Docs / Legal / Incident Response Policy

Incident Response Policy

Last updated: 9 July 2026

This policy governs how Stravax Group LLC detects, responds to, and reports security incidents and personal data breaches affecting Stravax Engage, with particular attention to the customer personal data (name and phone number) processed through the Shopify integration.

1. Scope and definitions

Covered data includes merchant customers' name and phone number, merchants' Shopify Admin API tokens, and merchant account credentials.

2. Existing technical controls (what we are defending)

Incident response is grounded in controls that already exist in the platform:

3. Detection

Sources that may surface an incident:

A monitored intake for external reports (security@stravax.ai) must be maintained.

4. Triage and severity

On detection, the responder records the time, the source, and an initial description, then assigns a severity:

Severity Definition Examples
SEV-1 (Critical) Confirmed or likely breach of customer personal data, cross-tenant data exposure, or token/credential compromise A tenant-isolation failure exposing another merchant's customers; leaked Admin API tokens
SEV-2 (High) Serious risk with no confirmed data exposure yet A signature-verification bypass; a privilege-escalation bug found before exploitation
SEV-3 (Medium) Limited-impact issue, no personal data at risk Availability degradation of a non-critical path
SEV-4 (Low) Minor or informational Low-risk finding from a routine review

Severity is re-evaluated as facts develop; it can be raised or lowered.

5. Containment

Immediate actions, chosen to fit the incident:

6. Notification

6.1 Affected merchants (our controllers)

For any confirmed or likely personal data breach affecting a merchant's customers, we notify the merchant without undue delay and no later than 72 hours after becoming aware, providing: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed. This meets the commitment in the merchant DPA.

6.2 Affected customers

Where a breach is likely to result in a high risk to affected individuals, we support the merchant (as controller) in notifying those individuals. We provide the merchant the information they need; direct customer notification is normally the merchant's decision as controller.

6.3 Platforms and regulators

7. Remediation

8. Post-incident review

Within two weeks of closing a SEV-1 or SEV-2 incident, conduct a written review covering: timeline, root cause, what detection and controls worked or failed, customer and data impact, and concrete follow-up actions with owners and due dates. Feed lessons back into controls, tests, and this policy.

9. Roles

10. Review

This policy is reviewed at least annually and after any SEV-1 incident.