Trust

Incident Response Summary

Last updated: June 10, 2026

This document summarizes how ClearPlan detects, contains, and communicates security incidents affecting customer data. It is intentionally scoped to what we actually operate: a small, focused service with a deliberately minimal data footprint (see our Security Policy).

1. Scope and definitions

An incident is any event that compromises, or credibly threatens to compromise, the confidentiality, integrity, or availability of customer data or the ClearPlan service. A personal data breach is an incident resulting in accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to customer data.

2. Roles

ClearPlan's founder acts as incident commander and is responsible for triage, containment decisions, customer notification, and the post-incident review. Provider-side response (infrastructure compromise at Supabase, Vercel, or Stripe) follows the relevant provider's incident process, with ClearPlan responsible for customer-facing assessment and notification.

3. Detection

Supabase auth and database logs (authentication anomalies, policy violations)
Vercel deployment and runtime logs
GitHub Dependabot alerts for vulnerable dependencies
Provider security notices (Supabase, Vercel, Stripe)
Reports from customers or researchers to hello@getclearplan.com (see vulnerability disclosure in the Security Policy)

4. Response phases

Triage (same day). Confirm the event, classify severity, and determine whether customer data is implicated.
Containment. Depending on the vector: rotate API keys and database credentials, revoke active sessions, revoke plan share links, disable affected endpoints, or take the service offline if required to stop ongoing exposure.
Eradication and recovery. Patch the root cause, redeploy, and verify with the same reproduction steps that confirmed the incident.
Notification. If customer data was involved, affected customers are notified by email within 72 hours of confirmed discovery with: what happened, what data was involved, what we have done, and what (if anything) the customer should do. Regulatory notifications are made where applicable law requires them.
Post-incident review. A written summary of cause, timeline, impact, and corrective actions, with corrective work scheduled before feature work resumes.

5. Customer responsibilities

Advisors should report suspected account compromise (unrecognized plans, unexpected sign-outs, unfamiliar share links) to hello@getclearplan.com immediately and rotate their password from the sign-in page.

6. Review cadence

This process is reviewed, and the contact and escalation paths re-verified, at least annually and after every incident.