StorylineIQ maintains a documented incident response program covering detection, containment, investigation, customer notification, and post-incident review.
1. Detection
Automated monitoring on authentication anomalies, rate limits, RLS denials, and error rates. On-call rotation acknowledges alerts 24/7.
2. Triage
Within 1 hour of detection, the incident commander assigns severity (Sev-1 through Sev-3), scopes affected districts, and starts an incident timeline.
3. Containment
Revoke compromised credentials, rotate keys, isolate affected components, and apply emergency RLS or rate-limit hardening as needed.
4. Investigation
Audit logs, database snapshots, and edge logs are preserved. Root cause is documented before resolution is declared.
5. Customer notification
For incidents involving a Personal Data Breach, affected districts are notified without undue delay and in any event within 72 hours, per our DPA §7.
6. Post-incident review
Within 10 business days of resolution we publish an internal post-mortem and any customer-facing summary, with corrective actions tracked to completion.
Severity definitions
- Sev-1 — Personal Data Breach. Confirmed unauthorized access to, or disclosure of, student or user PII. 72-hour customer notification under DPA §7.
- Sev-2 — Service-impacting security event. Outage, authentication failure, or vulnerability with potential PII exposure but no confirmed access. Status-page update + direct contact with impacted districts.
- Sev-3 — Internal security event. Contained issue with no customer impact (e.g., a discovered-and-patched vulnerability). Tracked internally; surfaced in the next quarterly security report on request.
What customers receive
For any Sev-1 or Sev-2 incident affecting a district, we provide:
- The nature and approximate time of the incident
- Categories of data affected and approximate number of records
- Containment and remediation actions taken
- Recommended customer-side actions (e.g., reset admin credentials)
- A named point of contact at StorylineIQ for follow-up
Reporting a suspected incident
Districts, parents, security researchers, or anyone with knowledge of a potential security incident should email security@storylineiq.com. We acknowledge within 2 business days. For sensitive disclosures, request our PGP key in the initial message.
Related documents
- Security controls
- Data Processing Addendum (§7 breach notification)
- Privacy Policy
