Security Incident Response Policy

This Security Incident Response Policy describes how Vexor detects, assesses, manages, and reports security incidents, data breaches, account compromises, and other critical events that may affect the confidentiality, integrity, or availability of our systems and user data.

1. Purpose & Scope

Vexor maintains a formal Security Incident Response Program to protect users, creators, partners, and internal systems from security threats and to comply with legal and regulatory obligations (including GDPR, ePrivacy, and applicable national data protection laws).

This policy applies to:

  • All Vexor production systems, applications, and infrastructure
  • User data and creator data processed by Vexor
  • Internal tools and administration interfaces
  • Third-party service providers handling Vexor data
  • All employees, contractors, and trusted operations staff

2. Definitions

For the purposes of this policy:

  • Security Incident: Any event that may compromise the confidentiality, integrity, or availability of systems or data, or that violates Vexor's security policies.
  • Data Breach: A confirmed incident where personal or confidential data is accessed, disclosed, altered, or destroyed without authorization.
  • Critical Event: A high-severity incident impacting core services, user trust, safety, or legal obligations (e.g., large-scale compromise, service outage, or regulatory breach).

3. Incident Categories

Vexor classifies incidents into categories to determine response priority and actions:

  • Unauthorized Access: Suspicious logins, account takeovers, or access to systems without authorization.
  • Data Breaches or Leaks: Exposure of user data, credentials, or internal records.
  • Malware, Intrusions & Exploits: Malware infections, exploitation of vulnerabilities, or lateral movement inside infrastructure.
  • System Failures & Outages: Infrastructure or application failures impacting availability and data integrity.
  • Compromised Accounts: Takeover of user, creator, staff, or admin accounts.
  • Content Safety Escalations: Security-related content issues (e.g., mass phishing campaigns, malicious links, or systemic abuse) that require coordinated incident handling.
  • Third-Party / Vendor Incidents: Incidents originating at service providers that may affect Vexor data or services.

4. Detection & Monitoring

Vexor uses a combination of automated tools, manual review, and external reports to detect and monitor potential incidents:

  • Intrusion detection and prevention systems (IDS/IPS)
  • Real-time anomaly and behavioral monitoring across infrastructure and applications
  • Automated abuse and fraud detection for accounts, payments, and logins
  • Access log analysis and credential misuse monitoring
  • 24/7 security alerts and on-call rotation for security engineers
  • Bug bounty and vulnerability disclosure reports from external researchers

All suspected incidents are logged, triaged, and routed to the appropriate security and operations teams for further analysis.

5. Roles & Responsibilities

Vexor maintains a dedicated incident response structure:

  • Security Operations Team (SecOps): Leads technical investigation, triage, containment, and remediation.
  • Incident Commander: Assigned per incident to coordinate teams, decisions, and communication.
  • Engineering Teams: Provide system expertise, patching, fix deployment, and infrastructure changes.
  • Data Protection Officer (DPO): Oversees data protection compliance, regulatory reporting, and GDPR-related assessment.
  • Legal & Compliance: Coordinates law enforcement, regulatory notifications, and contractual obligations.
  • Communications / PR: Prepares user notifications and public statements when required.
  • Customer Support & Trust & Safety: Handles user-facing inquiries, support tickets, and safety-related escalations.

6. Incident Severity Levels

Incidents are assigned a severity level to prioritize response:

  • Severity 1 (Critical): Large-scale data breach, major service disruption, active exploitation, or imminent harm to users.
  • Severity 2 (High): Confirmed compromise of a subset of users or systems with elevated risk.
  • Severity 3 (Medium): Limited exposure, attempted but unsuccessful intrusions, or contained abuse.
  • Severity 4 (Low): Minor anomalies, policy deviations, or low-risk issues requiring monitoring and remediation.

7. Incident Response Lifecycle

Vexor follows a structured, repeatable lifecycle for all confirmed incidents:

7.1 Identification

The Security Operations Team validates alerts, correlates logs, and confirms whether an incident is genuine. Once confirmed, an Incident Ticket is opened and assigned a severity level.

