Incident Response Plan
Version: 1.0 · Effective: July 14, 2026 · Owner: Security Lead On-call: engmartin@ecopowerhub.ai · 24/7 monitored
1. Definitions
- Event — anything unusual (e.g. spike in 500s, failed logins). Logged, not necessarily actioned.
- Incident — confirmed impact to CIA of Company or customer data.
- Breach — an incident involving unauthorized access to personal data. Regulator-notifiable.
2. Severity levels
| Sev | Definition | Response time | Comms | | --- | --- | --- | --- | | SEV-1 | Prod down, data loss, active exploit | Immediate, 24/7 | Status page + email to affected customers within 4 h | | SEV-2 | Degraded service, single-tenant data exposure | < 2 h | Status page | | SEV-3 | Minor bug, no data at risk | Next business day | Release notes |
3. Lifecycle (NIST 800-61)
- Prepare — this plan, on-call rota, runbooks, Sentry +
security_eventsdashboard. - Detect — Sentry alerts, Supabase logs,
/securitydashboard, customer report atengmartin@ecopowerhub.ai. - Analyze — Incident commander opens a war-room note (private), assigns severity, scope, and impacted data classes.
- Contain — rotate compromised keys, revoke sessions, block IPs via rate-limit table, disable feature flag if applicable.
- Eradicate — patch root cause, deploy fix, add regression test.
- Recover — restore service, validate via smoke tests (
/admin/smoke-test), monitor 24 h. - Post-mortem — blameless RCA within 5 business days, action items tracked in risk register.
4. Roles during an incident
- Incident Commander (IC): decides, delegates, owns the timeline. Default: Security Lead.
- Communications Lead: customer + regulator messaging.
- Scribe: timestamped log of every action.
- Engineer(s): hands-on remediation.
5. External notifications
| Trigger | Recipient | Deadline | | --- | --- | --- | | Personal-data breach (GDPR) | Lead supervisory authority | 72 hours | | Personal-data breach (high risk) | Affected data subjects | Without undue delay | | Payment card exposure | Stripe + card brands | 24 hours | | US state breach laws | State AGs per applicable law | Per statute (typically 30–60 d) |
6. Evidence & forensics
- Preserve logs, DB snapshots, and
audit_logsfor at least 1 year post-incident. - Do not alter compromised systems until snapshots are taken.
7. Testing
- Tabletop exercise every 6 months.
- Restore-from-backup drill every 6 months.
- Results and gaps captured in the risk register.
8. Contact tree
- Security Lead / CEO: engmartin@ecopowerhub.ai
- Legal: engmartin@ecopowerhub.ai (external counsel on retainer)
- Supabase / Cloudflare / Stripe: enterprise support portals (creds in 1Password vault "Vendor Support")
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.