Security Incident Response Policy

Last updated: March 3, 2026

1. Purpose

This policy establishes the procedures Sentinel follows to detect, respond to, and recover from security incidents that may affect customer data or system integrity.

2. Scope

This policy applies to all systems, services, and data managed by Sentinel, including the web application, backend APIs, database, encrypted backups, and all third-party integrations (Shopify, Meta, Google Ads, Slack, etc.).

3. Incident Classification

SeverityDescriptionResponse Time
CriticalConfirmed data breach, unauthorized access to customer PII, or compromise of encryption keysWithin 1 hour
HighSuspected unauthorized access, credential exposure, or service-wide outage affecting data integrityWithin 4 hours
MediumFailed intrusion attempt, unusual access pattern, or partial service degradationWithin 24 hours
LowMinor policy violation, informational alert, or anomalous log entryWithin 72 hours

4. Detection

Sentinel employs the following detection mechanisms:

5. Response Procedures

5.1 Identification

  1. Confirm the incident is genuine (not a false positive)
  2. Classify severity per the table above
  3. Document initial findings: timestamp, affected systems, scope of impact

5.2 Containment

  1. Isolate affected systems or revoke compromised credentials immediately
  2. Rotate Fernet encryption keys and JWT secret if credential compromise is suspected
  3. Deactivate affected platform connections (OAuth tokens)
  4. Deploy patches or configuration changes to prevent further exploitation

5.3 Notification

5.4 Eradication & Recovery

  1. Remove the root cause of the incident
  2. Restore from encrypted backups if data integrity is compromised (daily Fernet-encrypted backups retained for 7 days)
  3. Re-verify all active platform connections and OAuth tokens
  4. Confirm system integrity before restoring full service

5.5 Post-Incident Review

  1. Conduct a post-mortem within 5 business days
  2. Document root cause, timeline, and remediation steps
  3. Update security controls and this policy as needed
  4. Retain incident records for a minimum of 2 years

6. Data Protection Measures

7. Contact

To report a security incident or vulnerability, contact: security@trysignal.co