If we get breached, here's exactly what happens.
No scrambling. No PR spin. No 6-month delayed disclosure. A pre-committed 72-hour pipeline — CERT-In, Data Protection Board, you — in that order of urgency, all three done.
Detection
Sentinel (our internal monitoring) flags an unauthorized access pattern, credential leak, or data exfiltration indicator. An on-call incident is opened automatically.
Containment + scoping
CTO + DPO triage. Affected data categories, affected user count, and blast radius are documented. Attacker access is severed. A snapshot is taken for forensics.
Affected user list frozen
Every user whose personal data was (or may have been) exposed is added to a breach_notifications record with their userId, what data category was exposed, and the scope of exposure.
Data Protection Board intimation
We file an initial report with the Data Protection Board of India describing the nature of the breach, the categories of data involved, the approximate number of affected users, and the mitigation steps already taken.
CERT-In notification
CERT-In is notified within the timelines of the cybersecurity directive, with technical IoCs and remediation status.
User notification
Every affected user receives a plain-English email + in-app notification describing exactly what data was involved, what we are doing about it, what they should do, and how to contact the DPO. No corporate-lawyer weasel-language.
Post-incident report
Full root cause analysis published on /changelog (if non-sensitive) and filed with the Board. Policy + architecture changes that resulted from the incident are described.
Why we pre-commit the playbook
Under stress, organisations don't rise to the occasion — they fall to the level of their preparation. Publishing the runbook in advance makes it impossible to rewrite after the fact. You know what to expect. Our team knows what to do. Your lawyer knows what to hold us to.