Incident Response & Breach Notification Policy

• Security Event: any observable occurrence in a system or network (e.g. failed-login spike, anomalous query).
• Security Incident: a Security Event that has compromised, or is reasonably likely to compromise, the confidentiality, integrity, or availability of Gear Wave Data or systems.
• Breach: an Incident involving unauthorized access to, acquisition of, or disclosure of personal information that triggers a notification obligation under applicable law.

• Incident Commander (IC): the founder (or designated officer) — owns the response, decisions, and communications.
• Technical Lead: investigates, contains, and remediates.
• Communications Lead: drafts customer, regulator, and partner notifications.
• External counsel: engaged for any Incident that may meet a breach-notification threshold.

In the current solo-founder phase, the founder holds all three internal roles and engages outside counsel when needed.

Sources monitored: application logs, auth logs, admin audit log, Stripe and email-provider alerts, cloud-provider security alerts, dependency-scan alerts, user reports to support@gearwaveapp.com, and rate-limit / abuse-detection signals. Anyone who suspects an Incident must email support@gearwaveapp.com immediately with subject line beginning "SECURITY:".

1. Triage (≤ 1 hour from detection): IC confirms whether the event is an Incident, assigns severity (Sev-1 customer data at risk / Sev-2 internal systems / Sev-3 minor), opens an incident record.
2. Contain (≤ 4 hours, Sev-1): revoke compromised credentials, rotate keys, disable affected accounts, block hostile IPs, isolate affected systems.
3. Eradicate: remove the root cause (patch, code fix, configuration change, removal of malicious data).
4. Recover: restore systems from known-good state, monitor for recurrence.
5. Notify: per Section 5.
6. Post-Incident Review (≤ 14 days): written root-cause analysis, corrective-action plan, lessons learned, policy updates.

For every confirmed Incident, the IC (with counsel for Sev-1) assesses:

• What data categories were exposed (name, email, phone, address, government ID, payment info, etc.)?
• How many individuals were affected, and in which jurisdictions?
• Was the data encrypted or otherwise unusable?
• Does the exposure meet the notification threshold under: each affected U.S. state breach-notice law, HIPAA (if applicable), GDPR/UK-GDPR Art. 33/34, and any contractual obligations to partners or insurers?

The IC documents the assessment and the decision (notify / no-notify) and retains it for at least 7 years.

• Regulators: within statutory windows (e.g. 72 hours under GDPR Art. 33; "without unreasonable delay" and state-specific deadlines under U.S. laws).
• Affected users: by email to the address on file, plus in-app banner, in clear non-technical language, including what happened, what data was involved, what Gear Wave is doing, what the user should do, and contact info.
• Payment-card networks / Stripe: per Stripe and card-network requirements when payment data is implicated.
• Insurer / partners: per contractual notification clauses, typically within 72 hours of confirmed Incident.
• Public statement: only if required by law or if user notification cannot be delivered individually.

Logs, system images, and other forensic evidence relating to an Incident are preserved unaltered for at least 7 years or longer if a legal hold is in effect.

This policy is reviewed at least annually. A tabletop exercise covering a simulated Sev-1 Incident is conducted at least once per calendar year and after any major architectural change.