# Incident response policy

**Version:** 1.0
**Effective date:** 2026-04-17

## 1. Scope

Any event that affects, or could affect, the confidentiality, integrity, or availability of customer data or Frameboard services. Covers: data breach, credential compromise, availability incident, malicious insider activity, accidental data exposure.

## 2. Severity levels

| Severity | Definition | Examples |
|---|---|---|
| SEV-1 | Confirmed exposure of customer data; full service outage | Unauthorised read of another customer's proposals; production DB compromised |
| SEV-2 | Suspected exposure; major feature outage affecting many customers | Repeated 5xx errors on proposals-generate for >30 min; suspicious login bursts |
| SEV-3 | Single-customer impact; moderate bug | One customer reports seeing another customer's non-sensitive metadata (escalate to SEV-1 if proposal content or personal data is involved) |
| SEV-4 | Low-impact bug with security flavour | Rate limit not kicking in as designed |

## 3. Detection channels

- Error reporter (wired into `/js/error-reporter.js`, posts to our log)
- Netlify deploy/function logs
- Stripe fraud alerts
- Customer reports via `security@myframeboard.app`
- External vulnerability reports from researchers (coordinated disclosure; see section 7)

## 4. Response workflow

1. **Acknowledge** (within 30 minutes during UK business hours, 4 hours outside)
   - Incident commander (founder by default) confirms receipt in the incident log
   - Severity assigned

2. **Contain**
   - Stop the bleeding: revoke keys, disable endpoints, roll back deploys
   - Preserve evidence before destructive containment where possible: export logs, snapshot Airtable tables if relevant, and record the deploy/commit being rolled back (a rollback or key revocation can destroy the state you need for the investigation; only skip this when data is actively leaking)

3. **Investigate**
   - Identify root cause, scope of data affected, timeline
   - Engage any relevant sub-processors (Netlify, Stripe, Airtable support)

4. **Notify**
   - Supervisory authority (ICO for UK data) notified within **72 hours** of becoming aware of a SEV-1 personal-data breach, per UK GDPR Article 33, unless the breach is unlikely to result in a risk to individuals; the decision and its reasoning are recorded in the incident log either way, with content and timing reviewed against legal advice
   - Affected customers notified without undue delay for SEV-1/2, per Article 34 (and, where we process data on a customer's behalf, Article 33(2)); the 72-hour clock runs from awareness, not from confirmation of root cause
   - Email + in-app banner

5. **Eradicate + recover**
   - Deploy fix; verify with tests; monitor for recurrence

6. **Postmortem**
   - Blameless writeup within 5 working days of resolution
   - Stored in `docs/security/incidents/YYYY-MM-DD-<slug>.md`
   - Action items tracked to closure

## 5. Customer notification template

Template lives in `docs/security/templates/incident-notification.md` (to be filled when needed). Contents:

- What happened
- What data was affected
- What we've done
- What you should do
- Our timeline for the next update
- How to contact us with questions

## 6. Exercises

Tabletop incident exercise every quarter. Rotating scenarios:

- Q1: credential leak (GitHub push of `.env`)
- Q2: Airtable personal account compromise
- Q3: DDoS against `/signup`
- Q4: rogue npm package in dependencies

Exercise summaries logged in `docs/security/exercises/`.

## 7. External reporting

- Vulnerability reports: `security@myframeboard.app`, acknowledged within 1 working day
- No bug bounty programme at current scale; we credit researchers publicly (with their consent) and may offer store credit at our discretion
- Law enforcement liaison only on legal advice
