How TurboFinOps detects, contains, communicates and learns from security and availability incidents. Aligned with GDPR Article 33 and the obligations in our Data Processing Agreement.
Report a suspected incident: email security@turbofinops.com for active customer impact, suspected tenant exposure or compromised credentials. For current platform availability, follow /status.
1. Detect
Alerts from Sentry, infrastructure monitors, internal anomaly checks or customer reports route to the on-call engineer. Suspected security incidents are escalated to the security responder within 30 minutes.
2. Triage and classify
Initial triage classifies severity (P1–P4) based on customer impact, data exposure risk and scope. P1 events trigger the incident command process and a dedicated coordination channel.
3. Contain
Containment actions may include revoking credentials, isolating affected scopes, rolling keys, disabling features or scaling protection. The conflict-guard and audit trail capture every containment action.
4. Notify
Affected customers and, where applicable, supervisory authorities are notified within the timelines below. Status communications are mirrored on /status. Customers under an active DPA receive a written notice including known scope, impact and mitigations.
5. Eradicate and recover
Root cause is removed, integrity of remaining systems is verified, restored services are validated against runtime health checks, and customer-side replays or backfills are coordinated where applicable.
6. Post-incident review
A blameless post-incident review is completed within 14 days. For P1 events a customer-facing summary is published describing impact, root cause, actions taken and durable fixes scheduled.
| Severity | Definition | Internal response | Customer notification |
|---|---|---|---|
| P1 — Critical | Confirmed breach, data exposure or platform outage affecting all customers | On-call paged immediately | Customer notice without undue delay and no later than 72 h after we become aware (processor notice under GDPR Art. 33(2), so the controller can meet its own 72 h deadline under Art. 33(1)). Affected customers contacted directly. |
| P2 — High | Significant impact on a subset of customers or partial loss of a core capability | On-call paged within 30 minutes | Customer notice within 5 business days for tenants with material impact. |
| P3 — Medium | Degraded performance, limited-scope issue, or near-miss with no exposure | Engineering response next business day | /status updated as needed. No individual customer notice required. |
| P4 — Low | Internal-only or informational findings without customer impact | Tracked through normal engineering workflow | No external communication. |
Where TurboFinOps acts as a data processor on behalf of a Customer (the controller), the Customer remains responsible for any notification to supervisory authorities or data subjects under GDPR Articles 33 and 34. We support the Customer's obligation by providing the information described above without undue delay, as required of processors by Article 33(2).
For incidents affecting personal data for which TurboFinOps is the controller (for example, account holder data), we will notify the competent supervisory authority within 72 hours of becoming aware, in accordance with applicable law.