
Incident response

The process Koji follows when a security or privacy incident is detected, the customer notification commitments in the DPA, and how to report a suspected incident.

Last updated: May 2026
Applies to: All security and privacy incidents affecting customer data
Suspect an incident? Email [email protected] immediately. Include your account, what you observed, when, and any logs or screenshots you can share. Acknowledgement target: within one hour during business hours, within four hours outside business hours.

What counts as an incident

Koji defines an incident as any event that compromises (or has the potential to compromise) the confidentiality, integrity, or availability of customer data, or that constitutes a personal data breach under Article 4(12) GDPR.

Examples include unauthorized access to a customer database, accidental disclosure of customer data to the wrong recipient, ransomware or other malicious software affecting Koji systems, and a sub-processor incident affecting customer data.

Detection

  • Automated monitoring on application, database, and infrastructure layers, with alerting on anomalous behavior and security-relevant events.
  • Audit-log review for unusual administrative activity and authentication patterns.
  • Vulnerability scanning on dependencies, with alerts on critical findings.
  • Customer and researcher reports via [email protected] and our vulnerability disclosure policy.
  • Sub-processor notifications received under our DPAs with each sub-processor.

Severity classification

  • P0 (critical): Active unauthorized access to customer data; service unavailable for all customers; data loss with no recovery path.
  • P1 (high): Confirmed potential for unauthorized access; service unavailable for a subset of customers; data corruption with recovery path.
  • P2 (moderate): Possible exposure of customer data under specific conditions not yet confirmed; partial functional impact.
  • P3 (low): Issue with no immediate customer impact but requiring remediation.

Triage and containment

  1. The on-call engineer acknowledges the alert or report and opens an incident channel.
  2. Initial scope is determined: which customers are affected, what data is involved, what attack vector or failure mode is suspected.
  3. Immediate containment actions are taken: rotating credentials, blocking IPs, revoking sessions, disabling affected features, or rolling back recent deployments as appropriate.
  4. Forensic preservation: logs, snapshots, and any other evidence relevant to root-cause analysis are preserved.
  5. The incident commander is assigned for P0 and P1 incidents.

Customer notification

For any personal data breach affecting customer data, Koji notifies the controller without undue delay and within seventy-two hours of becoming aware, in line with our DPA and Article 33 GDPR.

The initial notification includes:

  • The nature of the breach, including (where possible) the categories and approximate number of data subjects and records affected.
  • The name and contact details of Koji's point of contact for the incident.
  • The likely consequences of the breach.
  • The measures Koji has taken or proposes to take, including (where appropriate) measures to mitigate possible adverse effects.

Where the full information is not available within seventy-two hours, the initial notification flags what is unknown and we follow up with updates as the investigation progresses.

For service availability incidents that do not affect data confidentiality, customers receive a status update through the public status communication channel and a follow-up post-mortem when the incident is resolved.

Resolution and post-incident review

After containment and customer notification, the incident moves into resolution: the root cause is identified, the fix is deployed, and the customer-facing impact is closed out.

For every P0 and P1 incident, a written post-incident review is produced within two weeks of resolution. The review covers:

  • Timeline and root cause
  • What worked and what did not
  • Customer impact
  • Action items, owners, and deadlines

Affected customers receive the relevant portions of the post-incident review on request.

Recurring review

The incident response procedure is reviewed at least annually and exercised through internal tabletop scenarios. The procedure is updated whenever a real incident exposes a gap.

Questions about this document? Contact compliance.