# Incident Response Plan
DRAFT — 2026-05-10. Pending review by counsel and a security consultant before being relied upon for contractual commitments. Customers should treat this as good-faith disclosure of current process, not a binding SLA.
## Scope
This plan covers operational incidents affecting the AuditForge service and customer data: outages, data integrity loss, suspected unauthorized access, and breaches of confidentiality. It does not cover billing disputes, feature requests, or change-management.
## Roles
Today AuditForge is operated by Base2ML's founder. The "incident commander" and "communications lead" roles collapse onto the founder. As headcount grows the plan will split them.
| Role | Responsibility | Today |
|---|---|---|
| Incident Commander | Triage, coordinate response, decide containment vs. mitigation | Base2ML founder |
| Communications Lead | Notify affected partners, status-page updates, regulator notifications | Base2ML founder |
| Forensics Lead | Evidence preservation, audit-log capture, root-cause investigation | Base2ML founder (escalates to external IR firm for serious incidents) |
| External Counsel | Legal advice on notification obligations | (To be retained — currently engaged ad-hoc) |
## Severity classification
| Severity | Definition | Examples |
|---|---|---|
| SEV-1 | Customer data confidentiality, integrity, or availability is broken or believed broken | Suspected breach; cross-tenant data leak; complete outage > 1 hour |
| SEV-2 | Service impairment affecting paying customers; no data integrity loss | Slow audit completion > 2x normal; partial regional ECS failure |
| SEV-3 | Minor degradation; one tenant affected | Single engagement audit aborted with infrastructure-side error |
| SEV-4 | Cosmetic or non-impacting | Stale documentation; minor UI bug |
## Response timeline (target)
| Severity | Acknowledge | Initial customer notification | Resolution target |
|---|---|---|---|
| SEV-1 | < 1 hour from detection | < 4 hours from detection | < 24 hours |
| SEV-2 | < 4 hours | < 24 hours | < 72 hours |
| SEV-3 | < 1 business day | If there is customer impact | Best-effort |
| SEV-4 | Best-effort | Not required | Next release |
These are targets, not contractual SLAs. Annual platform-license contracts may include negotiated SLAs.
## Detection
Detection sources today:
- AWS CloudWatch alarms on ECS task health, ALB 5xx rates, S3 access errors (production)
- Customer-reported issues to chris@base2ml.com
- Founder routine review of CloudWatch logs and audit-log volumes
- AWS GuardDuty alerts on suspicious API activity in the account
Future: integrate a paging service (PagerDuty / Opsgenie) when headcount supports it.
## Containment + mitigation
For suspected unauthorized access:
- Revoke the suspected credential immediately (admin token rotation, user session revocation, AWS IAM key rotation as applicable)
- Isolate the affected ECS task — taking it out of the ALB target group while preserving state for forensics
- Snapshot the engagement's S3 bucket (versioning is enabled on every bucket — already done)
- Preserve the per-engagement audit log of every LLM call (Phase 14 — this is already happening continuously)
- Communicate per Communications section below
For data integrity issues:
- Identify affected engagements via cross-reference between findings store and audit log
- Use the engagement freeze mechanism (Phase 20) to prevent further mutations
- Restore from S3 object versions if applicable
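One way to implement the cross-reference step, as an added example that is not AuditForge's own code: it treats the per-engagement audit log of LLM calls as ground truth and flags any engagement whose findings either lack an audit entry or point at another engagement's call. The record layouts (`engagement_id`, `finding_id`, `call_id`) and the sample data are constructed assumptions; the page does not describe the real store formats.

```python
"""Reconcile the findings store against the per-engagement LLM audit log.

Added example, not AuditForge's code. Record layouts and sample data are
assumptions constructed for illustration.
"""
from collections import defaultdict

# Constructed sample audit log: one entry per audited LLM call.
AUDIT_LOG = [
    {"call_id": "c-001", "engagement_id": "eng-A", "ts": "2026-05-09T10:00:00Z"},
    {"call_id": "c-002", "engagement_id": "eng-A", "ts": "2026-05-09T10:05:00Z"},
    {"call_id": "c-101", "engagement_id": "eng-B", "ts": "2026-05-09T11:00:00Z"},
    {"call_id": "c-201", "engagement_id": "eng-D", "ts": "2026-05-09T12:00:00Z"},
]

# Constructed sample findings. Each finding should trace back to exactly one
# audited call belonging to the same engagement.
FINDINGS = [
    {"finding_id": "f-1", "engagement_id": "eng-A", "call_id": "c-001"},
    {"finding_id": "f-2", "engagement_id": "eng-A", "call_id": "c-002"},
    {"finding_id": "f-3", "engagement_id": "eng-A", "call_id": "c-999"},  # no audit entry
    {"finding_id": "f-4", "engagement_id": "eng-B", "call_id": "c-001"},  # call belongs to eng-A
    {"finding_id": "f-5", "engagement_id": "eng-C", "call_id": "c-101"},  # call belongs to eng-B
    {"finding_id": "f-6", "engagement_id": "eng-D", "call_id": "c-201"},  # clean
]


def cross_reference(findings, audit_log):
    """Return {engagement_id: [reasons]} for engagements whose findings do not
    reconcile with the audit log. An empty dict means every finding is accounted for."""
    call_owner = {e["call_id"]: e["engagement_id"] for e in audit_log}
    problems = defaultdict(list)
    for f in findings:
        owner = call_owner.get(f["call_id"])
        if owner is None:
            # No audited call produced this finding: integrity of the store is in doubt.
            problems[f["engagement_id"]].append(
                f"{f['finding_id']}: no audit entry for {f['call_id']}")
        elif owner != f["engagement_id"]:
            # Finding references another engagement's call: treat as a possible
            # cross-tenant leak and flag both engagements for investigation.
            problems[f["engagement_id"]].append(
                f"{f['finding_id']}: call {f['call_id']} belongs to {owner}")
            problems[owner].append(
                f"{f['call_id']} referenced by {f['finding_id']} in {f['engagement_id']}")
    return dict(problems)


def engagements_to_freeze(findings, audit_log):
    """Sorted engagement ids to pass to the freeze mechanism pending investigation."""
    return sorted(cross_reference(findings, audit_log))
```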
## Communications
For SEV-1 and SEV-2 incidents:
- Affected customers: email to firm admin within timelines above. Includes: what happened, what data is affected, what we're doing, what they should do, when they'll hear from us next
- All customers: status notice on docs.base2ml.com if outage > 4 hours
- Regulators: per applicable law. Today this is primarily state-level data breach notification statutes (e.g., California CCPA, Pennsylvania Breach of Personal Information Notification Act). Counsel determines the specific notice obligations per incident.
We do not pre-commit to notification in social media or public PR channels for incidents not affecting confidentiality.
## Post-incident
Within 5 business days of SEV-1 or SEV-2 resolution:
- Internal post-mortem: timeline, root cause, contributing factors, what worked, what didn't, action items with owners
- Customer-facing summary: shared with affected customers (and on request with any customer); written so a non-technical reader can understand what changed
- Roadmap update: any preventive engineering work added to the public roadmap at docs/auditforge/roadmap.md
## What's missing today (honest gaps)
- No on-call rotation — single-person operation
- No paging service — relies on CloudWatch email alarms
- No retained external IR firm — would engage one ad-hoc on a serious breach
- No retained external counsel for breach notification advice — would engage one ad-hoc
- No tabletop exercises run yet
These gaps close as Base2ML grows headcount and revenue. They are not blockers for typical document-review engagements but are blockers for high-stakes regulated-industry deployments.
## Contact
For incident reports or to escalate a suspected issue, email chris@base2ml.com with a subject line beginning [INCIDENT]. For urgent issues outside business hours, use the same address; replies aim for the SEV-1 timeline above.