Breach Response Playbook

Severity Tiers
- Sev 1: Confirmed data exfiltration or active compromise
- Sev 2: Suspected compromise; unusual access patterns, high-risk error
- Sev 3: Lower-risk incident (misconfig, minor exposure, no PII)

1) Detect & Triage
- [ ] Capture evidence (logs, timestamps, affected user IDs)
- [ ] Classify severity and scope (systems, data types, regions)

2) Contain
- [ ] Revoke exposed keys/tokens; rotate Stripe/OpenAI secrets
- [ ] Disable impacted accounts or features
- [ ] Add temporary firewall/CORS restrictions if relevant

3) Eradicate & Recover
- [ ] Patch vulnerabilities (rules, code, configs)
- [ ] Restore from last-known-good backup if data integrity is compromised
- [ ] Verify integrity; re-enable systems gradually

4) Notify
- [ ] Internal: founders, engineering, legal
- [ ] External: affected users (if required), regulators (state-specific breach laws)
- [ ] Partners (e.g., Stripe) if transaction data might be impacted

5) Postmortem (within 5 business days)
- Root cause analysis
- Timeline
- What went well / what to improve
- Action items (owners + deadlines)

Contacts
- Security Owner: NAME / EMAIL / PHONE
- Legal Contact: NAME / EMAIL
- Cloud Admin: NAME / EMAIL