Incident Response
Last updated: July 4, 2026
CORPYO maintains a documented incident response plan so that when something does go wrong, the response is fast, disciplined, and transparent rather than improvised.
Incident Lifecycle
Our response follows a consistent lifecycle: Detect → Triage → Contain → Investigate → Eradicate → Recover → Notify → Review. Every step is recorded, and every declared incident is assigned an owner responsible for driving it to closure.
Detection
Incidents are identified through automated monitoring and alerting (infrastructure health, anomalous authentication patterns, error-rate spikes, security-tooling alerts), through internal reports from employees, and through external reports from customers or security researchers via our Responsible Disclosure program. Any employee can escalate a suspected incident immediately — there is no approval gate that delays initial triage.
Investigation
Once triaged as a genuine incident, a response lead is assigned and relevant engineering, security, and — where customer impact is possible — leadership stakeholders are looped in. We establish the scope of the issue: what systems or data may be affected, how the issue arose, and whether it is still active. Investigation draws on centralized logs, infrastructure telemetry, and version-control history so we can reconstruct a precise timeline rather than guess at impact.
Containment
Containment actions are taken as soon as they can be applied safely — this may include revoking credentials, isolating affected systems, disabling a vulnerable feature, deploying a hotfix, or blocking malicious traffic at the network edge. We prioritize actions that stop ongoing harm even before root cause is fully understood, and only pursue longer-term fixes once the immediate exposure is closed.
Recovery
After containment, we work to restore normal service: validating that affected systems are clean, restoring data from backups if needed, re-issuing credentials or keys that may have been exposed, and monitoring closely for recurrence before declaring the incident resolved.
Customer Notification
Where an incident results in unauthorized access to, or disclosure of, customer personal data, we notify affected customers without undue delay and in line with applicable legal obligations (including GDPR's 72-hour regulator notification requirement where it applies). Notifications describe, to the extent known at the time, what happened, what data was involved, what we have done in response, and what affected customers should do. We do not wait for a perfect, complete picture before making initial contact if delay would leave customers less able to protect themselves — we would rather notify early and follow up with detail than stay silent while we investigate.
Postmortem Process
Every significant incident is followed by a blameless postmortem: a written account of what happened, the timeline, the root cause, what worked well in the response, and concrete follow-up actions with owners and due dates to prevent recurrence. Postmortem action items are tracked to completion, not just documented and forgotten. Learnings feed back into our Security Program — monitoring coverage, code review checklists, and access controls are all things we have refined as a direct result of past incidents and near-misses.
Reporting a Concern
If you believe you have found a security issue affecting CORPYO, please see our Responsible Disclosure policy or email security@corpyo.com directly.