1. Purpose
The purpose of this Security Incident Response Policy is to define the procedures and responsibilities for detecting, reporting, assessing, and responding to security incidents that may affect the confidentiality, integrity, or availability of MarvelPixel’s systems, networks, or customer data.
2. Scope
This policy applies to all employees, contractors, and third parties with access to MarvelPixel’s systems and infrastructure, including but not limited to:
Web applications and APIs
Customer-installed JavaScript pixels
Reverse proxy servers
Data stores and analytics pipelines
3. Definitions
Security Incident: Any attempted or actual unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
Personal Data Breach (as per GDPR): A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
4. Responsibilities
Security Officer: Owns and oversees the incident response process.
Engineering Team: Supports technical investigation and containment.
Data Protection Officer (DPO): Assesses regulatory impact and coordinates reporting to authorities and customers.
All Staff: Must report suspected incidents immediately.
5. Incident Response Process
5.1 Identification
Continuous monitoring tools detect unusual activity.
Employees and partners are trained to report suspicious behavior.
5.2 Reporting
All incidents must be reported immediately to hello@marvelpixel.io.
A preliminary report must be created within 2 hours.
5.3 Triage and Classification
Incidents are classified by severity:
Low: No impact on customer data.
Medium: Potential exposure or minor operational impact.
High: Confirmed data breach or service compromise.
5.4 Containment and Mitigation
Short-term: Isolate affected systems.
Long-term: Patch vulnerabilities, update systems, and reset credentials as needed.
5.5 Eradication and Recovery
Remove threats from all systems.
Restore systems from clean backups.
Validate integrity and functionality.
5.6 Notification
If personal data is involved:
Notify the supervisory authority (e.g., Dutch DPA) within 72 hours.
Notify affected customers “without undue delay,” including:
Nature of the breach
Contact details of DPO
Likely consequences
Measures taken
5.7 Post-Mortem
Conduct within 5 business days of resolution.
Document lessons learned.
Update this policy or systems if necessary.
6. Documentation
All security incidents are logged and maintained for a minimum of 5 years.
Records include date/time, nature of incident, actions taken, and lessons learned.
7. Legal and Regulatory Compliance
MarvelPixel complies with:
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Applicable cybersecurity frameworks (e.g., ISO/IEC 27001, NIST CSF)
8. Policy Review
This policy is reviewed annually or after any major incident. Approved changes are documented and communicated to all staff.