AIOrouter Security Incident Response Plan

Version: 1.0.0 Effective Date: 2026-05-04 Last Reviewed: 2026-05-04 Review Cadence: Quarterly (every 3 months) or after any P0/P1 incident resolution Owner: Founder (Taya Chu), Privacy Officer Classification: Confidential — Internal Operations PIPEDA Reference: Breach of Security Safeguards Regulations (SOR/2018-64)

§1 — Overview

§1.1 — Purpose

This Incident Response Plan (IRP) defines the procedures, roles, and communication templates for detecting, responding to, and recovering from security incidents at AIOrouter. It ensures:

  1. Rapid containment of security incidents to minimize user impact
  2. PIPEDA compliance — breach notification to OPC within 72 hours of determination
  3. Clear escalation paths — every team member knows their role and responsibilities
  4. Continuous improvement — blameless post-mortems drive systemic fixes

§1.2 — Scope

This plan covers all AIOrouter services and infrastructure:

Service Host Criticality
API Gateway (api.aiorouter.ca) GCP Cloud Run (northamerica-northeast1) P0 — revenue-generating
Dashboard (dashboard.aiorouter.ca) GCP Cloud Run (northamerica-northeast1) P1 — user-facing
PostgreSQL (Cloud SQL) GCP (northamerica-northeast1) P0 — data integrity
Redis (Memorystore) GCP (northamerica-northeast1) P1 — caching + rate limiting
Stripe Integration Stripe API P1 — billing
CI/CD Pipeline GitHub Actions + Cloud Build P2 — deployment

§1.3 — PIPEDA Obligations

Under PIPEDA's Breach of Security Safeguards Regulations:

Automated breach detection and OPC report generation is handled by internal implementation evidence (P1-W3-005).

§2 — Incident Severity Levels

Severity levels are aligned with the breach detection system in internal implementation evidence.

P0 — Critical

Attribute Value
Definition Active data breach, complete service outage, or confirmed exfiltration of user data
Examples Production API down for all users; PII data exfiltrated from database; attacker gains admin access; mass API key compromise
Detection Sources AI Firewall BLOCK surge >50%, PII spike >10× baseline, outbound data anomaly, manual report, external researcher report
Response SLA Acknowledge: 15 minutes
Notification Immediate Founder Telegram alert + Email + OPC report generation

P1 — High

Attribute Value
Definition Confirmed vulnerability with potential for exploitation, or partial service degradation affecting >10% of users
Examples SQL injection vector discovered; provider API key leaked (rotated within window); AI Firewall bypass technique confirmed; payment processing failure
Detection Sources AI Firewall BLOCK rate >5% (sustained), outbound byte spike >10×, vulnerability disclosure via security@aiorouter.ca, Stripe webhook failure spike
Response SLA Acknowledge: 1 hour
Notification Founder Telegram alert + Email

P2 — Medium

Attribute Value
Definition Suspicious activity requiring investigation, or minor misconfiguration with low exploitation risk
Examples Unusual API usage pattern from single IP; expired TLS certificate (not yet impacting users); minor configuration drift detected; failed login spike
Detection Sources Rate limiter threshold exceeded (non-blocking), health check degradation, GCP monitoring alert, internal code review finding
Response SLA Acknowledge: 8 hours
Notification Daily digest mention; Email if trending toward P1

P3 — Low

Attribute Value
Definition Minor misconfiguration, cosmetic issue, or improvement opportunity with no immediate risk
Examples Deprecated cipher still enabled (no known exploit); documentation inconsistency; log level too verbose; non-critical dependency update
Detection Sources Dependabot alert (non-critical), npm audit warning, internal review, infrastructure scan
Response SLA Acknowledge: 24 hours
Notification Weekly report mention

§3 — Response Team

§3.1 — Roles & Responsibilities

Role Person/AI Responsibilities Contact
Incident Commander (IC) Founder (Taya Chu) Final decision authority; approves containment actions; authorizes public communications; signs off on post-mortem Telegram (primary), tayachu@gmail.com
Technical Investigator AIRO (Development AI) Root cause analysis; code-level fix implementation; log analysis; forensic data collection ROO CODE session (on-demand)
Automation Responder Hermes Agent 24/7 alert delivery; Telegram notification to Founder (+ Twilio SMS/Voice escalation); cron-scheduled health checks; webhook event routing hermes CLI (always running)
Privacy Officer Taya Chu OPC breach notification within 72 hours; user breach notification; PIPEDA compliance verification privacy@aiorouter.ca
Operations AI AINA Daily anomaly scanning; provider health monitoring; competitor status page checking; weekly security digest generation Hermes cron/webhook triggered
Security Contact Security Team Receives external vulnerability reports; triages disclosures; manages Hall of Fame security@aiorouter.ca

