MarvelPixel Security Incident Response Policy

1. Purpose

The purpose of this Security Incident Response Policy is to define the procedures and responsibilities for detecting, reporting, assessing, and responding to security incidents that may affect the confidentiality, integrity, or availability of MarvelPixel’s systems, networks, or customer data.

2. Scope

This policy applies to all employees, contractors, and third parties with access to MarvelPixel’s systems and infrastructure, including but not limited to:

  • Web applications and APIs

  • Customer-installed JavaScript pixels

  • Reverse proxy servers

  • Data stores and analytics pipelines

3. Definitions

Security Incident: Any attempted or actual unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.

Personal Data Breach (as per GDPR): A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

4. Responsibilities

  • Security Officer: Owns and oversees the incident response process.

  • Engineering Team: Supports technical investigation and containment.

  • Data Protection Officer (DPO): Assesses regulatory impact and coordinates reporting to authorities and customers.

  • All Staff: Must report suspected incidents immediately.

5. Incident Response Process

5.1 Identification

  • Continuous monitoring tools detect unusual activity.

  • Employees and partners are trained to report suspicious behavior.

5.2 Reporting

  • All incidents must be reported immediately to hello@marvelpixel.io.

  • A preliminary report must be created within 2 hours.

5.3 Triage and Classification

Incidents are classified by severity:

  • Low: No impact to customer data.

  • Medium: Potential exposure or minor operational impact.

  • High: Confirmed data breach or service compromise.

5.4 Containment and Mitigation

  • Short-term: Isolate affected systems.

  • Long-term: Patch vulnerabilities, update systems, and reset credentials as needed.

5.5 Eradication and Recovery

  • Remove threats from all systems.

  • Restore systems from clean backups.

  • Validate integrity and functionality.

5.6 Notification

If personal data is involved:

  • Notify the supervisory authority (e.g., Dutch DPA) within 72 hours.

  • Notify affected customers “without undue delay,” including:

    • Nature of the breach

    • Contact details of DPO

    • Likely consequences

    • Measures taken

5.7 Post-Mortem

  • Conduct within 5 business days of resolution.

  • Document lessons learned.

  • Update this policy or systems if necessary.

6. Documentation

  • All security incidents are logged and maintained for a minimum of 5 years.

  • Records include date/time, nature of incident, actions taken, and lessons learned.

7. Legal and Regulatory Compliance

MarvelPixel complies with:

  • General Data Protection Regulation (GDPR)

  • California Consumer Privacy Act (CCPA)

  • Applicable cybersecurity frameworks (e.g., ISO/IEC 27001, NIST CSF)

8. Policy Review

This policy is reviewed annually or after any major incident. Approved changes are documented and communicated to all staff.

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V