Security

Incident Response & Vulnerability Disclosure

Last reviewed: April 2026

Incident response plan

User Intuition follows a documented incident response plan governed by our internal Threat and Incident Management Policy. The CEO serves as Incident Commander for P1 (Critical) incidents and is the escalation point for all security incidents. The Engineering Lead leads technical response.

Breach notification SLA

We commit to notifying affected customers within seventy-two (72) hours of confirmed breach detection, in alignment with GDPR Article 33. Regulatory and law-enforcement notifications follow the timelines required by applicable jurisdictions.

Incident severity tiers

  • P1 — Critical: Confirmed breach of client data or non-public personal information; active exploitation of production systems; complete loss of service availability. Customer notification within 72 hours per GDPR.
  • P2 — High: Security control failure with potential for data exposure; unauthorized access attempt with partial success; significant service degradation affecting multiple clients.
  • P3 — Medium: Security policy violation or vulnerability discovery with no evidence of exploitation; minor service disruption; non-critical system compromise.
  • P4 — Low: Informational security findings; low-severity vulnerabilities; minor procedural deviations with no data or service impact.

Vulnerability remediation timelines

Identified vulnerabilities are classified by CVSS severity and remediated within defined timeframes:

  • Critical (CVSS 9.0–10.0): Patch or mitigate within 24 hours; emergency change process if needed; CEO notified immediately.
  • High (CVSS 7.0–8.9): Patch or mitigate within 7 days.
  • Medium (CVSS 4.0–6.9): Patch or mitigate within 30 days; tracked in vulnerability register.
  • Low (CVSS 0.1–3.9): Patch within 90 days or next scheduled release cycle.

Tabletop exercises

We conduct an annual incident response tabletop exercise to verify the plan against realistic scenarios. The first exercise is scheduled for Q3 2026.

Vulnerability disclosure

Suspected security issues can be reported to security@userintuition.ai. Our coordinated vulnerability disclosure timeline is 90 days from confirmed receipt. Researchers acting in good faith should not face legal action; we ask that you give us a reasonable opportunity to remediate before public disclosure.

RFC 9116 metadata is published at /.well-known/security.txt.
