Incident Response
Date: 2026-05-14 Status: Drafted. Not yet exercised against a paying-customer incident.
1. Detection
| Channel | Purpose |
|---|---|
| Sentry | Application errors, PHI-scrubbed |
| CloudWatch alarms | Infrastructure thresholds (CPU, DB connections, S3 errors, replication lag) |
| Customer report | Inbound via support email + hospital portal |
| Sub-processor notification | Per BAA terms |
| Internal review | Founder + platform engineering weekly review |
Sev level assigned at first triage. Sev matrix in RUNBOOK.md.
2. Triage
Founder rotation
- Giles-Evan Mboumi (Founder, CEO), primary on-call, customer comms lead
- Christian Montgomery (Co-Founder, COO), backup, security/infra and delivery lead
- Abhishek Jha (CTO), technical/architecture escalation
- engineering on-call, extended-hours tertiary for production fires
Rotation cadence: weekly during pilot phase; formal PagerDuty rotation post-Series A.
engineering on-call
Platform engineering partner under NDA provides extended-hours on-call for production fires. Operational SLA per partnership terms (per partnership terms , available on request through diligence room access).
First-response checklist
- Confirm severity (Sev 1-4)
- Open incident channel (founder + engineering on-call)
- Capture initial state: timestamp, affected surface, scope of impact
- Pull CloudWatch + Sentry context
- If Sev 1: notify customer per BAA terms before remediation if customer-impacting
- Begin remediation
3. Communication
Customer notification
| Trigger | Window | Channel |
|---|---|---|
| Suspected PHI breach | Within 60 days per HIPAA (45 CFR 164.404); faster on confirmed exposure | Direct customer comms + written notice |
| Service-impacting outage (Sev 1) | Within 24 hours of impact start | Customer-specific SLA (per-customer SLA , available on request through diligence room access) |
| Sub-processor incident affecting us | Within 24 hours of vendor confirmation | Forward vendor notice + Rōvn-specific impact statement |
| Resolved incident | Within 7 days of resolution | Post-incident summary document |
Internal notification
- Sev 1: immediate founder channel
- Sev 2: within 2 hours founder channel
- Sev 3: next business day digest
- Sev 4: weekly review
Investor notification
- Sev 1 events that materially affect commercial trajectory: included in next monthly investor update with summary + remediation
- Sev 2 events: aggregated in monthly update if multiple
- Routine Sev 3 / Sev 4: not surfaced
4. Post-mortem cadence
- 24 hours after resolution: initial post-mortem (blameless format)
- Template fields: incident date, impact, root cause, detection, response, resolution, lessons, action items
- Action items tracked in engineering backlog with owner + due date
- Customer-facing post-mortem provided per BAA terms
5. PHI breach-specific protocol
If PHI exposure is suspected (not yet confirmed): 1. Immediately preserve forensic evidence (CloudTrail, S3 access logs, application logs) 2. Begin internal investigation within 1 hour 3. Engage outside counsel (retainer on file , counsel name available on request through diligence room access) 4. Do NOT publicly disclose pre-investigation 5. Customer notification triggered on confirmation (60-day window from confirmation, not from suspicion)
If PHI exposure is confirmed: 1. Customer notification per BAA terms (60-day window) 2. OCR (Office for Civil Rights) notification if > 500 individuals affected (per HIPAA Breach Notification Rule) 3. Affected-individual notification within 60 days of discovery 4. Public-facing summary if > 500 individuals affected (HHS portal) 5. Substitute notification (media) if > 500 in same jurisdiction and contact info unavailable
Outside counsel + breach coach engagement is mandatory for any confirmed PHI breach.
6. Sub-processor incident protocol
If a sub-processor (AWS, Anthropic, Persona, Checkr, WorkOS, Drata, Sentry) reports an incident that affects Rōvn:
- Confirm scope with vendor
- Identify affected Rōvn customers
- Pull internal evidence on Rōvn-side data flow during incident window
- Notify affected customers per BAA terms (typically within 24-72 hours of vendor confirmation)
- Forward vendor remediation + Rōvn-specific remediation
- Track for cumulative review at quarterly compliance check-in
7. Specific playbooks
7.1: PHI exposure via Sentry scrub failure
- Disable Sentry sender for affected surface
- Review last 24 hours of Sentry events for PHI scrub failure
- Engage Sentry support to delete affected event data
- Trigger confirmed breach protocol if PHI was sent to Sentry
7.2: Database PHI exfiltration suspected
- Lock down database access (revoke ECS task role temporarily; failover to read-only)
- Pull RDS audit log + CloudTrail
- Identify exfil vector
- Customer notification if PHI > 0 records exposed
- Forensic snapshot of database state
7.3: Anthropic API incident
- Confirm vendor status
- Failover to Bedrock path (target capability)
- Queue inflight executor calls
- Customer notification only if pilot customer SLAs impacted
7.4: Source authority API integrity (e.g., wrong data returned)
- Pause affected adapter
- Source-receipt review for affected verifications
- Vendor escalation
- Re-verify affected workers via alternate source
7.5: Audit log integrity failure
- Sev 1 escalation immediately
- S3 Object Lock should make this impossible; if alarm fires, treat as compromise
- CloudTrail review of all account activity
- Engage outside counsel + AWS support
8. Tooling status
| Tool | Status |
|---|---|
| Sentry | LIVE |
| CloudWatch | LIVE |
| AWS CloudTrail | LIVE |
| Incident channel (founder Slack / Discord) | LIVE |
| PagerDuty | Target post-Series A |
| Status page (status.rovn.to or similar) | /status.html route exists; full automated status page TARGET |
| Forensic snapshot automation | PARTIAL |
End of incident response.