Incident Response Plan
Version 1.0 · Effective May 16, 2026
Owner: Ryan Hallee, Founder & CEO
Entity: Legacy-Loop Tech LLC · EIN 42-1834363 · Maine Charter 202609949DC
Review Cadence: Quarterly or upon material change
1. Purpose
This document defines how Legacy-Loop Tech LLC (“Legacy-Loop”) detects, contains, investigates, and reports security incidents affecting user data, platform integrity, or third-party data received through APIs including Meta Platform Data, Google OAuth profile data, payment processor data, and any other personally identifiable information (“PII”) processed by the platform.
This plan applies to all systems operated by Legacy-Loop, including:
- Production application at app.legacy-loop.com
- Marketing landing site at legacy-loop.com
- All sub-processors handling user data (Vercel, Turso, Cloudinary, Stripe)
- All authentication providers (Google OAuth, Facebook Login, email/password, magic link)
2. Definitions
Security Incident — Any unauthorized access, disclosure, alteration, destruction, or loss of user data, system integrity, or service availability. Includes confirmed or reasonably suspected events.
Personal Data — Any information that identifies or could identify an individual user, including email addresses, names, profile pictures, listing photos, IP addresses, payment information, and OAuth provider identifiers.
Platform Data — Data received from Meta Platform APIs (Facebook Login: email, public_profile fields including user ID, display name, profile picture).
Breach — A Security Incident that involves confirmed unauthorized acquisition, access, use, or disclosure of Personal Data.
3. Response Team
Legacy-Loop is a single-member LLC. The Founder & CEO serves as the Incident Response Lead. External vendors are engaged as needed.
| Role | Holder | Responsibilities |
|---|---|---|
| Incident Response Lead | Ryan Hallee, CEO | Decision authority, communication, escalation |
| Technical Lead (Engineering) | Ryan Hallee + contracted senior developers | Containment, forensics, remediation |
| Communications Lead | Ryan Hallee | User notifications, regulatory reporting, vendor coordination |
| Legal Counsel | Retained as needed | Regulatory compliance, disclosure obligations |
4. Detection Sources
Security incidents may be detected through any of the following:
- Automated alerts from Vercel deployment monitoring
- Error logs and runtime exceptions captured via Vercel logs
- Database anomaly alerts from Turso
- User-reported issues sent to support@legacy-loop.com
- Third-party security researcher disclosures
- Sub-processor breach notifications (Vercel, Turso, Cloudinary, Stripe)
- Suspicious authentication patterns observed in audit logs
5. Response Phases
Phase 1 — Detection & Triage (Within 1 Hour of Detection)
- Incident Response Lead acknowledges the alert or report
- Initial severity assessment performed using the severity matrix in Section 6
- Incident logged with timestamp, source, and initial scope notes
- Internal incident channel opened
Phase 2 — Containment (Within 4 Hours)
- Revoke all credentials potentially compromised: rotate affected API keys and OAuth client secrets; invalidate active user sessions (JWT signing key rotation if warranted); disable affected user accounts pending investigation
- Isolate affected systems where feasible
- Preserve logs and forensic evidence (Vercel logs, Turso query history, application server logs)
- Apply emergency patches to stop ongoing exploitation
Phase 3 — Investigation (Within 24 Hours)
- Determine scope of affected data and users
- Identify root cause (vulnerability, misconfiguration, credential compromise, third-party breach)
- Document timeline of events
- Assess regulatory disclosure obligations under applicable law
Phase 4 — Notification (Within 72 Hours)
4.1 — User Notification. Affected users receive direct email notification including: description of the incident; categories of data involved; date or date range of the incident; steps taken in response; recommended user actions (password reset, monitoring, etc.); contact for questions at support@legacy-loop.com.
4.2 — Regulatory Notification. Where legally required:
- GDPR (EU users): Notify supervisory authority within 72 hours per Article 33
- CCPA (California users): Notify Attorney General if 500+ California residents affected
- State breach laws: Notify in accordance with each applicable state law
4.3 — Platform Notification. If Meta Platform Data is involved: notify Meta via the Data Incident Reporting form within 72 hours, including incident scope, affected fields, and remediation status. If Google OAuth data is involved, notify Google via Google Developer Console security contact. If Stripe payment data is involved, notify Stripe per the Stripe Connected Account Agreement.
Phase 5 — Remediation & Recovery (Within 7 Days)
- Deploy permanent fix for root cause
- Verify fix with regression testing
- Restore normal operations
- Document lessons learned
Phase 6 — Post-Incident Review (Within 30 Days)
- Written post-mortem documenting: timeline, root cause, containment actions, affected users and data, remediation, process improvements identified
- Update Incident Response Plan based on lessons learned
- Update relevant code, documentation, or training materials
6. Severity Matrix
| Severity | Definition | Response Time | Examples |
|---|---|---|---|
| Critical | Confirmed breach of user PII or Platform Data affecting > 100 users | Immediate (< 1 hour) | Database exfiltration, mass credential leak |
| High | Confirmed breach affecting < 100 users OR critical service outage | < 4 hours | Single account takeover, API key leak |
| Medium | Suspected breach pending investigation OR partial service disruption | < 24 hours | Suspicious access pattern, individual user data exposure |
| Low | Vulnerability discovered but no evidence of exploitation | < 7 days | Code-level security finding, scanner alert |
7. User Right to Deletion (Independent of Incidents)
Users may request deletion of their data at any time via:
- Self-service: Account Settings → Delete Account
- Web form: legacy-loop.com/data-deletion
- Email: support@legacy-loop.com
Deletion is processed within 30 days. For Meta Platform Data specifically: Facebook OAuth-linked accounts can revoke access at any time via Facebook Settings → Apps and Websites. Legacy-Loop honors deletion requests received from Meta on behalf of users. Deletion includes purging Platform Data from production databases and any backups within 30 days.
8. Sub-Processor Incident Coordination
Legacy-Loop uses the following sub-processors. If any of them experience a security incident affecting Legacy-Loop user data, the Incident Response Lead will coordinate joint response and forward user notifications as required.
| Sub-Processor | Data Handled | Notification Contact |
|---|---|---|
| Vercel Inc. | Application hosting, request logs | security@vercel.com |
| Chiselstrike Inc. (Turso) | User account database (encrypted at rest) | Per Turso ToS |
| Cloudinary Ltd. | User-uploaded photos | security@cloudinary.com |
| Stripe Inc. | Payment processing | Per Stripe DPA |
Legacy-Loop reviews each sub-processor's security posture during onboarding and at least annually thereafter.
9. Communication Templates
9.1 — User Breach Notification (Template)
Subject: Important: Security Notice from Legacy-Loop
Dear [User Name],

