Security Incident Response Policy

Scope

This policy applies to any event that may compromise the confidentiality, integrity, or availability of customer data or platform infrastructure.

Response process

  1. Detection — incidents may surface via automated alerts, customer reports, or internal discovery. All team members are expected to report suspected incidents immediately to letsimmer@toonverbeek.com.
  2. Assessment — within 1 hour of detection, classify severity:
    • P0: data breach, service outage
    • P1: degraded service, potential data exposure
    • P2: security misconfiguration without exposure
  3. Containment — revoke compromised credentials, isolate affected systems, and halt any ongoing damage before proceeding.
  4. Investigation — determine the root cause, the scope of impact, and the affected users and data.
  5. Notification — for P0/P1 incidents affecting customer data, notify affected merchants within 72 hours per GDPR. Shopify requires notification within 24 hours for incidents involving Shopify data.
  6. Remediation — patch root cause, verify fix, restore service.
  7. Post-mortem — within 1 week, document what happened, what we did, and what we'll change to prevent recurrence.

Roles

Review

This policy is reviewed annually or after any P0/P1 incident.