# Incident Response Plan — Billslash, Inc.

**Version:** 1.0  
**Owner:** Security Lead  
**Last reviewed:** May 28, 2026  
**Next review:** Annually, or after any Severity 1 incident.

---

## 1. Purpose & scope

This plan defines how Billslash, Inc. ("we") detects, classifies, contains,
eradicates, recovers from, and learns from security incidents affecting the
Billslash Reach platform, customer data, or supporting infrastructure
(Lovable Cloud / Supabase, Cloudflare, Stripe, Resend, GitHub).


It applies to all employees, contractors, and third parties with access to
production systems or customer data.

## 2. Roles

| Role | Responsibility |
|---|---|
| **Incident Commander (IC)** | Single decision-maker for the incident. Coordinates the response. Default: Security Lead; on-call rotation otherwise. |
| **Technical Lead** | Drives containment and eradication. |
| **Communications Lead** | Drafts customer, regulator, and public communications. |
| **Scribe** | Maintains the timeline in the incident channel. |
| **Legal/Privacy** | Determines breach-notification obligations (CCPA, GDPR, state laws, contractual). |

## 3. Severity classification

| Severity | Definition | Response time |
|---|---|---|
| **SEV-1** | Confirmed unauthorized access to production data, ransomware, exposed secrets in public, or service outage > 1h | Page within 15 min, 24×7 |
| **SEV-2** | Suspected compromise, partial outage, single-tenant data exposure | Within 1h, business hours + on-call |
| **SEV-3** | Vulnerability with no evidence of exploitation, dependency CVE, suspicious activity | Within 1 business day |
| **SEV-4** | Informational, policy violation, low-risk finding | Within 5 business days |

## 4. Lifecycle

### 4.1 Detection
Sources: Sentry alerts, Lovable Cloud / Supabase auth & DB logs, Cloudflare
WAF logs, Stripe Radar, GitHub secret scanning, dependency scanner, user
reports to `security@billslash.app`.

### 4.2 Triage (≤ 30 min for SEV-1/2)
1. Open a private incident channel `#inc-YYYYMMDD-<slug>`.
2. Assign IC, Tech Lead, Scribe, Comms Lead.
3. Assign severity.
4. Start the running timeline (UTC timestamps).

- Rotate any leaked secrets immediately (`SUPABASE_SERVICE_ROLE_KEY`, Stripe
  keys, Resend, OAuth client secrets).

  keys, Plaid keys, Resend, OAuth client secrets).
- Revoke compromised user/admin sessions in Supabase Auth.
- Disable affected feature flags / `/api/public/*` endpoints if needed.
- Block hostile IPs at Cloudflare.
- Snapshot affected database tables for forensics before any destructive change.

### 4.4 Eradication
- Patch the root cause (code, config, dependency).
- Remove malicious data, accounts, or persistence.
- Confirm logs no longer show indicators of compromise.

### 4.5 Recovery
- Restore service from clean state.
- Force password reset / MFA re-enrollment for affected users.
- Monitor closely for 48h post-recovery.

### 4.6 Notification
| Audience | Trigger | Deadline |
|---|---|---|
| Affected customers (controllers) | Confirmed personal-data breach affecting their data | Without undue delay; **≤ 72h** of confirmation (GDPR-aligned) |
| Other state regulators | Per applicable state breach-notification statute | Per statute |
| Plaid | Any incident affecting Plaid-connected end-user data or access tokens | Per Plaid Developer Policy |
| Stripe / Resend / sub-processors | When the incident touches their service | Without undue delay |

The Comms Lead drafts notifications; Legal approves before send.

### 4.7 Post-incident review (within 10 business days of SEV-1/2)
- Blameless postmortem document: timeline, root cause, contributing factors,
  what worked, what didn't, action items with owners and due dates.
- Action items are tracked to closure and reviewed monthly.

## 5. Evidence & retention

- All incident channels, timelines, postmortems, and forensic artifacts are
  retained for **5 years** in a restricted-access location.
- Chain of custody is documented for any evidence that may be shared with law
  enforcement or regulators.

## 6. Contacts

- Internal escalation: `security@billslash.app`, on-call PagerDuty rotation.
- Lovable Cloud / Supabase: support channel.
- Cloudflare: enterprise support.
- Plaid: `security@plaid.com`.
- External counsel: (firm name, 24×7 number).
- Cyber insurance carrier: (carrier name, claims number).

## 7. Testing

- Tabletop exercise: **annually**.
- Backup restore drill: **quarterly**.
- Secret-rotation drill: **semi-annually**.

---

_This document is confidential and intended for internal use by Billslash personnel and authorized auditors only._
