Incident Response
Effective Date: Dec 21st, 2024
At SpendShift, we take the security of your data and transactions seriously. This Incident Response Policy outlines how we detect, manage, and resolve security incidents to protect your information. It also explains how we communicate with customers during such events.
1. What Is an Incident?
A security incident is any event that compromises the confidentiality, integrity, or availability of SpendShift’s systems, services, or customer data. Examples include:
Unauthorized access to your account.
Data breaches affecting customer information.
Disruption of services due to malicious activity.
2. Goals of the Incident Response Policy
Our Incident Response Policy is designed to:
Detect and respond to incidents quickly.
Minimize the impact of incidents on our customers and operations.
Communicate transparently with affected parties.
Prevent future incidents by addressing root causes.
3. Incident Detection and Monitoring
SpendShift uses advanced monitoring tools and techniques to detect potential security incidents:
Real-Time Monitoring: We monitor our systems 24/7 for unusual activity.
Automated Alerts: Suspicious behavior, such as failed login attempts, triggers automated alerts for investigation.
Customer Reports: We encourage customers to report suspected security issues to contact@spendshift.io.
4. Incident Response Process
Our incident response process follows these steps:
Identification
Assess whether the event qualifies as a security incident.
Determine the scope, impact, and severity of the incident.
Containment
Isolate affected systems to prevent further harm.
Temporarily restrict access or halt certain services if necessary.
Notification
Notify affected customers and relevant stakeholders as soon as possible (within applicable regulatory timeframes).
Provide details about the incident, including what happened and immediate steps to take.
Investigation
Conduct a thorough investigation to identify the root cause.
Gather evidence and work with cybersecurity experts if needed.
Remediation
Fix vulnerabilities or weaknesses that caused the incident.
Restore services and data to normal operation.
Post-Incident Review
Document lessons learned and update our security policies to prevent similar incidents in the future.
Share key findings with customers, when appropriate.
5. Communication During an Incident
We believe in transparent communication. If your data or account is affected, we will:
Notify you via email or in-app alerts with details of the incident.
Provide instructions on securing your account and any steps you should take.
Share updates as new information becomes available.
6. Customer Responsibilities
To help protect your account and data, we recommend that you:
Use a strong, unique password for your SpendShift account.
Enable multi-factor authentication (MFA).
Monitor your account regularly for unauthorized transactions or activity.
Report any suspicious behavior to us immediately at contact@spendshift.io.
7. Regulatory Compliance
SpendShift complies with all applicable laws and regulations for incident reporting, including:
Notifying affected customers within required timeframes.
Reporting breaches to regulatory authorities when necessary.
8. Data Breach Notification Timeline
If a breach of personal or financial data occurs, we will:
Notify affected customers within 48 hours of confirming the breach.
Provide details about the type of data exposed and any potential risks.
Offer support, such as credit monitoring services, if applicable.
9. Testing and Improvement
To ensure effectiveness, we:
Conduct regular incident response drills and simulations.
Continuously update our policies based on new threats and best practices.
Audit our response processes to identify areas for improvement.
10. Reporting Security Incidents
If you suspect a security issue or incident, please report it to us immediately:
Email: contact@spendshift.io
In-App Support: Use the Help section in the SpendShift app.
We encourage responsible disclosure of vulnerabilities and provide guidelines for researchers on our Vulnerability Disclosure Program.
11. Updates to This Policy
We may update this Incident Response Policy periodically to reflect improvements or changes in regulatory requirements. Significant updates will be communicated to customers via email or app notifications.
12. Contact Us
For questions about this policy or to report an incident, contact us at:
Email: contact@spendshift.io