8 controls
Operational across the product, the underlying platform, and the engineering team.
- 01. Defined incident response lifecycle: triage, contain, eradicate, recover, document
- 02. Automated daily database snapshots with 7-day retention; Point-in-Time Recovery to 2-minute granularity available on demand
- 03. Quarterly internal security review with dated evidence records and risk-register update
- 04. Escalation flow defined: engineer to Lead Engineer to CEO for any incident with customer impact
- 05. Customer notification of impacting incidents through the contractual channel of record, coordinated by the CEO
- 06. Post-incident review for every customer-impacting incident; outputs feed continuous improvement
- 07. Documented backup and restore procedure with quarterly verification exercises
- 08. Continuous improvement loop tied to internal review findings, incident outcomes, and external research