# Incident Response Plan

**Owner:** CTO · **Effective:** 2026-05-28 · **Review:** annual + post-incident

## 1. Definitions
- **P1 (Critical):** confirmed data breach, Plaid token compromise, prod outage >30 min.
- **P2 (High):** suspected unauthorized access, partial outage, failed key rotation.
- **P3 (Medium):** vulnerability disclosure, isolated bug exposing limited data.
- **P4 (Low):** scanner findings, near-misses.

## 2. Roles (on-call rotation)
- **Incident Commander (IC):** runs the incident, single decision-maker.
- **Communications Lead:** customer + regulator + Plaid notifications.
- **Tech Lead:** investigation, containment, forensics.
- **Scribe:** timeline in shared doc.

## 3. Lifecycle

### 3.1 Detect (0–15 min)
Sources: Sentry alerts, Supabase auth anomalies, customer reports, Plaid webhook anomalies, security@billslash.app inbox.

### 3.2 Triage (≤1 h)
IC declares severity, opens `#inc-YYYYMMDD` channel, starts timeline.

### 3.3 Contain (≤4 h for P1/P2)
- Revoke suspected sessions (mass `auth.admin.signOut`).
- Rotate compromised secrets (`secrets--update_secret` + redeploy).
- For Plaid token compromise: call `/item/remove` for affected items, rotate pgsodium key, force re-link.
- Disable affected feature flags.

### 3.4 Eradicate & Recover
- Patch root cause; deploy with expedited review (still requires 1 reviewer).
- Restore data from PITR if needed.
- Verify clean state before re-enabling.

### 3.5 Notify
- **Affected customers:** email within 72 h of confirmation (P1).
- **Plaid:** notify within 24 h of confirmed token compromise per Plaid DPA, via security@plaid.com.
- **Regulators:** as required (GDPR 72 h, US state laws per applicable statute).
- **Public disclosure:** status page update for any user-visible outage.

### 3.6 Post-mortem (≤10 business days)
Blameless write-up: timeline, root cause, contributing factors, action items (owner + due date). Reviewed by full eng team; action items tracked to completion.

## 4. Contacts
- Security inbox: security@billslash.app
- Plaid security: security@plaid.com
- Supabase support: enterprise channel
- Cloudflare: dashboard incident tickets

## 5. Tabletop Exercise
Semi-annual; one scenario must cover Plaid token compromise.

## 6. Evidence Preservation
Snapshot DB + capture relevant logs to read-only bucket within 24 h of P1/P2 declaration. Retain ≥1 year.
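A helper for the evidence bundle required above, as an added example (not part of this plan or of any BillSlash tooling): it hashes each captured artifact, records whether capture met the 24 h window and when the 1-year retention ends, and lets a reviewer re-verify the bundle later. Artifact names and contents are constructed sample data; `inc-20260601` is a placeholder incident id.

```python
# Added example, not the plan's own tooling. Sample artifacts are constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone

CAPTURE_WINDOW = timedelta(hours=24)   # section 6: capture within 24 h of declaration
RETENTION = timedelta(days=365)        # section 6: retain >= 1 year


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(incident_id: str, declared_at: datetime, captured_at: datetime,
                   artifacts: dict[str, bytes]) -> dict:
    """Hash every artifact and record the timing facts the plan requires."""
    if captured_at < declared_at:
        raise ValueError("capture time precedes incident declaration")
    entries = {name: {"sha256": sha256_hex(data), "bytes": len(data)}
               for name, data in sorted(artifacts.items())}
    manifest = {
        "incident_id": incident_id,
        "declared_at": declared_at.isoformat(),
        "captured_at": captured_at.isoformat(),
        "within_capture_window": captured_at - declared_at <= CAPTURE_WINDOW,
        "retain_until": (declared_at + RETENTION).isoformat(),
        "artifacts": entries,
    }
    # Digest over the canonical JSON of the entries; keep this value out of band
    # (e.g. in the incident timeline) so the manifest itself can be checked.
    manifest["manifest_sha256"] = sha256_hex(json.dumps(entries, sort_keys=True).encode())
    return manifest


def verify_bundle(manifest: dict, artifacts: dict[str, bytes]) -> list[str]:
    """Return names of artifacts that are missing or whose hash no longer matches."""
    return [name for name, entry in manifest["artifacts"].items()
            if artifacts.get(name) is None or sha256_hex(artifacts[name]) != entry["sha256"]]


# Constructed sample bundle: a log capture per detection source and a DB snapshot placeholder.
SAMPLE_ARTIFACTS = {
    "sentry-alerts.jsonl": b'{"ts":"2026-06-01T09:02:11Z","level":"error","msg":"auth anomaly"}\n',
    "supabase-auth.log": b"2026-06-01T09:01:58Z user=u_123 event=login_failed ip=198.51.100.7\n",
    "db-snapshot.sql.gz": b"\x1f\x8b\x08constructed-placeholder",
}
DECLARED = datetime(2026, 6, 1, 9, 30, tzinfo=timezone.utc)
CAPTURED = datetime(2026, 6, 1, 20, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(build_manifest("inc-20260601", DECLARED, CAPTURED, SAMPLE_ARTIFACTS), indent=2))
```

Store the manifest beside the artifacts in the read-only bucket and run `verify_bundle` before the post-mortem and again before any retention review.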