Incident Response

VaultPDF incident response procedures, severity levels, and customer notification timelines for CISO and operations teams.

Last updated: 2026-05-31. Version: 1.0.

This document defines the incident response procedure for security incidents affecting VaultPDF-operated infrastructure (Licensing API, eSign Portal) and provides guidance for customers responding to incidents in their own deployments.

Scope

Scope	Responsible party
Incident in VaultPDF Licensing API or eSign Portal	VaultPDF security team
Incident in customer's Azure deployment (Isolated Azure Functions, Azure Blob Storage, Azure Key Vault)	Customer's security and ops team
Incident in customer's Microsoft 365 tenant (SharePoint)	Customer's Microsoft 365 admin and Microsoft

Customer Data Is Not at Risk from VaultPDF Infrastructure Incidents

Because customer document data is stored in the customer's own Azure subscription, a compromise of VaultPDF-operated infrastructure does not expose customer document content. The highest-impact data that could be affected by a VaultPDF infrastructure incident is license keys (revocable by VaultPDF) and HMAC portal tokens (short-lived, 4-hour TTL; expire automatically).

Severity Levels

Severity	Definition	Response SLA
P1 - Critical	Confirmed data breach; service unavailable; active exploitation	Acknowledge within 1 hour; status update every 2 hours; customer notification within 24 hours
P2 - High	Suspected breach; partial service degradation; credential exposure	Acknowledge within 4 hours; status update every 4 hours; customer notification within 48 hours
P3 - Medium	Security advisory; no confirmed breach; performance degradation	Acknowledge within 1 business day; resolution within 5 business days
P4 - Low	Security hardening recommendations; minor issues	Addressed in next scheduled release

Incident Response Process

flowchart TD
    A(["🚨 Incident Detected<br/>(monitoring alert or external report)"])
    --> B["Phase 1 — Detection & Triage<br/>0–2 hours<br/>Acknowledge · assess scope · escalate"]
    B --> SEV{"Severity<br/>Assessment"}

    SEV -->|"Confirmed breach or service unavailable"| P1["P1 — Critical<br/>Acknowledge within 1 hour<br/>Customer notification within 24 hours"]
    SEV -->|"Suspected breach or partial degradation"| P2["P2 — High<br/>Acknowledge within 4 hours<br/>Customer notification within 48 hours"]
    SEV -->|"Advisory / minor or hardening item"| P34["P3/P4 — Medium/Low<br/>Acknowledge within 1 business day"]

    P1 --> C["Phase 2 — Containment<br/>2–8 hours<br/>Revoke keys · rotate secrets<br/>Preserve forensic evidence<br/>Identify scope"]
    P2 --> C

    C --> D["Phase 3 — Customer Notification<br/>GDPR breach: within 72 hours<br/>License key exposure: within 48 hours<br/>Service disruption &gt; 4 hours: within 2 hours<br/>Advisory: within 5 business days"]
    D --> E["Phase 4 — Recovery<br/>Deploy patched services<br/>Rotate all affected secrets<br/>Verify smoke tests pass<br/>Lift rate limits / lockdowns"]
    E --> F["Phase 5 — Post-Incident Review<br/>RCA within 5 business days<br/>Share summary with affected customers<br/>Update controls + GDPR DPA docs<br/>Track improvements in audit backlog"]

    P34 --> F

Phase 1 - Detection and Triage (0-2 hours)

Alert received via monitoring (Azure Monitor, App Insights anomaly detection) or external report.
On-call engineer acknowledges alert in incident tracker.
Initial severity assessment: is there evidence of data exfiltration? Is service available?
Escalate to Security Lead if P1 or P2.
Open incident channel; notify management.

Phase 2 - Containment (2-8 hours)

Isolate affected components (revoke keys, rotate secrets, disable endpoints as appropriate).
Preserve forensic evidence: export logs, take snapshots before any remediation.
Identify scope: which license keys or tenant IDs were exposed?
If portal token signing key is suspected compromised: rotate HKDF_ROOT_KEY; all active portal sessions are invalidated.
If Licensing API database is suspected compromised: rotate all affected license keys; notify affected customers.

Phase 3 - Customer Notification

Trigger	Notification deadline	Channel
GDPR - personal data breach (EU customers)	72 hours from awareness	Email to DPA contact and [email protected] advisory
License key exposure	Within 48 hours	Email to registered admin contact
Service disruption > 4 hours	Within 2 hours of declaration	Status page and email
Security advisory (no breach)	Within 5 business days	Security advisory email

Customer notification will include:

What happened (description of the incident)
When it happened (timeline with UTC timestamps)
What data was affected (scope)
What we have done (containment actions)
What customers must do (any required customer action)
How to contact us for further information

Phase 4 - Recovery

Deploy patched services to production.
Verify all affected keys and secrets have been rotated.
Confirm service is operating normally via smoke tests.
Lift any rate limits or lockdowns imposed during containment.

Phase 5 - Post-Incident Review

Root cause analysis (RCA) completed within 5 business days.
RCA summary shared with affected customers on request.
Control improvements tracked as audit items; shipped in the next planned release.
GDPR DPA documentation updated if required.

Reporting a Security Issue

To report a suspected security issue with VaultPDF-operated infrastructure:

Security incidents - [email protected]
Enterprise procurement - [email protected]
DPA and privacy requests - [email protected]

Customer Deployment Incidents

If you suspect an incident within your own Azure subscription (your Isolated Azure Functions, Azure Key Vault, or Azure Blob Storage), follow your organisation's incident response procedures and Microsoft's contractual obligations under your Microsoft Customer Agreement.

Report a Security Issue

Contact our security team to report a suspected vulnerability or security incident.

Security Inquiries Back to Trust Center

Incident Response

Report a Security Issue

On this page