Incident Response
Last updated: May 4, 2026
1. Program overview
GenZHook operates a 24×7 security incident-response program aligned with NIST SP 800-61r2 and ISO/IEC 27035. A written runbook defines severity classification, roles (Incident Commander, Comms Lead, Scribe), communication channels, and escalation paths.
2. Severity matrix
| Severity | Examples | Target response |
|---|---|---|
| SEV-1 | Confirmed data breach, full outage, RCE | Pager within 15 min; containment ≤ 1 h |
| SEV-2 | Partial outage, degraded AI provider, exploitable vuln | Pager within 30 min; containment ≤ 4 h |
| SEV-3 | Non-exploitable vuln, limited anomaly | Next business day |
| SEV-4 | Informational, policy question | Best-effort |
3. Notification timelines
- Regulators: without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to data subjects (GDPR Art. 33; UK GDPR Art. 33). Under the Swiss FADP the standard is "as soon as possible"; we apply the same 72-hour target there.
- Affected users: without undue delay when a breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34). Art. 34 sets no fixed deadline; in practice we aim to notify within the same 72-hour window.
- Enterprise customers: per their MSA/DPA; default 72 hours via dedicated contact.
- Status page: updated in real time for availability incidents.
4. What a notification contains
- Nature of the incident and categories/approximate volume of data subjects affected
- Likely consequences
- Measures taken or proposed to address the incident and mitigate effects
- Contact point for further information (DPO or equivalent)
5. Forensics & evidence
Logs are append-only, cryptographically signed, and retained for 365 days. Snapshots of affected systems are preserved for forensic analysis under a documented chain of custody from the moment they are taken, not only when law enforcement becomes involved. Where law enforcement requests evidence, we disclose it only in response to valid legal process (subpoena, court order, or MLAT request).
6. Post-incident review
Every SEV-1 and SEV-2 incident is followed by a blameless post-mortem within 14 days. A sanitized summary is published to enterprise customers under NDA; the root cause and each action item are tracked to closure in our engineering backlog.
7. Customer responsibilities
- Keep your account email and (optionally) a security contact up to date in Settings.
- Use strong, unique passwords and enable 2FA once available.
- Report anomalies to security@genzhook.com.
8. Business continuity
Daily encrypted Postgres backups are retained for 30 days, and a restore from backup is tested quarterly. Database failover targets an RTO under 1 hour and an RPO under 5 minutes. A documented disaster-recovery plan is reviewed annually.
9. Owner's Reservation of Rights
The processes, severities, timelines, and SLAs described above are operational practices the Owner may modify at any time. The Owner reserves the absolute, exclusive, and unfettered discretion, with or without prior notice and without liability, to add, change, restructure, or remove any incident-response procedure, severity class, target time, communication channel, or notification path; to modify, restructure, or replace this Incident Response page or any related policy at any time with effect upon posting (subject only to legally required minimums, for example the GDPR Art. 33 72-hour notification rule, which we will continue to honor); and to add, change, restrict, suspend, or discontinue any feature, plan, integration, price, fee, FX rate, credit weight, quota, discount, coupon, reward, or facility, partially or fully, pursuant to the Universal Reservation of Rights in Terms of Service section 1.1, the Authorized-Use License in section 1.2, the Benefits Reservation in section 1.3, the Dynamic Pricing & FX clause in section 1.4, and the Comprehensive Owner Protections in section 18. Those provisions and the No-Refund Policy are incorporated into this page in full. No incident, breach, downtime, outage, missed SLA target, delayed notification, or any other event gives rise to any refund, credit-back, pro-rated reimbursement, alternative compensation, SLA payout, service credit, or fee waiver of any kind. You waive any claim to refund, credit-back, pro-rated rebate, alternative compensation, or specific performance arising from the exercise of these rights or from any such event, except only where applicable mandatory law preserves an unwaivable right and only to the absolute minimum the law requires.