Incident Response Policy

Bridgit Platform (askbridgit.ca)
Version 1.0 | Effective: April 28, 2026 | Next Review: April 28, 2027

1. Purpose and Scope

This policy governs how Bridgit identifies, responds to, and recovers from security incidents affecting the platform, its infrastructure, and the data of its users and their organizations.

Applies to: All personnel with access to Bridgit production systems, source code, or cloud infrastructure (GCP project bridgit-staging-471916).

In scope: The Bridgit SaaS application (askbridgit.ca), its staging environment (staging.askbridgit.ca), underlying Cloud Run services, Cloud SQL databases, GCS storage, Redis instances, third-party API integrations, and all data processed through the platform.

Compliance mapping: ISO 27001 A.16.1, SOC 2 CC7.2-CC7.4, GDPR Art. 33-34, PIPEDA Breach of Security Safeguards Regulations.

2. Incident Classification

Severity Levels

P1 Critical

• Active data breach, system-wide compromise, ransomware, production database exposure
• Response time: Immediate (within 15 minutes)
• Escalation: Yes — all hands

P2 High

• Confirmed unauthorized access, significant data exposure, critical service failure, compromised API keys
• Response time: Within 1 hour
• Escalation: Yes

P3 Medium

• Suspicious activity, access anomaly, minor system compromise, policy violation
• Response time: Within 4 hours
• Escalation: No

P4 Low

• Informational, false positive investigation, minor policy deviation
• Response time: Within 24 hours
• Escalation: No

Incident Categories

Data exposure

• Cross-org data leakage in activity instances; JSONB data visible to wrong tenant; file storage URL enumeration

Unauthorized access

• RBAC bypass; JWT token reuse after logout; admin endpoint accessible to regular users; embed auth bypass

System compromise

• Cloud Run container compromise; Cloud SQL unauthorized access; GCP IAM escalation

Third-party incident

• Breach at OpenAI, Anthropic, Google, Cohere, Stripe, or Tavily affecting data sent via API

Credential exposure

• API keys committed to git; GCP Secret Manager misconfiguration; OAuth token leak

Service disruption

• Cloud Run outage; database connection exhaustion; Redis failure causing session loss

Phishing / social engineering

• Targeted attempts against platform administrators

3. Detection and Reporting

How to Report

All users and staff: Use the Report a Problem form within the platform (accessible from the user menu and help page). When marking "Could this involve a security or data privacy issue?", the form captures:

• Incident type and severity assessment (P1-P4)
• Whether personal or sensitive data was potentially exposed
• Description of exposure and immediate actions taken

Direct escalation (P1/P2 or if the platform is unavailable): Contact the Incident Response Lead directly via phone or personal email.

Automated detection: GCP Cloud Run logs, Cloud SQL audit logs, and application error monitoring surface anomalies. GDPR deletion jobs (process-deletions, deletion-reminders) run on Cloud Scheduler and log execution status.

Incident Response Lead

Role: Matthew Bromwich
Responsibilities: Triage all reported incidents, coordinate response, authorize containment actions, manage regulatory notifications.

Initial Triage

1. Receive report (Problem Report form submission or direct contact)
2. Verify the report — reproduce or confirm via logs
3. Assign severity (P1-P4) based on classification above
4. If P1/P2: begin containment immediately, notify all personnel with production access
5. If data exposure confirmed: start the 72-hour GDPR / PIPEDA notification clock
6. Log the incident in the breach register (see Section 6)

4. Response Procedures

4.1 Containment

Immediate actions by incident type:

Cross-org data leakage

• Identify the query/endpoint; deploy hotfix or disable the route; audit access logs for scope

Compromised API key

• Rotate the key immediately in GCP Secret Manager; redeploy affected Cloud Run service

Unauthorized access

• Revoke the user's JWT (Redis blacklist); disable the account; review audit trail

Cloud Run compromise

• Redeploy from known-good container image; rotate all secrets; review Cloud Run logs

Third-party breach

• Rotate affected API keys; assess what data was sent to the compromised service; notify affected users

Database exposure

• Restrict Cloud SQL authorized networks; rotate DB credentials; assess data scope

Evidence preservation: Before any destructive containment action (container redeployment, log rotation), capture:

• Cloud Run revision logs (gcloud logging read)
• Cloud SQL query logs
• Redis session state snapshot
• Application-level audit trail from activity_instances and related tables
• Screenshots or exports from the Problem Report submission

4.2 Eradication

• Identify root cause (code defect, misconfiguration, credential leak, dependency vulnerability)
• Develop and test fix on staging (staging.askbridgit.ca)
• Verify fix does not introduce regressions (npm run test:quick in api/, npm run lint in both api/ and frontend/)
• Deploy fix via GitHub Actions (code_only deployment for code fixes; schema_change_production_clone if DB changes needed)

4.3 Recovery

• Restore from backup if data integrity is compromised (pg_dump backups via scripts/prepare-deployment.sh)
• Validate restored data against known-good state
• Monitor Cloud Run logs and application behavior for 48 hours post-recovery
• Confirm all rotated credentials are propagated to both staging and production
• Declare incident resolved only after monitoring period passes clean

5. Breach Notification

Notification Triggers

A notification obligation is triggered when a security incident involves unauthorized access to, or exposure of, personal data. The dataExposed field in the Problem Report form is the initial indicator.

