Security Incident Response Policy
Last updated: March 3, 2026
1. Purpose
This policy establishes the procedures Sentinel follows to detect, respond to, and recover from security incidents that may affect customer data or system integrity.
2. Scope
This policy applies to all systems, services, and data managed by Sentinel, including the web application, backend APIs, database, encrypted backups, and all third-party integrations (Shopify, Meta, Google Ads, Slack, etc.).
3. Incident Classification
| Severity | Description | Response Time |
| Critical | Confirmed data breach, unauthorized access to customer PII, or compromise of encryption keys | Within 1 hour |
| High | Suspected unauthorized access, credential exposure, or service-wide outage affecting data integrity | Within 4 hours |
| Medium | Failed intrusion attempt, unusual access pattern, or partial service degradation | Within 24 hours |
| Low | Minor policy violation, informational alert, or anomalous log entry | Within 72 hours |
4. Detection
Sentinel employs the following detection mechanisms:
- Application-level logging of all authentication events (login, failed login, token refresh)
- Rate limiting on all API endpoints via SlowAPI
- Monitoring of OAuth token health and credential access patterns
- Railway platform monitoring for infrastructure-level anomalies
- Automated health checks at
/api/health
5. Response Procedures
5.1 Identification
- Confirm the incident is genuine (not a false positive)
- Classify severity per the table above
- Document initial findings: timestamp, affected systems, scope of impact
5.2 Containment
- Isolate affected systems or revoke compromised credentials immediately
- Rotate Fernet encryption keys and JWT secret if credential compromise is suspected
- Deactivate affected platform connections (OAuth tokens)
- Deploy patches or configuration changes to prevent further exploitation
5.3 Notification
- Affected users: Notified within 72 hours of confirmed breach via email
- Shopify: Notified per Shopify Partner Program requirements
- Regulatory authorities: Notified as required by applicable data protection laws (GDPR, CCPA)
5.4 Eradication & Recovery
- Remove the root cause of the incident
- Restore from encrypted backups if data integrity is compromised (daily Fernet-encrypted backups retained for 7 days)
- Re-verify all active platform connections and OAuth tokens
- Confirm system integrity before restoring full service
5.5 Post-Incident Review
- Conduct a post-mortem within 5 business days
- Document root cause, timeline, and remediation steps
- Update security controls and this policy as needed
- Retain incident records for a minimum of 2 years
6. Data Protection Measures
- All credentials stored with Fernet symmetric encryption (AES-128-CBC + HMAC)
- Database backups encrypted daily and retained for 7 days
- JWT tokens with configurable expiration (HS256)
- Passwords hashed with bcrypt (cost factor 12)
- HTTPS enforced for all communications
- CORS restricted to configured origins only
7. Contact
To report a security incident or vulnerability, contact: security@trysignal.co