Incident Response Policy

Effective Date: April 18, 2026

Buji Development Corporation, doing business as Agent Midas, maintains this Incident Response Policy to ensure rapid and effective response to security incidents affecting the Agent Midas platform and its subscribers' data.

This policy supplements the security measures described in our Terms of Service (Section 6), Privacy Policy (Section 4), and Data Processing Addendum (Section 7). In the event of a conflict, the most protective provision prevails.

1. Scope

This policy applies to all systems, infrastructure, personnel, and third-party services involved in the operation of the Agent Midas platform, including production servers (Atlanta), development servers (San Francisco), utility servers (Toronto), GPU inference servers, Supabase database infrastructure, Cloudflare CDN/WAF, and all sub-processors listed in our Data Processing Addendum.

2. Incident Classification

2.1 Severity Levels

P0 — Critical: Active data breach, unauthorized access to subscriber data, ransomware, complete service outage affecting all subscribers. Response: immediate (within 15 minutes).

P1 — High: Suspected breach, partial service outage, vulnerability being actively exploited, compromise of a sub-processor. Response: within 1 hour.

P2 — Medium: Security vulnerability discovered but not exploited, failed intrusion attempt detected, single-subscriber data anomaly. Response: within 4 hours.

P3 — Low: Minor security advisory, phishing attempt against personnel, non-critical configuration issue. Response: within 24 hours.

3. Incident Response Team

Incident Commander: Tom McMurrain, Founder & CEO — ultimate authority for all incident decisions, external communications, and regulatory notifications.

Technical Lead: C4 (Gatekeeper) — server access, infrastructure response, evidence preservation, and system restoration.

Communications Lead: Incident Commander or designee — subscriber notifications, regulatory filings, and public statements.

All personnel are bound by confidentiality obligations as specified in our Data Processing Addendum, Section 4.3.

4. Response Procedures

4.1 Detection and Identification

Agent Midas employs multiple detection mechanisms: Cloudflare WAF and DDoS protection, SENTINEL-PAY eight-signal fraud detection engine, SENTINEL-AI (DeepSeek R1) behavioral fraud scoring, Supabase row-level security audit logging, PM2 process monitoring, and application-level error tracking. All anomalies are logged with timestamps, source IPs (hashed for privacy), affected subscriber IDs, and system state.
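The policy above states that logged source IPs are "hashed for privacy" but does not say how. The hash algorithm matters: an unkeyed hash of an IPv4 address is not a pseudonym, because the whole address space is only 2^32 values and can be enumerated and matched against the log. The following is an added illustration, not code from the Agent Midas platform, and it assumes SHA-256 as the unkeyed hash and HMAC-SHA256 with a secret key held outside the log store as the alternative. The event record is constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed anomaly record with the fields 4.1 lists (timestamp, source IP,
# subscriber ID, system state). Not real platform data; the IP is an
# RFC 5737 documentation address.
SAMPLE_EVENT = {
    "ts": "2026-04-18T14:02:11Z",
    "src_ip": "203.0.113.42",
    "subscriber_id": "sub_0001",
    "state": "auth_failed_x5",
}


def plain_hash_ip(ip: str) -> str:
    """Unkeyed SHA-256 of the dotted-quad string: the weak variant."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_hash_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA256 over the packed address. Without the key the digest cannot
    be matched against an enumeration of candidate addresses, but events from
    the same IP still share a digest, so correlation during an investigation
    is preserved."""
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()


def reverse_plain_hash(digest: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by brute force over a
    candidate network. A /24 takes milliseconds; the full IPv4 space is
    minutes of CPU, which is why the unkeyed variant is not pseudonymization."""
    for addr in ipaddress.ip_network(network).hosts():
        if plain_hash_ip(str(addr)) == digest:
            return str(addr)
    return None


def pseudonymize_event(event: dict, key: bytes) -> dict:
    """Return a copy of the event with the source IP replaced by its keyed hash.
    The key is a hypothetical per-deployment secret, rotated on a schedule and
    never written alongside the logs."""
    out = dict(event)
    out["src_ip"] = keyed_hash_ip(event["src_ip"], key)
    return out


if __name__ == "__main__":
    key = b"example-log-pseudonymization-key"  # placeholder; use a managed secret
    weak = plain_hash_ip(SAMPLE_EVENT["src_ip"])
    print("unkeyed hash recovered as:", reverse_plain_hash(weak, "203.0.113.0/24"))
    strong = keyed_hash_ip(SAMPLE_EVENT["src_ip"], key)
    print("keyed hash recovered as:", reverse_plain_hash(strong, "203.0.113.0/24"))
    print(pseudonymize_event(SAMPLE_EVENT, key))
```

The check a reviewer of the logging pipeline would want is the one `reverse_plain_hash` performs: if a stored IP digest can be matched by enumerating a plausible address range, the field is not protected and the containment and notification obligations in Sections 4.2 and 5 would apply to it as personal data.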

4.2 Containment

Upon confirmation of a P0 or P1 incident, the Incident Commander authorizes immediate containment: isolate affected systems from the network, revoke compromised credentials, block malicious IP ranges at the Cloudflare WAF layer, suspend affected subscriber sessions, and preserve forensic evidence (system logs, database snapshots, network captures) before any remediation.

4.3 Eradication and Recovery

The Technical Lead identifies the root cause, removes the threat vector, patches the vulnerability, and restores affected systems from verified clean backups. All changes are documented. Systems are verified clean before restoration to production. Subscriber data integrity is confirmed through database checksums.
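Section 4.3 confirms subscriber data integrity "through database checksums" after restoring from backup. For that check to mean anything, the baseline must be the snapshot preserved as evidence under 4.2 before remediation, and the checksum must be order-independent and canonical so that an unchanged table always produces the same value. The following added example, which is not code from the Agent Midas platform, shows one way to do this over rows exported from any table: a per-row digest over canonical JSON, a table-level checksum over the sorted row digests, and a diff that names missing, extra and modified rows by primary key. The two tables are constructed for the example.

```python
import hashlib
import json
from typing import Dict, Iterable, List

Row = Dict[str, object]

# Constructed sample tables. SNAPSHOT stands for the pre-incident copy preserved
# under 4.2; RESTORED stands for the table as restored from backup under 4.3.
# Not real subscriber data.
SNAPSHOT: List[Row] = [
    {"id": 1, "email": "a@example.com", "plan": "pro", "credits": 120},
    {"id": 2, "email": "b@example.com", "plan": "free", "credits": 0},
    {"id": 3, "email": "c@example.com", "plan": "pro", "credits": 40},
]
RESTORED: List[Row] = [
    {"id": 1, "email": "a@example.com", "plan": "pro", "credits": 120},
    {"id": 2, "email": "b@example.com", "plan": "pro", "credits": 0},   # plan changed
    # id 3 absent from the restore
    {"id": 4, "email": "d@example.com", "plan": "free", "credits": 0},  # row not in snapshot
]


def row_digest(row: Row) -> str:
    """SHA-256 over canonical JSON (sorted keys, fixed separators) so that two
    rows with the same content hash equal regardless of column order."""
    canon = json.dumps(row, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canon.encode()).hexdigest()


def table_digests(rows: Iterable[Row], key: str = "id") -> Dict[object, str]:
    """Map primary key -> row digest."""
    return {r[key]: row_digest(r) for r in rows}


def table_checksum(rows: Iterable[Row], key: str = "id") -> str:
    """Order-independent table checksum: hash of 'key:digest' lines sorted by key.
    Row order from a backup restore is not guaranteed, so sorting is required."""
    digests = table_digests(rows, key)
    h = hashlib.sha256()
    for k in sorted(digests, key=str):
        h.update(f"{k}:{digests[k]}\n".encode())
    return h.hexdigest()


def diff_tables(snapshot: Iterable[Row], restored: Iterable[Row],
                key: str = "id") -> Dict[str, List[object]]:
    """Name the rows that explain a checksum mismatch, for the data impact
    assessment in the post-incident review."""
    a, b = table_digests(snapshot, key), table_digests(restored, key)
    return {
        "missing": sorted(k for k in a if k not in b),
        "extra": sorted(k for k in b if k not in a),
        "modified": sorted(k for k in a if k in b and a[k] != b[k]),
    }


if __name__ == "__main__":
    print("snapshot :", table_checksum(SNAPSHOT))
    print("restored :", table_checksum(RESTORED))
    print("diff     :", diff_tables(SNAPSHOT, RESTORED))
```

A matching table-level checksum is the fast path; on a mismatch, `diff_tables` turns the failure into the list of affected subscriber rows, which is what Sections 4.4 and 5.1 need in order to scope the data impact and decide who must be notified.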

4.4 Post-Incident Review

Within 72 hours of incident resolution, the team conducts a post-incident review documenting: timeline of events, root cause analysis, effectiveness of response, data impact assessment, corrective actions taken, and preventive measures implemented. This report is retained for a minimum of three years.

5. Notification Obligations

5.1 Subscriber Notification

In accordance with our Data Processing Addendum (Section 7), affected subscribers are notified without undue delay, and in any event within 72 hours of confirming a personal data breach. Notification includes: nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.

5.2 Regulatory Notification

Where required by GDPR (Article 33), CCPA/CPRA, or other applicable data protection laws, the Company files notifications with the relevant supervisory authorities within the legally mandated timeframes. For GDPR-covered data subjects, notification to the supervisory authority occurs within 72 hours of becoming aware of the breach.

5.3 Law Enforcement

Where the incident involves suspected criminal activity, the Company cooperates with appropriate law enforcement authorities as described in our Acceptable Use Policy (Section 8.5) and Privacy Policy (Section 5.2).

6. Data Protection During Incidents

All incident response activities adhere to the data protection standards specified in our Terms of Service (Section 6): data encrypted in transit via TLS 1.2+, encrypted at rest via AES-256, row-level security maintained throughout, and no subscriber data is exposed to unauthorized personnel during investigation. Forensic analysis is performed on isolated copies, never on production data.

7. Third-Party Sub-Processor Incidents

If a security incident originates from or affects a sub-processor listed in our Data Processing Addendum (Section 5.2), the Company activates its response procedures and coordinates with the affected sub-processor. The Company remains fully liable for sub-processor incidents as specified in DPA Section 5.4. Affected subscribers are notified regardless of whether the incident originated internally or at a sub-processor.

8. Annual Review

This Incident Response Policy is reviewed and updated annually, or immediately following a significant incident. The review evaluates the effectiveness of current procedures, incorporates lessons learned, and aligns with evolving regulatory requirements and threat landscapes.

Buji Development Corporation

1712 Pioneer Ave. Ste. 500, Cheyenne, WY 82001

Email: [email protected] | Phone: (561) 571-2646 | Web: agentmidas.ai (also accessible at agentmidas.xyz)