Security Incident Response Policy
This Security Incident Response Policy describes how NumiSync ("we", "us") identifies, responds to, and communicates security incidents that may affect the personal data of our merchants or their customers.
1. Purpose
The purpose of this policy is to ensure that NumiSync responds to security incidents in a timely, organized, and effective manner that minimizes harm to affected parties and meets our obligations under applicable privacy law, including notification requirements under GDPR and applicable US state privacy laws.
2. What Constitutes a Security Incident
A security incident is any event that results in or may result in:
- Unauthorized access to personal data stored in NumiSync systems
- Accidental or unlawful destruction, loss, alteration, or disclosure of personal data
- A breach of our database, application, or infrastructure systems
- Unauthorized access to merchant accounts or API credentials
- Exposure of data through misconfiguration, vulnerability, or third-party provider incident
3. Response Timeline
Detection & Containment
Upon becoming aware of a potential incident, immediately assess its scope and contain the threat. Revoke compromised credentials and API keys, restrict access as needed, and preserve logs and other evidence (before they rotate or expire) for investigation. Record the time the incident was first detected, since notification deadlines below run from that point.
Initial Assessment
Determine whether personal data was accessed or exposed. Identify which merchants and/or end customers may be affected. Document the nature and scope of the incident.
Merchant Notification
Notify all affected merchants by email without undue delay, and in any event within 72 hours of becoming aware of the incident. Because merchants may have their own notification obligations for their customers' data, we do not wait for the investigation to finish: the initial notice states what is known at the time and is updated as facts are confirmed. Notification will include: nature of the incident, categories and approximate number of records affected, likely consequences, and steps being taken to address it.
Regulatory Notification
Where required by applicable law (including GDPR Article 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where NumiSync processes personal data on a merchant's behalf, we also provide the merchant with the information it needs to make its own regulatory notification on time.
Remediation & Review
Implement fixes to address the root cause. Conduct a post-incident review to identify process improvements. Update security measures as needed. Provide follow-up communications to affected merchants as new information becomes available.
4. Notification Content
Merchant notifications will include, to the extent known at the time:
- A description of the nature of the incident
- The categories of personal data involved
- The approximate number of records affected
- The likely consequences of the incident
- Steps NumiSync has taken or proposes to take to address the incident
- Contact information for questions
5. Preventive Measures
NumiSync maintains the following security controls to reduce the risk of incidents:
- Encryption in transit — all data transmitted over HTTPS/TLS
- Encryption at rest — all data encrypted by Supabase's database layer
- Row-level security — database policies, enforced by the database itself rather than by application code, ensure merchants can only access their own data
- Automated backups — Supabase automated daily backups with point-in-time recovery
- Access control — administrative access limited to authorized personnel only
- Dependency monitoring — regular review of third-party dependencies for known vulnerabilities
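The row-level security control above is the one most easily undermined by a quiet misconfiguration, so the following illustrates the weak and hardened forms side by side. This is an added example, not NumiSync's own schema or policies: the table name `public.orders`, its `merchant_id` column, and the test UUID are assumptions. It uses the Supabase/PostgREST conventions `auth.uid()` and the `request.headers` and `request.jwt.claims` settings.

```sql
-- Added illustration (not NumiSync's schema). Assumes a Supabase Postgres table
-- public.orders whose merchant_id column holds the owning merchant's auth user id.
create table if not exists public.orders (
  id            uuid primary key default gen_random_uuid(),
  merchant_id   uuid not null references auth.users (id),
  customer_email text,
  total_cents   integer not null
);

-- WEAK (shown only as the "before" state; do not ship either line):
-- 1. A policy has no effect until RLS is enabled on the table, so a policy
--    created without the ALTER TABLE below silently protects nothing.
-- 2. Scoping on a client-supplied header lets any caller pick a merchant.
-- create policy orders_by_header on public.orders
--   using (merchant_id = (current_setting('request.headers', true)::json->>'x-merchant-id')::uuid);

-- HARDENED: enable RLS, force it even for the table owner, and scope every
-- operation to auth.uid(), which Supabase derives from the verified JWT and
-- which the client cannot set directly.
alter table public.orders enable row level security;
alter table public.orders force row level security;

drop policy if exists orders_merchant_isolation on public.orders;
create policy orders_merchant_isolation on public.orders
  for all
  to authenticated
  using      (merchant_id = (select auth.uid()))   -- rows a merchant may read/update/delete
  with check (merchant_id = (select auth.uid()));  -- rows a merchant may insert or update into

-- No policy is granted to the anon role, so unauthenticated requests see zero rows.

-- Verification from psql: impersonate an authenticated merchant for one
-- transaction and confirm only that merchant's rows are visible. The UUID is a
-- placeholder; substitute a real auth.users id from a test project.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                  true);
select count(*) from public.orders;                       -- only this merchant's rows
select count(*) from public.orders
 where merchant_id <> '00000000-0000-0000-0000-000000000001'::uuid;  -- expect 0
rollback;
```

Two caveats a reviewer should check alongside the policy: the Supabase `service_role` key bypasses RLS entirely, so it belongs only in server-side code and must never be shipped to a browser or shared with a merchant (a leak of that key is exactly the "unauthorized access to API credentials" case in section 2); and any new table added later starts with RLS disabled, so enabling it should be part of the migration checklist rather than something remembered afterwards.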
6. Reporting a Security Concern
If you believe you have discovered a security vulnerability in NumiSync, please report it responsibly to ethan@numisync.app. We will acknowledge receipt within 24 hours and work to address confirmed vulnerabilities promptly.
Please do not publicly disclose potential vulnerabilities before we have had an opportunity to investigate and respond.
7. Policy Review
This policy will be reviewed at least annually and updated as necessary to reflect changes in our systems, applicable law, or industry best practices.