On [Date], Legacy-Loop became aware of a security incident affecting [scope]. We are writing to inform you of what happened, what data was involved, and what we are doing about it.

What happened: [Brief description].
Data involved: [Specific data categories].
What we have done: [Actions taken].
What you should do: [Recommended user actions].
More information: support@legacy-loop.com.

We sincerely apologize for this incident and the concern it may cause.

— The Legacy-Loop Team
9.2 — Meta Platform Data Incident Report (Template)
App ID: 871910582591145
Business: Legacy-Loop Tech LLC
Incident Date: [Date]
Detection Date: [Date]
Affected Permissions: [email, public_profile, etc.]
Estimated Affected Users: [Number or “Under investigation”]
Root Cause: [Description]
Containment Status: [Actions taken]
Remediation Plan: [Next steps]
Contact: support@legacy-loop.com
10. Plan Maintenance
This Incident Response Plan is reviewed and updated:
- Quarterly by the Founder & CEO
- After any incident requiring activation
- When material changes occur to the platform, sub-processors, or applicable law
- At minimum, annually
Most recent review: May 16, 2026. Next scheduled review: August 16, 2026.
11. Acknowledgment
By operating Legacy-Loop Tech LLC, the Founder & CEO accepts responsibility for the maintenance and execution of this Incident Response Plan.
Signed: Ryan Hallee, Founder & CEO
Date: May 16, 2026
Entity: Legacy-Loop Tech LLC
Last updated: May 16, 2026