lead + CTO | Per api-council gate 3. |
| Endpoint deprecation | API Council via RFC | Per deprecation-policy. |
| New bounded context | API Council via RFC + ≥ 3 reviewers including ≥ 2 affected contexts | Per bounded-contexts. |
| Capacity-stage transition | Platform owner + CTO | Per capacity-plan. |
| Production-incident severity declaration | On-call primary (initial), revisable by manager on-call | Per severity-matrix. |
| Customer comms during incident | Manager on-call (drafts) + CTO (approves SEV1 communications) | Per incident-comms. |
| KMS key rotation | Authority owner + CTO (m-of-n approval for genesis ceremony) | Per apps/docs/content/docs/runbooks/audit-genesis-ceremony.mdx (lands P3.5). |
| GDPR Article 17 erasure | Authority owner + bounded-context owner of affected data | Per retention. |
| Customer SLA credit issuance | Customer Success + Engineering lead | Per sla. |
| Customer tier migration (shared → dedicated) | Platform owner + Customer Success | Per capacity-plan Stage 4. |
Cross-context PR review
A PR that crosses bounded contexts (e.g., a change to @repo/database that affects how @matter/equity-math reads the ShareLedgerEntry table) requires:
- Primary review by the owner of each affected context.
- Architecture-test pass for cross-context import rules.
- Spec PR first if any endpoint shape changes.
The CI gate enforces that PRs touching multiple contexts cannot merge without a "ack" comment from each affected context's owner.
Hiring and handover
When a new engineer is hired into a context:
- They join the context's rotation as a shadow for 4 weeks. They attend Council reviews, observe on-call, read past post-mortems.
- They take primary on-call (with secondary live-paired) for 2 weeks.
- They become eligible to act as secondary independently.
- After 3 months of context contributions, they become eligible to act as primary independently.
When a primary departs:
- Secondary becomes primary immediately.
- A new secondary is named (from the context's rotation or by promotion).
- The departing primary records a handover doc at
apps/docs/internal/handovers/<context>-<yyyy-mm-dd>.mdxcovering: known issues, in-flight work, undocumented tribal knowledge, relationships with external vendors / providers. - The departing primary remains available for questions for 30 days.
Why this matters
Three reasons.
- Bus factor. Every context has at least two engineers who can run it. Departures do not break the platform.
- SOC 2 CC1 (Control Environment). Ownership matrix is part of the evidence pack. Customers' auditors will ask.
- Customer trust. A customer in an incident wants to know who is on the hook. The escalation path lets them ask the right questions.
See also
- API Council — where context owners gather.
- Handover protocol — weekly on-call handover.
- Severity matrix — what each severity triggers.
- Incident communications — customer-facing templates.