Incident Response
HarborGuard takes incident response seriously even at this early stage. The commitments and targets below describe how we intend to handle security and availability incidents today; they will be hardened, exercised, and audited as the product matures.
Notification commitments
| Event | Customer notification target |
|---|---|
| Confirmed security incident affecting customer data | Within 72 hours of confirmation, in line with GDPR Art. 33 / CCPA equivalents |
| Confirmed personal-data breach | Without undue delay; in any event within 72 hours |
| Material service degradation | Direct email to billing contacts for incidents lasting more than one hour. A public status page is on the roadmap. |
| Sub-processor incident with customer-data impact | Same 72-hour clock once HarborGuard is notified |
Notifications go to the workspace's designated security contact and billing contact. Enterprise customers may nominate additional addresses.
Severity classification
| Severity | Definition | Examples | Initial response target |
|---|---|---|---|
| SEV-1 | Confirmed unauthorized access to customer data, or full service outage | Tenant isolation breach, credential exfiltration, prolonged complete outage | Engage on-call within 15 minutes |
| SEV-2 | Significant degradation or near-miss with no confirmed data exposure | Single-region degradation, scanner pipeline stalled for multiple customers | Engage on-call within 30 minutes |
| SEV-3 | Localized issue, single-customer or single-feature impact | Single workspace cannot trigger a scan, isolated UI regression | Acknowledge within one business hour |
| SEV-4 | Cosmetic, latent, or single-user issue | Typo, low-priority UX bug | Triaged on next business day |
Lifecycle
- Detect — automated monitoring, customer reports to security@harborguard.co, or third-party disclosure.
- Triage and classify — severity and scope determined by the on-call engineer.
- Contain — isolate affected systems, rotate credentials, revoke sessions as needed.
- Notify — start the customer-notification clock at confirmation, not at detection of an unconfirmed signal.
- Eradicate and recover — patch, redeploy, restore from clean backups if needed.
- Post-incident review — root-cause analysis and corrective actions tracked to closure.
Post-incident reports
For SEV-1 and SEV-2 incidents with customer impact, affected customers receive a written post-incident report containing:
- A factual timeline (detection → containment → recovery).
- Scope: which data, customers, and systems were affected.
- Root cause.
- Corrective and preventative actions, with target dates.
Reports are shared under the same NDA that will cover audit reports once those programs begin.
Reporting an incident to HarborGuard
If you believe you have observed an incident involving HarborGuard:
- Email security@harborguard.co (preferred — see Vulnerability Disclosure).
- Include the workspace ID, time window, and any relevant request IDs.
- For active exploitation, mark the email subject [URGENT - SEV1] and we will engage on-call immediately.