Incident Response Playbook

Last updated: 2026-05-26

1. Purpose

This is the public version of Nexus Legal's incident response playbook. It exists so that any customer, regulator or partner can verify what we commit to before signing a contract — rather than relying on a private SLA document. The full internal procedure (runbook, contact tree, escalation paths) is available under NDA at security@nexusquantum.legal.

2. Severity levels and committed response

Level / Definition / Committed response

  P1. Active data breach: unauthorised access to customer data, ransomware, key exfiltration.
      Response: less than 1 hour. All hands on deck until contained.
  P2. Production-wide outage: API completely down, database unreachable, authentication broken for all tenants.
      Response: less than 2 hours. Status page updated; rollback or hot-fix.
  P3. Partial degradation: one feature degraded (e.g. citation verification slow), a single tenant impacted.
      Response: less than 8 business hours. Next deploy window with documented fix.
  P4. Low-impact issue or potential vulnerability: reproducible defect with workaround, responsible disclosure report.
      Response: less than 3 business days. Scheduled into the next sprint.

3. Notification windows

  • Customers affected: notified in less than 24 hours of an incident being confirmed. Notification is sent to the technical and security contacts on file plus an in-app banner for end users.
  • Data Protection Authority: notified in less than 72 hours of a personal-data breach being confirmed, in line with GDPR Art. 33.
  • Data subjects: notified directly when the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34), within the same window applicable to the breach class.
  • Status page: updated for any P1 or P2 incident with real-time situation updates until resolution.

4. Lifecycle

  1. Detection. Sentry, on-call paging, customer report or responsible disclosure.
  2. Triage. Severity assigned within 30 minutes of detection.
  3. Containment. Rollback, key rotation, traffic isolation as required.
  4. Eradication. Root cause fixed and verified in staging.
  5. Recovery. Production restored with monitoring on the affected surface.
  6. Notification. Customers and authorities notified per Section 3.
  7. Post-mortem. Within 5 business days of resolution. Blameless. Shared with affected customers on request.

5. Reporting an incident or vulnerability

Send a description to security@nexusquantum.legal. For responsible disclosure use the subject line "Responsible Disclosure". We acknowledge within 72 hours and provide a remediation timeline within 7 days. We do not pursue legal action against good-faith researchers.

6. Authoritative version

This document is authoritative in English. Translations may be provided for convenience but the English text governs.

Quantum Nexus Ventures FZCO · Dubai Silicon Oasis, UAE · security@nexusquantum.legal