Effective: May 30, 2026

Incident Response Policy

When something goes wrong, customers deserve to know quickly and accurately. This policy documents how we detect, classify, contain, and communicate incidents.

Severity ladder

SEV-1 (Critical)
  • Confirmed unauthorized access to customer data
  • Platform-wide outage > 30 minutes
  • Loss of integrity of customer data
Customer notification: Within 4 hours of confirmation; SOC at every status change
SEV-2 (High)
  • Single-tenant outage or significant degradation
  • Authentication regression affecting a subset of customers
  • Vulnerability with a public exploit (no confirmed access)
Customer notification: Within 1 business day; status page update
SEV-3 (Medium)
  • Partial feature degradation
  • Vulnerability with no known exploit
  • Subprocessor incident with limited impact
Customer notification: Status page update within 3 business days
SEV-4 (Low)
  • Minor bugs without security or availability impact
  • Cosmetic regressions
Customer notification: Tracked in changelog

Lifecycle

  1. Detect
     Centralized logging, error monitoring, and customer reports.
  2. Triage & classify
     On-call engineer assigns severity within 30 minutes.
  3. Contain
     Rotate keys, revoke sessions, scope the blast radius.
  4. Communicate
     Affected customers notified per the severity ladder above.
  5. Eradicate & recover
     Root-cause fix deployed via reviewed pull request.
  6. Post-mortem
     Blameless write-up for SEV-1 and SEV-2 published within 14 days.

Customer notification commitment

For any confirmed personal data breach, we will notify affected customers without undue delay and in any case within 72 hours of becoming aware. The notice includes the information listed in GDPR Article 33(3) (the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed) to the extent it is available at that time, so that customers can meet their own notification obligations. The 72-hour window is an upper bound: a breach that meets the SEV-1 criteria above follows the 4-hour target in the severity ladder.

Status & history

Public incidents are published as they are confirmed. Subscribe to updates by emailing security@digitalbar.ai with subject "subscribe status".