← Trust Center

Incident Response & Breach Notification

How Inventifornia detects, contains, investigates, and notifies Customers of security incidents.

Last updated: June 23, 2026

1. Scope

This plan covers security incidents affecting Inventifornia production systems and Customer data hosted in the Service, including unauthorized access, data breach, service compromise, and credential exposure.

2. Breach notification commitment

If Inventifornia confirms a Security Incident that results in unauthorized access to, acquisition of, or disclosure of Customer Personal Information or Input Data, Inventifornia will:

  • Notify the Customer's designated administrator(s) within 72 hours of confirmation
  • Describe the nature of the incident, categories of data affected, and known scope
  • Describe remediation steps taken and recommended Customer actions
  • Provide updates as material facts become known

Notification is sent to the email address on the Customer's primary admin account and, when provided, a security contact address. Customers may designate a security contact at security@inventifornia.com.

3. Response phases

  1. Detection & triage — Automated alerts (failed login spikes, permission probes), customer reports, and internal monitoring. Severity classified as low / medium / high / critical.
  2. Containment — Isolate affected systems, revoke compromised credentials, block malicious IPs, rotate secrets if warranted.
  3. Investigation — Determine root cause, timeline, data categories affected, and tenants impacted. Preserve audit logs and relevant evidence.
  4. Remediation — Patch vulnerabilities, force session invalidation (`authEpoch` bump), restore from backup if needed.
  5. Notification — Customer notice per Section 2; regulatory notice if Inventifornia is legally required as controller.
  6. Post-incident review — Document lessons learned and implement preventive controls within 30 days for high/critical incidents.

4. Customer responsibilities

  • Maintain unique user accounts; do not share credentials
  • Report suspected incidents to security@inventifornia.com promptly
  • Cooperate with investigation (provide logs, confirm affected users)
  • Do not submit Prohibited Data per the Operational Data Boundary

5. Vulnerability disclosure

Security researchers may report vulnerabilities privately per SECURITY.md. We acknowledge reports within 3 business days and aim to remediate critical issues within 30 days.

Trust CenterTerms & ConditionsPrivacy PolicyCookie PolicyAcceptable Use PolicyOperational Data BoundaryData Processing Addendum