Incident Response Playbook
Last updated: 2026-05-26
1. Purpose
This is the public version of Nexus Legal's incident response playbook. It exists so that any customer, regulator or partner can verify what we commit to before signing a contract — rather than relying on a private SLA document. The full internal procedure (runbook, contact tree, escalation paths) is available under NDA at security@nexusquantum.legal.
2. Severity levels and committed response
| Level | Definition | Response |
|---|---|---|
| P1 | Active data breach. Unauthorised access to customer data, ransomware, key exfiltration. | Less than 1 hour All hands on deck until contained. |
| P2 | Production-wide outage. API completely down, database unreachable, authentication broken for all tenants. | Less than 2 hours Status page updated; rollback or hot-fix. |
| P3 | Partial degradation. One feature degraded (e.g. citation verification slow), a single tenant impacted. | Less than 8 business hours Next deploy window with documented fix. |
| P4 | Low-impact issue or potential vulnerability. Reproducible defect with workaround, responsible disclosure report. | Less than 3 business days Scheduled into the next sprint. |
3. Notification windows
- Customers affected: notified in less than 24 hours of an incident being confirmed. Notification is sent to the technical and security contacts on file plus an in-app banner for end users.
- Data Protection Authority: notified in less than 72 hours of a personal-data breach being confirmed, in line with GDPR Art. 33.
- Data subjects: notified directly when the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34), within the same window applicable to the breach class.
- Status page: updated for any P1 or P2 incident with real-time situation updates until resolution.
4. Lifecycle
- Detection. Sentry, on-call paging, customer report or responsible disclosure.
- Triage. Severity assigned within 30 minutes of detection.
- Containment. Rollback, key rotation, traffic isolation as required.
- Eradication. Root cause fixed and verified in staging.
- Recovery. Production restored with monitoring on the affected surface.
- Notification. Customers and authorities notified per Section 3.
- Post-mortem. Within 5 business days of resolution. Blameless. Shared with affected customers on request.
5. Reporting an incident or vulnerability
Send a description to security@nexusquantum.legal. For responsible disclosure use the subject line "Responsible Disclosure". We acknowledge within 72 hours and provide a remediation timeline within 7 days. We do not pursue legal action against good-faith researchers.
6. Authoritative version
This document is authoritative in English. Translations may be provided for convenience but the English text governs.
Quantum Nexus Ventures FZCO · Dubai Silicon Oasis, UAE · security@nexusquantum.legal