Reverba
Começar grátis

Legal document

Incident Response Plan

Oneck Creative LTDA's operational procedure to detect, contain, communicate, and recover from security incidents affecting Reverba or its Customers — in compliance with LGPD Article 48 and GDPR Article 33 (72-hour notification).

Last updated
Effective from
Version
v1.0

Ler em português (Brasil)

1. Objective

Ensure that any security incident is detected timely, contained with minimum damage, communicated to interested parties (affected subjects, Customers, Brazilian DPA, marketplaces) within legal deadlines, and that lessons are incorporated into process improvements.

2. Definitions

  • Security incident: any event that compromises or has the potential to compromise the confidentiality, integrity, or availability of Reverba data or systems.
  • Personal data breach: a subset of incident involving unauthorized access, modification, or destruction of personal data.
  • Processor: Reverba (data processor under GDPR).
  • Controller: the Reverba Customer, in relation to their own End-Contacts.

3. Roles and responsibilities

  • Incident Coordinator (Tech Lead): declares the incident, triggers the playbook, authorizes containment actions. Backup: DPO.
  • DPO (privacidade@reverba.com.br): coordinates communication to data subjects, the Brazilian DPA, and Customer Controllers; drafts notifications.
  • Operations: executes technical containment (token revocation, key rotation, isolation of affected environment).
  • Communications: posts updates to status page, emails account owners, social media when applicable.

4. Response phases

  1. Identification — monitoring alert, external report (subject, researcher), or internal discovery during log review.
  2. Triage — Tech Lead assesses scope, affected data, and severity (§5). Target window: 1 hour from alert.
  3. Containment — block the attack vector, revoke compromised tokens, rotate encryption keys if needed, isolate affected systems. Target window: 4 hours after triage for CRITICAL incidents.
  4. Eradication — remove the root cause (software patch, fix improper config, dismiss compromised access).
  5. Recovery — restore systems from clean backups when applicable; validate data integrity; release the environment for normal use.
  6. Communication — notify affected subjects and authorities within prescribed deadlines (§6).
  7. Lessons learned — post-mortem with action plan to prevent recurrence. Documented internally; summary published on the status page for HIGH/CRITICAL incidents.

5. Severity classification

SeverityDefinitionExamples
CRITICALUnauthorized access to personal data of multiple Customers, or total downtime > 1 hour.Database leak; master encryption key compromise.
HIGHUnauthorized access to a single Customer's data, or partial downtime > 4 hours.Compromised admin account; tenant isolation failure detected and contained.
MEDIUMExploitable vulnerability found (e.g., via researcher) with no evidence of exploitation.XSS reported in input field; dependency with known CVE.
LOWOperational anomaly without data compromise.500 error spike; massive login attempt blocked by throttler.

6. Communication to interested parties

  • ANPD notification: personal data breaches that may cause risk or significant harm to subjects are reported under LGPD Article 48. Internal communication to DPO within 24 hours; ANPD communication within 72 hours.
  • Subject notification: affected data subjects are notified by email within a reasonable timeframe (target: 24h after scope confirmation) with:
    • Plain-language description of the incident.
    • Affected data categories.
    • Technical containment measures taken.
    • Recommendations to the subject (e.g., change password).
    • Channel for clarification (DPO).
  • Customer Controller notification: the DPO notifies the affected Customer so they can fulfill their own obligations to End-Contacts (in parallel).
  • Marketplace notification: if the incident affects tokens or data of TikTok Shop, Mercado Livre, or Shopee, we notify the respective Partner Program per the contractual SLA with each platform.
  • Status page: outages are disclosed at status.reverba.com.br in near real-time.

7. How to report an incident

Anyone (subject, Customer, researcher, employee) can report a suspected incident:

Researchers who report vulnerabilities in good faith are not subject to retaliation. We ask that they wait 90 days before public disclosure to allow for fixing.

8. Post-incident

  • Post-mortem: written within 7 days after recovery. Includes: timeline, root cause, estimated impact, containment actions, planned improvements.
  • Metrics: time to detect (MTTD), time to contain (MTTC), time to recover (MTTR) — measured and compared to internal targets.
  • Lessons learned: concrete actions to prevent recurrence are added to the security backlog and prioritized.
  • Public summary: CRITICAL or HIGH incidents get a public summary at status.reverba.com.br after resolution, with scope, actions taken, and improvements.

Related documents: Privacy Policy, Information Security Policy, Data Retention.