7.2 Containment

The goal of containment is to stop ongoing harm and prevent further compromise:

  • Blocking malicious IPs, sessions, or access tokens
  • Disabling compromised accounts or credentials
  • Isolating affected servers or network segments
  • Temporarily suspending risky features (e.g., a specific upload flow, payment function)

7.3 Eradication

After containment, teams identify and remove root causes:

  • Removing malware or malicious code
  • Patching vulnerabilities and misconfigurations
  • Rotating keys, credentials, and access tokens
  • Revoking unauthorized access and restoring secure baselines

7.4 Recovery

Once systems are secure, Vexor restores full service:

  • Bringing affected services and infrastructure back online safely
  • Restoring data from backups where necessary
  • Monitoring post-incident for recurring anomalies
  • Gradually lifting temporary restrictions with risk checks

7.5 Disclosure & Communication

Where legally required or appropriate for transparency, Vexor:

  • Notifies affected users with clear, actionable information
  • Provides guidance on protective steps (e.g., password reset, scam awareness)
  • Informs regulators and authorities within mandated timeframes
  • Documents the incident and publishes high-level learnings in transparency reports where suitable

8. User Notification

If user data is affected by a confirmed breach or incident that poses a risk to rights and freedoms, Vexor will notify impacted users as soon as reasonably possible, and in accordance with applicable law.

Notifications may include:

  • What happened and when
  • What information is believed to be affected
  • What actions Vexor has taken
  • What steps users should take (e.g., changing passwords, enabling 2FA)
  • How to contact Vexor for support or further clarification

9. Regulatory & Legal Notification

Vexor complies with data protection and breach-notification laws, including GDPR. For incidents involving personal data of EU/EEA users:

  • Relevant Data Protection Authorities are notified within 72 hours of becoming aware of a qualifying breach, where required.
  • Additional regulators (e.g., telecom/media authorities) may be notified depending on jurisdiction and impact.
  • Documentation of the breach, analysis, and response is retained as required by law.

Legal and DPO teams coordinate and approve all regulatory communications to ensure accuracy and compliance.

10. Third-Party & Vendor Incidents

When a third-party provider or vendor used by Vexor experiences an incident that may impact Vexor users:

  • Vexor requests full incident details, impact assessments, and remediation steps
  • Risk to Vexor systems and data is assessed and mitigated
  • Users and regulators are notified where Vexor is legally or contractually obligated to do so
  • Vendor contracts and security assurances may be reevaluated

11. Logging, Forensics & Evidence Preservation

During an incident, Vexor may:

  • Retain and secure relevant logs and system images
  • Preserve evidence for regulatory, legal, or law enforcement needs
  • Conduct forensic analysis in a controlled, auditable environment

Evidence handling follows strict chain-of-custody and least-access principles.

12. Post-Incident Review & Continuous Improvement

After resolving a significant incident, Vexor performs a structured post-incident review, which may include:

  • Root cause analysis and contributing factors
  • Control gaps and process failures
  • Updates to policies, controls, or infrastructure
  • Additional monitoring and alerting improvements
  • Training and awareness enhancements for staff

Learnings are documented and integrated into ongoing security and risk management programs.

13. Testing & Drills

Vexor regularly conducts tabletop exercises, simulations, and red-team/blue-team exercises to:

  • Test readiness of the incident response process
  • Validate communication flows, roles, and responsibilities
  • Identify weaknesses in detection and response capabilities

14. Reporting Security Incidents to Vexor

Users, partners, and security researchers are encouraged to report suspected security issues or incidents:

  • Security Team: security@vexor.to
  • Emergency Response (High-Risk / Active Exploit / Life Safety): emergency@vexor.to
  • Bug Bounty / Vulnerability Disclosure: Refer to the Bug Bounty / Security Vulnerability Disclosure Policy.

15. Relationship to Other Policies

This Incident Response Policy operates in coordination with:

  • Security Practices Disclosure
  • Data Retention & Deletion Policy
  • Bug Bounty / Vulnerability Disclosure Policy
  • Law Enforcement Request Guide
  • Crisis Safety & Self-Harm Prevention Policy
  • Privacy Policy & GDPR Compliance Statement

16. Changes to This Policy

Vexor may update this Incident Response Policy from time to time to reflect changes in infrastructure, legal requirements, threat landscape, or best practices. Updated versions will be published with a revised effective date. Continued use of Vexor indicates acceptance of the updated policy.

17. Contact Information

For questions about this Incident Response Policy or security practices:

Security Team: security@vexor.to
Emergency Response: emergency@vexor.to
Data Protection Officer (DPO): dpo@vexor.to
Legal: legal@vexor.to
