Incident Response Plan
Effective: 8 April 2026 · Reviewed annually
This document describes how Terra Natural responds to security incidents affecting the Amazon SP API MCP service.
It exists to satisfy Amazon's Data Protection Policy requirements and to give Terra Natural a clear,
rehearsed procedure to follow when something goes wrong.
1. Definitions
- Security incident: any event that may compromise the confidentiality, integrity, or availability of seller data — including unauthorised access, data exposure, credential compromise, denial of service, malware, or sub-processor breaches.
- Personal data breach: a security incident leading to unauthorised access to, or loss of, personal data; such a breach triggers UK GDPR notification obligations.
- Affected seller: any seller whose data may have been accessed, modified, or exposed by the incident.
2. Roles
- Incident Lead: Denis Pedras (sole responsible party as of 2026-04-08)
- Communications Lead: Denis Pedras
- Technical Lead: Denis Pedras
As the team grows, these roles will be assigned to different individuals.
3. Detection sources
- Fly.io platform alerts (machine restarts, anomalous error rates)
- Neon database metrics (unusual query rates, failed authentications)
- Stripe webhook anomalies (unexpected subscription changes)
- Direct reports from sellers, security researchers, or users (sales@terranatural.co.uk)
- Amazon SP-API security notifications
4. Response procedure
Phase 1: Detection and triage (within 1 hour)
- Acknowledge the report or alert
- Assess severity: low / medium / high / critical
- Open an incident ticket with timestamp, source, and initial findings
- If high or critical, escalate to Phase 2 immediately
Phase 2: Containment (within 4 hours of confirmation)
- Identify the scope: which seller accounts are affected
- Revoke all OAuth access tokens for affected sellers (set oauth_tokens.revoked = TRUE)
- If credentials are compromised, rotate the affected secrets in Fly.io secrets and redeploy
- If a sub-processor is compromised, follow their disclosed remediation steps
- If an Amazon refresh token is compromised, advise the seller to revoke access in their Amazon Seller Central account
Phase 3: Notification (within 24-72 hours)
- Affected sellers: notified by email within 24 hours of confirmed breach. Email contains the nature of the incident, the data potentially affected, the actions we have taken, and the actions they should take.
- Amazon: notified at security@amazon.com within 72 hours of confirmed breach, in compliance with the Amazon Data Protection Policy.
- UK Information Commissioner's Office (ICO): notified within 72 hours of confirmed breach, where the breach is likely to result in risk to affected individuals (UK GDPR Article 33).
- Other regulators: as required by jurisdiction.
Phase 4: Eradication and recovery
- Identify root cause and patch the vulnerability
- Rotate all potentially compromised secrets (encryption keys, LWA credentials, Stripe keys, database credentials)
- Verify integrity of all data and systems
- Restore service to affected sellers and confirm normal operation
Phase 5: Post-incident review (within 14 days)
- Document the timeline, root cause, impact, and remediation
- Identify process or technical improvements to prevent recurrence
- Update this Incident Response Plan if any improvements affect the procedure
- Share a summary with affected sellers if requested
5. Detection and monitoring (current state)
As of April 2026, monitoring is manual and informal: Fly.io platform alerts, manual log review during deployments,
and direct reports. Structured monitoring (Sentry for application errors, custom anomaly detection) is planned for Q3 2026.
6. Backup and recovery
Database backups are managed automatically by Neon (point-in-time recovery, eu-west-2). The application is stateless
beyond the encrypted refresh tokens, so recovery from backup is straightforward and would not lose seller data beyond
the most recent transactions.
7. Annual review
This plan is reviewed at least once per year, and after every material incident. The next scheduled review is
April 2027.
8. Contact
To report a security incident:
sales@terranatural.co.uk
(subject line: SECURITY INCIDENT for priority handling)