Skip to main content

CommonGage Incident Response

Last updated: 2026-06-29

CommonGage maintains a documented incident response process for security incidents affecting our systems, including unauthorized access to tenant data, suspected credential compromise, service disruptions caused by attacks, and potential data breaches.

Severity Levels

LevelDefinitionInitial Response Target
P0 — CriticalConfirmed or likely cross-tenant data exposure; active unauthorized access; credential compromise with data access1 hour
P1 — HighSuspected breach under investigation; auth system compromise without confirmed data access; service down due to attack4 hours
P2 — MediumSecurity misconfiguration discovered; anomalous access pattern; failed attack attempt with system impact24 hours
P3 — LowVulnerability disclosed with no evidence of exploitation; dependency CVE72 hours

Our Process

  1. Detect & Declare — Confirm the incident, assign a severity level, open an internal incident log.
  2. Contain — Isolate the affected system or credential, rotate relevant secrets, and prevent further impact.
  3. Investigate — Identify affected tenants, determine the time window and data scope, and preserve evidence for review.
  4. Remediate — Fix the root cause, deploy the fix, verify with targeted tests, and safely restore access.
  5. Notify — Communicate with affected districts and, where required, regulators.

District Notification

FERPA requires notification to districts "in the most expedient time possible and without unreasonable delay" when a breach of protected education records occurs. Given CommonGage's data model (primarily staff data, not student records), most incidents will not trigger FERPA's breach notification requirements. However, districts are notified promptly for any incident involving their data.

Notification timing target: Initial notification to affected districts within 72 hours of confirming a breach. Full post-incident report within 30 days.

Regulatory Notification

  • If a breach involves student education records covered by FERPA, we notify the relevant district's FERPA officer and follow the district's own incident response requirements (districts are the covered entity under FERPA; CommonGage is a school official/vendor).
  • If a breach involves personal data of EU/EEA residents, GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours.

Contact

To report a security concern, contact hello@commongage.com.