CommonGage Incident Response
Last updated: 2026-06-29
CommonGage maintains a documented incident response process for security incidents affecting our systems, including unauthorized access to tenant data, suspected credential compromise, service disruptions caused by attacks, and potential data breaches.
Severity Levels
| Level | Definition | Initial Response Target |
|---|---|---|
| P0 — Critical | Confirmed or likely cross-tenant data exposure; active unauthorized access; credential compromise with data access | 1 hour |
| P1 — High | Suspected breach under investigation; auth system compromise without confirmed data access; service down due to attack | 4 hours |
| P2 — Medium | Security misconfiguration discovered; anomalous access pattern; failed attack attempt with system impact | 24 hours |
| P3 — Low | Vulnerability disclosed with no evidence of exploitation; dependency CVE | 72 hours |
Our Process
- Detect & Declare — Confirm the incident, assign a severity level, open an internal incident log.
- Contain — Isolate the affected system or credential, rotate relevant secrets, and prevent further impact.
- Investigate — Identify affected tenants, determine the time window and data scope, and preserve evidence for review.
- Remediate — Fix the root cause, deploy the fix, verify with targeted tests, and safely restore access.
- Notify — Communicate with affected districts and, where required, regulators.
District Notification
FERPA requires notification to districts "in the most expedient time possible and without unreasonable delay" when a breach of protected education records occurs. Given CommonGage's data model (primarily staff data, not student records), most incidents will not trigger FERPA's breach notification requirements. However, districts are notified promptly for any incident involving their data.
Notification timing target: Initial notification to affected districts within 72 hours of confirming a breach. Full post-incident report within 30 days.
Regulatory Notification
- If a breach involves student education records covered by FERPA, we notify the relevant district's FERPA officer and follow the district's own incident response requirements (districts are the covered entity under FERPA; CommonGage is a school official/vendor).
- If a breach involves personal data of EU/EEA residents, GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours.
Contact
To report a security concern, contact hello@commongage.com.