Every incident, on the record.

T+0 - Detection

Automated anomaly detection or external report triggers an internal alert. The on-call engineer has 5 minutes to acknowledge. An incident channel is opened immediately.

T+15 min - Customer notification

Affected customers are emailed within 15 minutes of a confirmed breach affecting their tokens or keys. The email includes: what happened, what data was exposed, what we've done, and what you should do. We do not wait until we have all the answers - we send what we know and update as we learn more.

T+15 min - Automatic token revocation

All tokens involved in the incident are automatically revoked at the moment the breach is confirmed - no manual step required. Customers can re-issue clean tokens from the dashboard immediately.

T+1 hr - Containment

The affected code path, credential, or access vector is isolated. Cloudflare Worker deployments can be rolled back to a known-good hash in under two minutes.

T+24 hr - Forensic investigation

We conduct a full forensic review: what data was accessed, by whom, for how long, and what the entry point was. We commit to publishing a post-mortem on this page within 72 hours of containment.

T+72 hr - Public post-mortem

A full post-mortem is published here. It includes the timeline, root cause, affected scope, mitigation taken, and what we're changing to prevent recurrence. We use the format: what happened, why it happened, how we found it, what we did, what we're changing.

Credit policy

Any customer whose tokens were compromised in a confirmed breach receives a full billing credit for the affected period. We will not charge for a month in which we failed to protect your keys.