Security

Incident Response

This page summarizes current incident-response posture for buyer review. It is not a formal SLA, legal notice, or warranty.

Intake

Reports enter through security@gpcguard.app, support, internal monitoring, or operator review.

Severity review

Triage prioritizes authentication bypass, cross-tenant access, exposed secrets, decision-record integrity, and production availability.

Containment

Potential containment actions include disabling affected keys, pausing a route, rotating secrets, tightening rules, or deploying a narrow hotfix.

Customer communication

If customer data or service integrity may be affected, GPCGuard will contact impacted account holders using available account contacts.

Incident Categories Reviewed First

  • Authentication bypass, session confusion, or service-role exposure.
  • Cross-tenant access to sites, API keys, decision records, analytics, or billing state.
  • Loss or corruption of GPC decision evidence for processed requests.
  • Availability impact on the public GPC endpoint or customer dashboard.
  • Unexpected exposure of personal data, secrets, or sensitive operational metadata.

Current Limitations

  • No formal incident response SLA is currently published for self-serve plans.
  • No SOC 2, ISO 27001, or independent incident-readiness certification is currently claimed.
  • Enterprise notification requirements can be addressed in a signed agreement.