Incident Response
We maintain a formal incident response plan with defined severity levels and response time commitments.
Severity Levels
| Level | Name | Definition |
|---|---|---|
| P1 | Critical | Complete platform outage or confirmed data breach |
| P2 | High | Major feature degraded for multiple customers |
| P3 | Medium | Single customer impacted or non-critical feature broken |
| P4 | Low | Cosmetic issues or minor performance degradation |
Response Time Commitments
| Severity | Initial Response | Status Updates | Target Resolution |
|---|---|---|---|
| P1 — Critical | 15 minutes | Every 30 minutes | 4 hours |
| P2 — High | 30 minutes | Every 2 hours | 8 hours |
| P3 — Medium | 4 hours | Every 24 hours | 72 hours |
| P4 — Low | Next business day | As needed | Next release cycle |
Notification Process
- Detection — Automated monitoring detects anomalous activity or system failure
- Containment — Affected systems are isolated to prevent further impact
- Assessment — Full scope of impact is determined
- Notification — Affected customers and regulators are notified per GDPR within 72 hours
- Remediation — Root cause is fixed and preventive measures implemented
- Post-Mortem — Full review with corrective actions documented and shared
GDPR 72-Hour Breach Notification
Under GDPR Article 33, personal data breaches are reported to the relevant supervisory authority within 72 hours. Affected data subjects are notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.