Compliance Center

Security & Compliance Program

Policies, risk register, and vendor assessments that govern how EcoService Pro protects customer data. This page is maintained by EcoPowerHub AI LLC for prospects, auditors, and internal review. For disclosures contact engmartin@ecopowerhub.ai.

Incident Response Plan

Version: 1.0 · Effective: July 14, 2026 · Owner: Security Lead On-call: engmartin@ecopowerhub.ai · 24/7 monitored

1. Definitions

  • Event — anything unusual (e.g. spike in 500s, failed logins). Logged, not necessarily actioned.
  • Incident — confirmed impact to CIA of Company or customer data.
  • Breach — an incident involving unauthorized access to personal data. Regulator-notifiable.

2. Severity levels

| Sev | Definition | Response time | Comms | | --- | --- | --- | --- | | SEV-1 | Prod down, data loss, active exploit | Immediate, 24/7 | Status page + email to affected customers within 4 h | | SEV-2 | Degraded service, single-tenant data exposure | < 2 h | Status page | | SEV-3 | Minor bug, no data at risk | Next business day | Release notes |

3. Lifecycle (NIST 800-61)

  1. Prepare — this plan, on-call rota, runbooks, Sentry + security_events dashboard.
  2. Detect — Sentry alerts, Supabase logs, /security dashboard, customer report at engmartin@ecopowerhub.ai.
  3. Analyze — Incident commander opens a war-room note (private), assigns severity, scope, and impacted data classes.
  4. Contain — rotate compromised keys, revoke sessions, block IPs via rate-limit table, disable feature flag if applicable.
  5. Eradicate — patch root cause, deploy fix, add regression test.
  6. Recover — restore service, validate via smoke tests (/admin/smoke-test), monitor 24 h.
  7. Post-mortem — blameless RCA within 5 business days, action items tracked in risk register.

4. Roles during an incident

  • Incident Commander (IC): decides, delegates, owns the timeline. Default: Security Lead.
  • Communications Lead: customer + regulator messaging.
  • Scribe: timestamped log of every action.
  • Engineer(s): hands-on remediation.

5. External notifications

| Trigger | Recipient | Deadline | | --- | --- | --- | | Personal-data breach (GDPR) | Lead supervisory authority | 72 hours | | Personal-data breach (high risk) | Affected data subjects | Without undue delay | | Payment card exposure | Stripe + card brands | 24 hours | | US state breach laws | State AGs per applicable law | Per statute (typically 30–60 d) |

6. Evidence & forensics

  • Preserve logs, DB snapshots, and audit_logs for at least 1 year post-incident.
  • Do not alter compromised systems until snapshots are taken.

7. Testing

  • Tabletop exercise every 6 months.
  • Restore-from-backup drill every 6 months.
  • Results and gaps captured in the risk register.

8. Contact tree

  • Security Lead / CEO: engmartin@ecopowerhub.ai
  • Legal: engmartin@ecopowerhub.ai (external counsel on retainer)
  • Supabase / Cloudflare / Stripe: enterprise support portals (creds in 1Password vault "Vendor Support")

Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.