Incident Response Plan
Version 1.0
Effective Date: March 4, 2026
Last Reviewed: March 4, 2026
This Incident Response Plan (IRP) establishes procedures for detecting, containing, eradicating, and recovering from security incidents affecting the Lead Validator Pro platform and the personal data we process on behalf of our customers.
1. Response Phases
Phase 1: Detection
Incidents may be detected through the following channels:
- Automated Monitoring: Security dashboard alerts, login anomaly detection, rate limit triggers, health check failures
- Log Analysis: Security log review (security.log), audit trail anomalies, unusual API access patterns
- External Reports: Customer reports, third-party notifications, responsible disclosure submissions
- System Alerts: Cloudflare WAF alerts, Sentry error tracking, automated health alerts
Action: Log the detection event, assign initial severity level, and notify the Incident Commander.
Phase 2: Containment
Immediate actions to limit the scope and impact of the incident:
- Short-term containment:
  - Revoke compromised credentials and sessions immediately
  - Block malicious IP addresses via Cloudflare
  - Disable affected API keys or user accounts
  - Isolate affected systems from the network if necessary
- Evidence preservation:
  - Capture system logs, database state, and network logs before remediation
  - Create forensic copies of affected systems where applicable
  - Document timeline of events
Phase 3: Eradication
Remove the root cause of the incident:
- Identify and patch the vulnerability or misconfiguration
- Remove malicious code, unauthorized access, or compromised components
- Force password resets for potentially affected accounts
- Update security rules and firewall configurations
- Verify that all attack vectors have been closed
Phase 4: Recovery
Restore systems to normal operation:
- Restore from clean backups if data was corrupted
- Gradually re-enable services with enhanced monitoring
- Verify data integrity through automated checks
- Confirm that all systems are functioning normally
- Implement additional monitoring for recurrence
Phase 5: Notification
Notify affected parties in accordance with applicable law and contractual obligations:
Notification Timelines
- Affected customers (DPA): Within 72 hours of becoming aware of a data breach
- CCPA (California residents): Within 30 days of discovery for breaches affecting 500+ California residents (written notice to individuals)
- State AG notification: As required by applicable state breach notification laws (varies by state; many require 30-60 day notification)
- Law enforcement: When criminal activity is suspected or required by law
2. Severity Levels
| Level | Description | Examples | Response Time | Escalation |
|---|---|---|---|---|
| P1 - Critical | Active data breach, system compromise, or complete service outage affecting all customers | Confirmed PII exfiltration, database compromise, ransomware, unauthorized admin access | Immediate (within 15 min) | CEO, CTO, Legal, affected customers within 72 hrs |
| P2 - High | Potential data exposure, partial service degradation, or targeted attack in progress | Brute force attack succeeding, API key leak, SQL injection attempt succeeding, single-tenant data exposure | Within 1 hour | CTO, Security team, affected customer(s) |
| P3 - Medium | Security vulnerability discovered, failed attack detected, non-critical service issues | Vulnerability in dependency, failed brute force (blocked), intermittent API errors, misconfiguration | Within 4 hours | Security team, Engineering lead |
| P4 - Low | Minor security concern, policy violation, informational alert | Unusual login pattern (resolved), expired certificate warning, non-sensitive log exposure | Within 24 hours | Security team (logged for review) |
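The Detection phase names security.log review and login anomaly detection as channels, and the severity table separates a brute-force run that is blocked (P3) from one that ends in a successful login (P2). The script below is an added example, not part of this plan or of the Lead Validator Pro codebase, showing what that triage looks like over constructed log lines. It assumes a line format of its own (`<ISO-8601 UTC> auth <login_failed|login_success> ip=<addr> user=<name>`), a threshold of 10 failures from one source IP within a 5-minute sliding window, and renders each detection in the shape of the section 4.1 internal alert template.

```python
"""Brute-force login triage over security.log lines (added example).

Assumed log format (an assumption, not the platform's real format):
  <ISO-8601 UTC timestamp> auth <login_failed|login_success> ip=<addr> user=<name>
Severity follows the plan's table: a run of failures that is followed by a
successful login from the same IP is P2; a run that stays blocked is P3.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_success) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)
FAILURE_THRESHOLD = 10          # failures from one IP ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window (assumed tuning)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Detection:
    ip: str
    severity: str        # "P2" or "P3", per the severity table
    description: str     # wording taken from the table's Examples column
    first_seen: datetime
    last_seen: datetime
    failures: int


def parse_line(line):
    """Return (timestamp, event, ip, user) for an auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["event"], m["ip"], m["user"]


def triage(lines):
    """Return one Detection per source IP that crossed the failure threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    total = Counter()             # ip -> all failures seen from that ip
    first = {}                    # ip -> first failure timestamp
    flagged = {}                  # ip -> Detection (P3 until a later success upgrades it)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # non-auth or malformed line: ignored
        ts, event, ip, _user = parsed
        window = recent[ip]
        while window and ts - window[0] > WINDOW:
            window.popleft()      # expire failures older than the window
        if event == "login_failed":
            window.append(ts)
            total[ip] += 1
            first.setdefault(ip, ts)
            if ip in flagged:
                flagged[ip].last_seen, flagged[ip].failures = ts, total[ip]
            elif len(window) >= FAILURE_THRESHOLD:
                flagged[ip] = Detection(ip, "P3", "failed brute force (blocked)",
                                        first[ip], ts, total[ip])
        elif event == "login_success" and ip in flagged and flagged[ip].severity == "P3":
            d = flagged[ip]       # the attacker got in: escalate per the table
            d.severity, d.description, d.last_seen = "P2", "brute force attack succeeding", ts
    return sorted(flagged.values(), key=lambda d: d.severity)


def format_alert(d):
    """Render a detection in the shape of the plan's section 4.1 internal alert."""
    return "\n".join([
        "INTERNAL INCIDENT ALERT",
        f"SEVERITY: {d.severity}",
        f"DETECTED: {d.last_seen.strftime(TS_FMT)}",
        "DETECTED BY: security.log brute-force triage",
        "DESCRIPTION:",
        f"{d.description}: {d.failures} failed logins from {d.ip} "
        f"since {d.first_seen.strftime(TS_FMT)}",
    ])


def sample_lines():
    """Constructed sample security.log content (not a real log); uses TEST-NET addresses."""
    base = datetime(2026, 3, 4, 10, 0, 0)

    def ev(offset_s, event, ip, user):
        return f"{(base + timedelta(seconds=offset_s)).strftime(TS_FMT)} auth {event} ip={ip} user={user}"

    lines = ["2026-03-04T09:59:59Z http GET /api/validate ip=192.0.2.5 status=200"]  # ignored
    lines += [ev(i, "login_failed", "203.0.113.7", "alice") for i in range(12)]
    lines.append(ev(12, "login_success", "203.0.113.7", "alice"))                   # -> P2
    lines += [ev(300 + i, "login_failed", "198.51.100.9", "bob") for i in range(10)]  # -> P3
    lines += [ev(600 + i, "login_failed", "192.0.2.5", "carol") for i in range(3)]
    lines.append(ev(604, "login_success", "192.0.2.5", "carol"))   # typos then success: no alert
    return lines


def run_sample():
    return triage(sample_lines())


if __name__ == "__main__":
    for det in run_sample():
        print(format_alert(det), end="\n\n")
```

The threshold and window are the tuning knobs; the escalation from P3 to P2 is the part worth keeping, because a success after a flagged run is the signal that containment (credential and session revocation, IP block) rather than monitoring is now the right phase.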
3. Incident Response Team
| Role | Responsibilities |
|---|---|
| Incident Commander | Coordinates response, makes containment decisions, manages timeline, approves communications |
| Security Lead | Technical investigation, forensic analysis, vulnerability assessment, evidence preservation |
| Engineering Lead | System remediation, patching, deployment, recovery operations |
| Communications Lead | Drafts customer notifications, coordinates with legal, manages external communications |
| Legal Counsel | Regulatory compliance, breach notification requirements, law enforcement liaison |
4. Communication Templates
4.1 Initial Internal Alert (P1/P2)
INTERNAL INCIDENT ALERT
SEVERITY: [P1/P2/P3/P4]
DETECTED: [Date/Time UTC]
DETECTED BY: [Monitoring system / Person]
DESCRIPTION:
[Brief description of what was detected]
AFFECTED SYSTEMS:
[List of affected systems, services, databases]
AFFECTED DATA:
[Types of data potentially affected]
[Estimated number of records/customers]
INITIAL CONTAINMENT:
[Actions taken immediately]
NEXT STEPS:
[Immediate action items]
INCIDENT COMMANDER: [Name]
WAR ROOM: [Channel/Location]
4.2 Customer Breach Notification (72-hour)
CUSTOMER BREACH NOTIFICATION
Subject: Security Incident Notification - Lead Validator Pro
Dear [Customer Name],
We are writing to inform you of a security incident that
may have affected data processed by Lead Validator Pro on
behalf of your organization.
WHAT HAPPENED:
On [date], we detected [brief description of the incident].
The incident was contained on [date].
WHAT DATA WAS INVOLVED:
[Categories of data affected, e.g., "lead contact
information including names, phone numbers, and email
addresses"]
Approximately [number] records associated with your
organization may have been affected.
WHAT WE ARE DOING:
- [Containment actions taken]
- [Investigation status]
- [Remediation measures implemented]
- [Third-party forensic engagement, if applicable]
WHAT YOU CAN DO:
- Review your audit logs for any unusual activity
- Notify affected consumers as required by applicable law
- Contact us with questions at [email protected]
We take this incident seriously and are committed to
transparency throughout the investigation. We will provide
updates as additional information becomes available.
Sincerely,
Lead Validator Pro Security Team
[email protected]
4.3 Consumer Notification (CCPA - 30 day)
CONSUMER BREACH NOTIFICATION (CCPA)
Subject: Notice of Data Breach
Dear [Consumer Name],
We are writing to notify you that your personal information
may have been involved in a data security incident.
WHAT HAPPENED:
[Description of the breach in plain language]
WHAT INFORMATION WAS INVOLVED:
[Specific data elements, e.g., "your name, phone number,
email address, and home address"]
WHAT WE ARE DOING:
[Remediation steps taken]
WHAT YOU CAN DO:
- Monitor your accounts for suspicious activity
- Consider placing a fraud alert with credit bureaus
- You may obtain a free credit report at
www.annualcreditreport.com
FOR MORE INFORMATION:
Contact our Privacy Office at:
Email: [email protected]
Phone: [Phone Number]
You may also contact the California Attorney General at:
Office of the Attorney General
1300 I Street, Sacramento, CA 95814
www.oag.ca.gov
Sincerely,
Lead Validator Pro LLC
5. Post-Incident Review
Within 5 business days of incident resolution, the Incident Response Team shall conduct a post-incident review ("post-mortem") covering:
- Timeline: Complete chronology from detection through resolution
- Root Cause Analysis: Technical root cause and contributing factors
- Impact Assessment: Scope of data affected, systems compromised, service disruption duration
- Response Evaluation: Effectiveness of detection, containment, and communication
- Lessons Learned: What worked well, what needs improvement
- Action Items: Specific remediation tasks with owners and deadlines
- IRP Updates: Changes to this plan based on lessons learned
6. Testing and Maintenance
- This IRP shall be reviewed and updated at least annually
- Tabletop exercises simulating P1/P2 incidents shall be conducted at least semi-annually
- Contact information and escalation paths shall be verified quarterly
- All IRP updates shall be documented with version number and effective date
7. Regulatory Reference
Key Compliance Requirements:
- CCPA (Cal. Civ. Code § 1798.82): Notification to California residents within 30 days when breach affects 500+ residents; notification to California AG when 500+ residents affected
- Texas (Bus. & Com. Code § 521.053): Notification without unreasonable delay (60 days) to affected Texas residents
- GLBA Safeguards Rule (16 CFR § 314.4): Maintain incident response plan; notify FTC within 30 days for incidents affecting 500+ consumers' NPI
- State Breach Notification Laws: 50 states + DC have breach notification laws with varying timelines (30-90 days); we target the most restrictive deadline applicable