GoRefer Trust Center
Incident Response
Updated April 2026
GoRefer maintains a documented Incident Response Plan (IRP) aligned with industry best practices and NIST SP 800-61r2. Our on-call engineering and security team responds to incidents 24/7, with tiered SLAs based on severity.
Incident Severity Levels & SLAs
| Severity | Definition | Initial Response | Target Resolution | Customer Notification |
|---|---|---|---|---|
| P0 – Critical | Active breach, data exfiltration, complete service outage | 15 minutes | 4 hours target | Customer + status page update within 1 hour |
| P1 – High | Significant data exposure risk, major feature outage, auth bypass | 1 hour | 24 hours target | Status page update + email to affected customers within 4 hours |
| P2 – Medium | Limited data exposure, feature degradation, suspicious activity confirmed | 4 hours | 72 hours target | Status page update within 8 hours; customer email if data is involved |
| P3 – Low | Minor vulnerability, no immediate data risk, isolated issue | 24 hours | 2-week sprint | Internal tracking; customer notification at discretion |
GDPR 72-hour notification obligation
For incidents involving personal data of EU/EEA residents that are likely to result in a high risk to individuals, we notify the supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33. Affected data subjects are notified without undue delay where required under Article 34.
Incident Response Process
1. Detection
Automated alerts (Sentry, uptime monitors, CloudWatch)
Customer or bug bounty reporting
Internal security audit findings
Threat intelligence feeds
2. Containment
Isolate affected systems
Revoke compromised credentials
Block malicious IPs
Preserve forensic evidence
3. Eradication
Root cause analysis
Patch or configuration fix
Rekey affected secrets
Re-test affected surface
4. Post-Mortem
Written post-mortem within 7 days
RCA documented in incident register
Process improvements identified
Findings shared with customers if relevant
Customer Notification Policy
What We Notify You About
Any confirmed or suspected unauthorized access to your firm's data
Data breaches affecting your clients' PII
Service outages exceeding 30 minutes
Material changes to security practices that may affect your compliance obligations
How We Notify You
Email to firm admin accounts listed on the account
In-app banner notification on next login
Status page update at status.gorefer.io
Direct phone call to firm admin for P0/P1 incidents affecting your firm
Report a Security Incident
If you believe you have discovered a security vulnerability or are aware of a security incident affecting GoRefer, please report it immediately using the form below. We acknowledge all reports within 24 hours.