Legal / Compliance

Incident response.

How Hydrate detects, contains, and learns from security incidents. Covers the full response lifecycle from detection through post-incident review.

Version 1.0 · Effective: 2026-04-24 · Next review: 2027-04-24 · Owner: Seamus Waldron · Covers: SOC2 CC7, GDPR Art.33/34

Scope

This plan applies to any security incident affecting Hydrate products: the hydrate-server binary, hook binaries, cloud licensing service, gethydrate.dev, and the Mac Mini production infrastructure. It covers all tiers: Free, Pro, and Enterprise.

Severity classification

Severity	Definition	Examples
P1 Critical	Active data breach, confirmed unauthorised access to user data, ransomware	DB exfiltration, compromised signing key, supply-chain compromise
P2 High	Suspected breach, significant service disruption, credential leak in codebase	Leaked API key in public repo, hydrate-server crash loop in production
P3 Medium	Vulnerability discovered, no confirmed exploitation	CVE in dependency, config misconfiguration caught in audit
P4 Low	Security policy violation, near-miss, requires tracking	Debug log with PII, weak default in non-critical path

Detection sources

Response procedure

Contain

Target: within 1 hour of detection for P1/P2

Identify the affected system and isolate if possible
Compromised signing key or API credential: rotate immediately; revoke all previously signed artefacts if key is confirmed leaked
Active breach of production infrastructure: take the affected service offline; restore from backup when clean
Do not delete logs or artefacts; preserve evidence

Responsible: Seamus Waldron (primary), David Bosdet (backup)

Assess

Target: within 4 hours for P1/P2

Determine: what data was accessed or exfiltrated, which users are affected, when the incident began
Classify severity using the table above
Document findings in the incident log (private GitHub issue or shared doc)

Notify

Internal immediately; users within 24h; ICO within 72h if GDPR applies

Internal: Seamus and David informed immediately on P1/P2 discovery.

Users: For P1/P2 incidents where user data is confirmed or likely affected, notify affected users by email within 24 hours of confirmation.

User notification template

Subject: Security notice from Hydrate

We are writing to inform you of a security incident that may have affected your Hydrate data. [Brief description of what happened, what data was involved, what we have done.] We recommend [specific action]. Contact [email protected] with questions.

Regulatory (GDPR Art.33): If the incident involves personal data of EU/UK residents, notify the relevant supervisory authority (ICO for UK; lead SA for EU users) within 72 hours of becoming aware. Notification is not required if the breach is unlikely to result in risk to individuals.

Remediate

Apply fix: patch, revoke credential, rotate key, remove compromised binary from release
Re-run full test suite and govulncheck before re-deployment
Verify the fix closes the attack vector

Post-incident review

Within 2 weeks of resolution

Document: timeline, root cause, what was missed, what worked
Identify one or more process improvements
Update this plan if the response procedure was inadequate

Contact list

Role	Name	Contact
Primary responder	Seamus Waldron	[email protected]
Secondary responder	David Bosdet	[email protected]
Security disclosure	N/A	[email protected]
ICO (UK data breach reporting)	N/A	[email protected]

Incident log

Incidents are recorded as private GitHub issues in the sedasoft organisation under the label security-incident. Each issue captures: date detected, severity, timeline, affected data, actions taken, resolution, and post-incident findings. Retained for 3 years.