Breach Response Policy
Version 2 · Updated
If we discover a data breach, we follow this plan:
1. Contain — credentials are rotated, affected systems are isolated.
2. Assess — scope, data types, affected users.
3. Record — an incident is opened in `/admin/breach-incidents` with all required fields.
4. Notify — affected users and (where required) regulators are notified within the legally mandated window.
5. Resolve — root cause is fixed, post-mortem is written, retention policies updated if needed.
6. Retain — the incident and its append-only `breach_records` are kept for at least 7 years.
For security disclosures, contact security@example.com.