Trust Center

Your trust is our foundation.

At a Glance

  • Hosting: Vercel (Frontend + Edge Functions)
  • Database: Supabase (PostgreSQL, US-based)
  • Encryption: TLS 1.3 in transit; hashed and salted at rest
  • Retention: Draft data stored for 30 days, PIN-secured
  • PII Storage: No PII stored beyond a salted street address
  • Framework: Next.js 14, React Server Components

Incident Response Policy

AlwaysDisclose.com
Version: 1.0
Last Updated: 2025-06-19

1. Purpose

This policy establishes the process by which AlwaysDisclose.com detects, investigates, contains, communicates, and remediates security incidents that may impact the confidentiality, integrity, or availability of customer data or internal systems, including any exposure of regulated or sensitive information.

2. Scope

This policy applies to all production systems (Vercel-hosted frontend/backend, Supabase data store, GitHub repository), employee devices, and third-party services that support disclosure workflows or data aggregation.

3. Roles and Responsibilities

  • Incident Commander (IC): Oversees incident response (default: CTO)
  • Security Lead: Coordinates technical investigation
  • Communications Lead: Prepares external/internal statements
  • Legal/DPO: Assesses breach notification obligations
  • External Contacts:
    • Vercel Support
    • Supabase Support
    • Legal Counsel

4. Detection

Incident triggers may include:

  • Alert from Sentry, Supabase audit logs, or Vercel logs
  • Unusual access patterns or rate limits
  • Reports to security@alwaysdisclose.com
  • Suspicious GitHub activity or leaked keys

All alerts are triaged within 30 minutes and, if validated, an incident channel is created in Slack (#inc-YYYYMMDD).

5. Classification

Incidents are assigned severity levels from 0 (informational) to 4 (breach confirmed). Any incident involving unauthorized access to unencrypted PII or disclosure answers, even temporarily, is Level 4.

6. Response Procedures

  • Containment: Revoke affected tokens, firewall IPs, disable routes/functions, disable log exports
  • Eradication: Patch misconfigurations, rotate credentials, restore from known-good deploy
  • Recovery: Deploy verified patch, test system integrity, confirm headers (HSTS, no-store) in place
  • Notification:
    • California residents: “Most expedient time”
    • Other states: ≤ 45 days unless law enforcement delay
    • FTC (if ≥500 affected): Notify within 30 days
    • Future GDPR scope: Notify DPA within 72 hours

7. Post-Incident

Within 5 business days, a full post-mortem is completed, including:

  • Timeline of events
  • Root cause analysis
  • Corrective actions
  • Ticket(s) created and tracked
  • Evidence retained for 12 months
  • Plan updated if gaps were identified

8. Testing and Maintenance

This policy is reviewed annually or after any major incident. A tabletop exercise is conducted at least once per year to validate team readiness and toolchains.
Approved by: Travis French, Founder
Next Review Date: 2026-06-01

Data Flow Diagram

Below is our Level 1 data flow showing how answers move (and where street addresses are salted & hashed, plus our 30-day PIN flow).

Responsible Disclosure

If you discover a security issue in our systems, please email security@alwaysdisclose.com. We’ll acknowledge within 2 business days and keep you updated until it’s fixed.