Incident Response Policy

How we detect, respond to, and recover from security incidents

SafeClass Shield · Last Updated: June 1, 2026

Frameworks: SOC 2 CC7 · ISO 27001 A.5.26 · FERPA 34 CFR 99 · GDPR Art. 33-34
This Incident Response Policy defines how SafeClass Shield detects, responds to, investigates, and recovers from security incidents — including data breaches, system compromises, and violations of this policy. Our goal is to minimize harm, preserve evidence, and restore trust.

1. Scope

This policy applies to all security incidents affecting SafeClass Shield systems, data, or operations, including:

  • Unauthorized access to systems or data
  • Personal data breaches (accidental or intentional)
  • Ransomware, malware, or denial-of-service attacks
  • Insider threats or misuse of access
  • Loss or theft of physical devices containing data
  • Compromise of third-party sub-processors affecting our data
  • Detection of CSAM or illegal content
  • Vulnerability exploitation in production systems

2. Incident Severity Levels

P1 — Critical
Response: 1 hour · Notify: 24 hours

Confirmed data breach · Ransomware · CSAM detection · Mass account compromise

P2 — High
Response: 4 hours · Notify: 48 hours

Suspected breach · Service unavailability > 1hr · Targeted attack · PII exposure

P3 — Medium
Response: 24 hours · Notify: 72 hours

Single account compromise · Failed intrusion attempt · Abnormal access patterns

P4 — Low
Response: 72 hours · Notify: As applicable

Policy violation by staff · Minor configuration issue · Low-risk vulnerability found

3. Incident Response Team

The Incident Response Team (IRT) consists of:

Incident Commander
Leads response — escalates to CEO for P1/P2
Security Engineer
Technical investigation and containment
Data Protection Officer
Regulatory notifications and FERPA/GDPR compliance
Legal Counsel
Preservation obligations, regulatory guidance
Communications Lead
Customer, partner, and public communications
Engineering Lead
System recovery and remediation

4. Response Phases

Phase 1 — Identification

  • Alert triggered by monitoring system, employee report, or third-party notification
  • On-call engineer confirms the alert is a genuine incident (not a false positive)
  • Incident ticket created with initial severity classification
  • Incident Commander notified and IRT assembled based on severity

Phase 2 — Containment

  • Immediate containment: isolate affected systems at the network level and revoke compromised credentials. Do not power off, reimage, or wipe a system before it has been snapshotted; that destroys volatile evidence (memory, active sessions, running processes).
  • Evidence preservation: take forensic snapshots of affected systems before any remediation change is applied
  • Short-term containment: apply patches and block the attack vectors identified so far, only after evidence has been preserved
  • Block lateral movement: audit and restrict access across the environment, including service accounts and tokens that the compromised identities could reach

Phase 3 — Investigation

  • Root cause analysis: trace attack chain from initial vector to full impact
  • Scope assessment: identify all affected systems, data categories, and individuals
  • Timeline reconstruction: document exact sequence of events with timestamps
  • Impact assessment: quantify records affected and determine notification obligations

Phase 4 — Notification

  • P1/P2: Notify affected schools and parents within 24 hours of a confirmed breach
  • GDPR: Notify the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals (if EU data is affected); document the reasons for any delay
  • FERPA: Notify affected educational institutions within 24 hours of a confirmed breach. This 24-hour window is our policy and contractual commitment; FERPA itself sets no notification deadline.
  • Law enforcement: notify the FBI for criminal incidents; report apparent CSAM to the NCMEC CyberTipline as required by 18 U.S.C. § 2258A
  • Regulatory: file required reports with the FTC, state AGs, and sector regulators

Phase 5 — Recovery

  • Restore systems from clean backups after confirming threat elimination
  • Enhanced monitoring deployed for 30 days post-incident
  • Credential rotation for all affected accounts
  • Third-party penetration test ordered within 60 days

Phase 6 — Post-Incident Review

  • Lessons learned meeting within 14 days of incident closure
  • Incident report prepared documenting root cause, impact, and remediation
  • Policy and control updates implemented based on findings
  • Board/executive briefing for all P1 incidents

5. Notification Templates and Timelines

Recipient | Timeline | Channel | Legal basis
--- | --- | --- | ---
Affected parents/users | 24 hours (P1/P2) | Email + in-app notification | Contractual / state laws
Affected schools | 24 hours from confirmed breach | Direct email to IT contact | Contractual; FERPA 34 CFR 99 (FERPA sets no statutory deadline)
EU data supervisory authority | 72 hours of becoming aware | Regulatory portal / email | GDPR Art. 33
EU data subjects | Without undue delay (where the breach is likely to result in high risk to individuals) | Email | GDPR Art. 34
FBI / law enforcement | Immediately for criminal acts | Direct report | Federal law
NCMEC CyberTipline | Immediately for CSAM | cybertipline.org | 18 U.S.C. § 2258A
State AGs | Per applicable state breach law (deadlines and AG-notification thresholds vary by state) | Regulatory filing | State breach laws
Insurance provider | Within 48 hours (P1/P2) | Phone + email | Policy requirement

6. Evidence Preservation

  • Forensic snapshots of all affected systems must be taken before any remediation
  • Logs must be exported and stored in a tamper-evident format
  • Chain of custody documentation is required for all evidence collected
  • Evidence must be retained for a minimum of 3 years or until all related legal proceedings conclude, whichever is later
  • Physical media must be stored in a locked, access-controlled location
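The following script is an added example of what "tamper-evident format" and "chain of custody" can look like in practice; it is not part of this policy or SafeClass Shield's tooling. It hashes each exported evidence file with SHA-256, links the entries into a hash chain, and seals the manifest with an HMAC under a custody key. The custody key name, incident ID, collector name, and the two sample log lines are all constructed for the example; in real use the custody key would be held by the IRT, not by the collecting engineer alone.

```python
"""Tamper-evident evidence manifest with a chain-of-custody seal (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # starting value for the hash chain over manifest entries


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so the HMAC is reproducible regardless of key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: str, collector: str, incident_id: str, custody_key: bytes) -> dict:
    """Hash every file in evidence_dir, chain the hashes, and seal the result with an HMAC."""
    entries, chain = [], GENESIS
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        # Each chain value commits to the previous one, so reordering or dropping an entry breaks it.
        chain = hashlib.sha256((chain + digest).encode()).hexdigest()
        entries.append({"file": name, "sha256": digest, "size": os.path.getsize(path), "chain": chain})
    manifest = {
        "incident_id": incident_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        "chain_head": chain,
    }
    # Custody seal: HMAC over the whole manifest under a key the collector does not control alone.
    manifest["custody_tag"] = hmac.new(custody_key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(evidence_dir: str, manifest: dict, custody_key: bytes) -> list:
    """Return a list of problems; an empty list means files and manifest are intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "custody_tag"}
    expected = hmac.new(custody_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("custody_tag", "")):
        problems.append("custody tag mismatch: manifest altered or wrong key")
    chain = GENESIS
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.isfile(path):
            problems.append(f"missing: {e['file']}")
            continue
        if sha256_file(path) != e["sha256"]:
            problems.append(f"modified: {e['file']}")
        chain = hashlib.sha256((chain + e["sha256"]).encode()).hexdigest()
        if chain != e["chain"]:
            problems.append(f"chain break at {e['file']}")
    if chain != manifest["chain_head"]:
        problems.append("chain head mismatch")
    return problems


def demo() -> tuple:
    """Constructed scenario: seal two log exports, then tamper with a file and with the manifest."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "app.log"), "w") as f:  # constructed sample log line
        f.write("2026-06-01T02:15:30Z app: export of 1200 student records by user svc-report\n")
    with open(os.path.join(d, "auth.log"), "w") as f:  # constructed sample log line
        f.write("2026-06-01T02:14:07Z sshd[412]: Failed password for admin from 203.0.113.5\n")
    key = b"irt-custody-key-example"  # hypothetical; real key lives with the IRT
    manifest = build_manifest(d, "oncall-engineer", "INC-2026-0001", key)
    clean = verify_manifest(d, manifest, key)
    # Case 1: a line is appended to a log after collection.
    with open(os.path.join(d, "app.log"), "a") as f:
        f.write("2026-06-01T02:16:00Z app: line added after collection\n")
    file_tampered = verify_manifest(d, manifest, key)
    # Case 2: the tamperer also rewrites the manifest hash to match the altered file.
    forged = json.loads(json.dumps(manifest))
    forged["entries"][0]["sha256"] = sha256_file(os.path.join(d, "app.log"))
    manifest_tampered = verify_manifest(d, forged, key)
    return clean, file_tampered, manifest_tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "file tampered", "manifest tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The point of sealing the manifest, rather than only hashing files, is the second tampering case: an attacker who alters a log and updates its hash in the manifest is still caught, because the custody tag no longer verifies and the chain breaks from the altered entry onward. Store the manifest and the custody key separately from the evidence, and record each hand-off (who, when, why) as a new entry in the custody log.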

7. Reporting an Incident

If you discover or suspect a security incident, report it immediately. Do not attempt to investigate or contain it yourself.
Emergency Security Hotline
security@safeclassshield.com
Monitored 24/7
General Support
support@safeclassshield.com
Business hours
Data Protection Officer
dpo@safeclassshield.com
48hr response

8. Testing and Review

  • This policy is reviewed and updated annually by the DPO and CISO
  • Tabletop incident response exercises are conducted bi-annually
  • Penetration tests are conducted annually to validate detection and response capabilities
  • All employees complete incident response awareness training annually
  • Post-incident reviews feed back into policy updates within 30 days