Incident Response Plan

Last updated: 2026-04-28

Audience: FleyeMaps engineering and operations staff. Customers receive notifications per the Privacy Policy and contractual SLAs.

This is a one-page operational plan. The full SOC 2 IR procedure lives in the internal runbook (OPERATIONS-HANDOFF.md §17).

Severity levels

| Severity | Definition | Initial response |
|---|---|---|
| SEV-1 | Confirmed customer-data breach, sustained platform outage (>15 min), or active compromise of platform-admin credentials | Page on-call within 5 min |
| SEV-2 | Single-tenant outage, suspected (unconfirmed) data exposure, partial degradation of a critical subsystem (Stripe, Postgres, Graph email) | Page on-call within 15 min |
| SEV-3 | Non-critical degradation (Redis cache miss spike, SMS provider elevated error rate, single-customer SSO failure) | Slack channel within 1 business hour |
| SEV-4 | Cosmetic / non-blocking | Open ticket; bundle with the next deploy |

Roles

  • Incident Commander (IC) — owns the response. Routes work, declares severity, decides when to notify customers.
  • Communications Lead — drafts customer-facing language, posts to status page (/status), sends email to affected tenants.
  • Tech Lead — leads investigation and remediation. Pairs with the IC.
  • Scribe — records timeline in the incident channel; converts to post-mortem after resolution.

Process

  1. Detect — page from Application Insights, customer ticket, security@ inbox, or an internal report.
  2. Triage — IC declares severity, opens an incident channel (#inc-YYYYMMDD-N), pages required roles.
  3. Contain — first priority. For data breach: revoke affected sessions/tokens, rotate secrets, block compromised IPs at Cloudflare WAF, suspend affected tenants if needed.
  4. Notify — for SEV-1/2 with confirmed customer impact: post to /status within 30 minutes; send breach notification to affected tenant admins within 72 hours of confirmation (GDPR Art. 33).
  5. Eradicate & recover — fix the root cause; restore service; verify with smoke tests against /api/status.
  6. Post-mortem — within 5 business days. Blameless. Published internally with action items tracked in the issue tracker.

Customer-facing communications

  • Within 30 minutes of SEV-1/2: status page banner (/status) acknowledging the issue.
  • Within 72 hours of confirmed personal-data breach: email to affected tenant admins per GDPR Art. 33; CCPA / state-law equivalents observed.
  • Within 5 business days of resolution: post-mortem summary shared with affected tenants.

Reporting a suspected incident

  • Customers / external researchers: security@fleyemaps.com
  • Internal staff: page the on-call rotation via PagerDuty.
  • For confirmed compromise of platform-admin credentials: also email legal@fleyemaps.com so we can engage outside counsel.

See also: Vulnerability Disclosure Policy, Sub-processor List, Data Retention Policy.