Timelines

GDPR Art. 33

• Obligation: Notify supervisory authority
• Deadline: 72 hours from awareness
• Who is notified: Relevant EU data protection authority

GDPR Art. 34

• Obligation: Notify affected individuals
• Deadline: Without undue delay (high-risk breaches only)
• Who is notified: Affected data subjects

PIPEDA RORFN

• Obligation: Notify Privacy Commissioner and affected individuals
• Deadline: As soon as feasible
• Who is notified: Office of the Privacy Commissioner of Canada and affected individuals

Provincial (e.g., Alberta PIPA, Quebec Law 25)

• Obligation: Varies by province
• Deadline: Generally "as soon as feasible"
• Who is notified: Provincial commissioner and affected individuals

Notification Content

All breach notifications must include:

• Description of the incident and data involved
• Date or period of the breach
• Steps taken to contain and remediate
• Contact information for further inquiries
• Recommendations for affected individuals (e.g., password changes)

Decision Authority

The Incident Response Lead determines whether notification thresholds are met. For PIPEDA, the test is "real risk of significant harm." For GDPR, the test is "risk to the rights and freedoms of natural persons." When in doubt, notify.

6. Breach Register

All incidents (including those that do not trigger notification) are logged with:

• Date and time of detection
• Source (Problem Report form submission ID, automated alert, or direct report)
• Classification (category and severity)
• Data involved and number of affected individuals (if applicable)
• Containment and remediation actions taken
• Notification decisions and dates
• Post-incident review outcome

The breach register is maintained as a dedicated activity within the Bridgit platform, providing audit trail, versioning, and access control.

7. Post-Incident Review

Timeline: Within 2 weeks of incident closure.

Process:

1. Reconstruct incident timeline from logs, Problem Report submissions, and communication records
2. Identify root cause (using 5 Whys or equivalent)
3. Document what worked and what didn't in the response
4. Define corrective actions with owners and deadlines
5. Update this policy, platform code, or infrastructure configuration as needed
6. If the incident revealed a gap in the Problem Report form or detection capability, update accordingly

Corrective actions are tracked to completion. Systemic issues (e.g., missing access controls, inadequate logging) are prioritized for the next development cycle.

8. Communication

Internal

P1-P2: Immediate notification to all personnel with production access; status updates every 2 hours until contained.
P3: Notification within 4 hours; daily updates until resolved.
P4: Logged; included in next regular review.

External

Affected users/organizations: Notified per Section 5 timelines if personal data is involved.
Third-party vendors: Notified if the incident originated from or affects their integration (e.g., AI provider, Stripe).
Regulators: Notified per Section 5 timelines.
Public/media: No public disclosure unless legally required or strategically appropriate; all external statements approved by the Incident Response Lead.

9. Platform-Specific Considerations

Data Architecture

Bridgit stores user-generated data in activity_instances as JSONB. The content varies by template — it may include health data, legal information, financial calculations, or personal identifiers depending on what the organization has configured. Incident scoping must account for the polymorphic nature of this data.

Multi-Tenancy

Organizations are logically isolated via organization_id on all data tables. A cross-org data leak (where Org A sees Org B's data) is automatically P2 or higher.

AI Integrations

Prompts and responses sent to external AI providers (OpenAI, Anthropic, Google, Cohere) may contain user data from activity instances. A breach at any provider requires assessing what data was transmitted. AI usage is logged in ai_usage_logs.

Infrastructure

Cloud Run (API + Frontend)

• Location: GCP northamerica-northeast1 (Montreal)
• Access control: IAM roles; GitHub Actions deployment

Cloud SQL (PostgreSQL 15)

• Location: GCP northamerica-northeast1
• Access control: Authorized networks; SSL; GCP Secret Manager credentials

Redis

• Location: Container (production)
• Access control: Internal network only

GCS (file storage)

• Location: GCP
• Access control: IAM; signed URLs

Secrets

• Location: GCP Secret Manager
• Access control: IAM; not in source code

Encryption

• OAuth tokens: AES-256-GCM at rest (application-level, via ENCRYPTION_KEY)
• Database connections: SSL in production
• HTTPS enforced on all public endpoints
• JWT tokens blacklisted on logout via Redis

10. Policy Administration

• Version: 1.0
• Effective Date: April 28, 2026
• Last Review: April 28, 2026
• Next Review: April 28, 2027
• Owner: Incident Response Lead
• Review Frequency: Semi-annually, or after any P1/P2 incident
• Approved By: (signature / name / date)

This policy is maintained alongside the platform source code and is subject to version control. Changes require review and re-approval.