Security Incident Response Policy

Last updated: April 23, 2026

At Drapify, protecting our merchants' and shoppers' data is a foundational commitment. This policy outlines how we detect, respond to, and recover from security incidents to ensure transparency, accountability, and continuous improvement.

1. Scope

This policy applies to any actual or suspected event that may compromise the confidentiality, integrity, or availability of:

  • Merchant account information
  • Shopper personal data (including names, email addresses, and shipping locations) processed through the Drapify service
  • Drapify's production systems and infrastructure

2. Severity Classification

  Level    Description                                            Example
  Low      Minor issue with no exposure of personal data          Brief service degradation
  Medium   Suspected or potential exposure; impact unconfirmed    Unauthorized access attempt detected and blocked
  High     Confirmed unauthorized access to or disclosure of      Verified data breach affecting one or more
           personal data                                          merchants or shoppers

3. Response Process

3.1 Detect

Drapify operates continuous monitoring and automated alerting across our production environment. Suspicious activity, anomalous traffic patterns, and authentication failures trigger real-time alerts to our on-call team.

3.2 Contain

On detection of a suspected incident, we immediately:

  • Isolate affected systems and revoke any compromised credentials, API keys, sessions, or access tokens
  • Block malicious traffic at the network edge
  • Preserve logs, alerts, and forensic artifacts for investigation, capturing disk and memory snapshots of affected hosts before they are rebuilt or terminated so that containment does not destroy evidence

Target containment time: within 1 hour of confirmed detection.

3.3 Assess

Within 24 hours of confirming an incident, we determine:

  • The scope of data potentially affected
  • Whether merchant or shopper personal data was exposed
  • The root cause and attack vector

3.4 Notify

Affected merchants are notified by email without undue delay and no later than 72 hours after we confirm a personal-data breach. Where Drapify processes personal data on a merchant's behalf, this notification supports the merchant's own obligations under GDPR Article 33, which requires a processor to notify the controller without undue delay and requires the controller to notify its supervisory authority within 72 hours of becoming aware of the breach, and under other applicable data-protection laws. Because the regulatory clock starts at awareness rather than at confirmation, we treat a credible suspected breach as the start of that window.

Affected shoppers will be notified through the merchant whose store they used, where required by law.

Regulatory authorities are notified within statutory deadlines where applicable.

Notifications include: nature of the incident, types of data affected, steps already taken, recommended actions for affected parties, and a contact channel for further information.

3.5 Remediate

We patch the underlying vulnerability, rotate any affected credentials, and deploy fixes through our standard secure release process. Restorative actions are validated before incident closure.

3.6 Post-Incident Review

Within 7 days of incident closure, the Security Team conducts a written post-mortem covering:

  • Timeline of detection and response
  • Root cause analysis
  • Effectiveness of controls
  • Concrete preventive measures and tracked follow-up actions

Post-mortem outcomes inform updates to this policy and to our security controls.

4. Roles and Responsibilities

  • Incident Commander: leads the response, coordinates communications, and authorizes major actions
  • Engineering On-Call: performs technical containment and remediation
  • Communications Lead: drafts and sends notifications to merchants, regulators, and affected parties
  • Executive Sponsor: reviews high-severity incidents and approves external disclosures

For solo or small-team operations, a single individual may hold multiple roles, with documented escalation paths to legal and external advisors.

5. Evidence Preservation

All logs, alerts, and forensic artifacts related to an incident are retained for a minimum of 12 months in a secure, access-controlled archive to support investigation, regulatory inquiry, and post-incident analysis.

6. Training and Testing

  • All personnel with access to production systems complete security awareness training on joining and at least annually thereafter.
  • This policy is reviewed and tested at least once per year through tabletop exercises or simulated incidents.

7. Reporting a Security Concern

If you believe you have discovered a vulnerability or witnessed a security incident involving Drapify, please contact us at:

Email: security@drapify.ai
Response time: acknowledgement within 2 business days

We welcome responsible disclosure and will work in good faith with reporters to investigate and resolve any verified issues.

8. Policy Maintenance

This policy is reviewed at least annually and updated in response to:

  • Material changes in our infrastructure or service
  • Lessons learned from incidents
  • Evolving regulatory and industry best practices

Drapify is committed to maintaining the trust of the merchants and shoppers who use our service. Security is an ongoing practice, and we welcome feedback from our community.