Legal
Incident response
Last updated: June 2026 · Public version. Internal runbooks reference this policy.
A security incident is any confirmed or suspected event that affects the confidentiality, integrity, or availability of customer data or the re.fer service. This page describes how re.fer detects, triages, communicates, and learns from incidents.
Detection sources
Supabase alerts
Anomalous query patterns, failed authentication storms, replication lag, and row-level security violations are routed to the on-call channel.
Vercel runtime monitoring
Error rate spikes, latency regressions, and edge function failures page the on-call responder.
Upstash rate-limit anomalies
Unexpected rate-limit hits at workspace level or IP level surface in the on-call dashboard.
Dependency scanners
CI blocks deploy on a new critical or high CVE in the production lockfile and pages on out-of-band advisories.
Customer and researcher reports
Email to security@userefer.app is monitored during business hours and routed to on-call after hours through PagerDuty.
Severity classification
| Tier | Meaning | Response |
|---|---|---|
| SEV-1 | Confirmed personal data breach, confirmed cross-tenant data exposure, or full production outage. | Page on-call inside 15 minutes 24/7. Incident commander assigned. Customer-facing status posted within 1 hour. |
| SEV-2 | Partial production outage, suspected data exposure pending verification, or a critical CVE in production. | Page on-call inside 30 minutes 24/7. Status updates every 2 hours until mitigated. |
| SEV-3 | Degraded service, non-critical CVE, or single-customer impact without data risk. | Routed to the on-call queue. Mitigated during business hours. Communicated to the affected customer directly. |
Notification SLAs
For confirmed personal data breaches, re.fer follows the 72-hour notification window set out in Article 33 of the GDPR.
| Event | SLA |
|---|---|
| Acknowledge SEV-1 page | 15 minutes, 24/7 |
| Customer status page first update for SEV-1 or SEV-2 | Inside 1 hour of confirmation |
| Notify affected customers of a confirmed personal data breach (GDPR Article 33) | 72 hours of confirmation |
| Notify the relevant supervisory authority where required | 72 hours of awareness |
| Publish a post-mortem to affected customers | 14 days from resolution |
Customer communication channels
Primary channel: email to each affected workspace’s designated owner and admin addresses. Secondary channel: an in-product banner that surfaces inside the workspace until acknowledged. Public channel: the status page at status.userefer.app for incidents that touch service availability. Security researcher channel: security@userefer.app, also published at /.well-known/security.txt.
Post-mortem commitment
Every SEV-1 and SEV-2 incident gets a written post-mortem within 14 days of resolution. Affected customers receive a copy that covers the timeline, the root cause, the customer-visible impact, and the concrete follow-up actions, with owners and target dates. Where confidential detail must be redacted, we say what was redacted and why.
See also: Security whitepaper · DPA · Subprocessors · Data retention · security.txt