§3.2 — Escalation Path

External Report (security@aiorouter.ca)
    │
    ▼
Founder (Taya Chu) — reviews, classifies severity
    │
    ├── P0/P1 → Immediate Telegram alert
    │           ├── AIRO: Technical investigation
    │           ├── AINA: Automated diagnostics
    │           └── Hermes: Notification delivery
    │
    ├── P2 → Scheduled investigation (within 8h)
    │
    └── P3 → Weekly backlog review

§4 — Response Procedures

§4.1 — P0 Response Procedure

Phase 1: Detection & Acknowledgment (0–15 min)

  1. Alert triggers — AI Firewall surge, PII spike, outbound anomaly, manual report, or external disclosure
  2. Telegram CRITICAL alert sent to Founder via internal implementation evidence
  3. Email sent to privacy@aiorouter.ca via internal implementation evidence
  4. Incident logged by internal implementation evidence with unique incident ID
  5. Founder acknowledges within 15 minutes — if no response, Hermes escalates via Twilio SMS → Voice call

Phase 2: Containment (15 min–1 hour)

  1. Assess blast radius — Determine: affected users, data exposed, systems compromised, attacker entry point
  2. Isolate affected systems:
    • Rotate compromised API keys immediately
    • Enable AI Firewall strict mode (manual: update Cloud Armor rule via Terraform)
    • If API under active attack: scale up Cloud Run instances to absorb, then apply WAF block rules
    • If data exfiltration suspected: pause affected provider routing, rotate all API keys
  3. Preserve evidence — Export relevant Cloud Logging entries, database query logs, audit trail records
  4. Notify Stripe if payment data potentially affected (Stripe dashboard → Report incident)
  5. Document containment actions in incident log

Phase 3: Investigation & Remediation (1 hour–24 hours)

  1. AIRO performs root cause analysis — Code review, log analysis, attack pattern identification
  2. Fix implemented — Code patch, configuration change, infrastructure update
  3. Fix deployed — Via CI/CD pipeline (Founder approval required for production deployment)
  4. Verification — Confirm fix effective, no recurrence within monitoring window
  5. OPC breach report submitted within 72 hours of determination (see §8)

Phase 4: Recovery & Post-Mortem (24 hours–48 hours)

  1. Restore normal operations — Re-enable affected services, lift temporary blocks
  2. User notification — If PII affected: notify users via email within PIPEDA timeline
  3. Status page update — Post incident summary on public status page
  4. 48-hour post-mortem — Blameless analysis using docs/security/post-mortem-template.md
  5. Action items — Tracked in development plan with owner + deadline

§4.2 — P1 Response Procedure

  1. Acknowledge within 1 hour — Founder notified via Telegram WARNING
  2. Contain within 4 hours — Apply temporary mitigations (feature flag, WAF rule, API key rotation)
  3. Investigate — AIRO analyzes root cause; fix implemented in development environment
  4. Deploy fix — After testing, deploy to production (Founder approval)
  5. Post-mortem within 48 hours of resolution

§4.3 — P2 Response Procedure

  1. Acknowledge within 8 hours — Logged in incident tracker
  2. Investigate — Within 24 hours, determine if escalation to P1 is warranted
  3. Fix — Scheduled in next development sprint; deploy within 5 business days
  4. No post-mortem required unless trend analysis shows recurring P2 issues

§4.4 — P3 Response Procedure

  1. Acknowledge within 24 hours — Logged in backlog
  2. Resolve within 7 days — Fix as part of regular maintenance
  3. No formal post-mortem — Document fix in commit message

§5 — Detection Sources & Monitoring

§5.1 — Automated Detection

Source Technology Alert Channel
AI Firewall surge internal implementation evidenceevaluateFirewallSignal() Telegram CRITICAL (P0) or WARNING (P1)
PII detection spike internal implementation evidenceevaluatePiiSignal() Telegram CRITICAL (P0)
Outbound data anomaly internal implementation evidenceevaluateOutboundSignal() Telegram WARNING (P1)
Error rate spike GCP Cloud Monitoring alert policy Email + Telegram
Latency spike GCP Cloud Monitoring alert policy Email
Uptime failure GCP Cloud Monitoring uptime check Email + Telegram
Budget exhausted internal implementation evidenceonThresholdReached Telegram
Provider degraded internal implementation evidenceHealthChecker.deep() Health endpoint

§5.2 — External Reports

§6 — Communication Templates

§6.1 — User Breach Notification Email

Subject: [AIOrouter] Important Security Notice — Privacy Incident

Dear {user_name},

We are writing to inform you of a privacy incident that was detected on {date}.

What Happened:
{breach_description}

What Information Was Involved:
{pii_types_affected}

What We Are Doing:
{steps_taken_to_reduce_risk}

What You Can Do:
{user_recommendations}

For More Information:
Contact our Privacy Officer at privacy@aiorouter.ca.

You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.

We sincerely apologize for any concern this may cause.

— AIOrouter Security Team

§6.2 — OPC Schedule 1 Breach Report

Generated automatically by internal implementation evidence. Includes all required sections:

  1. Organization name and contact information
  2. Description of the breach
  3. Date or period of the breach
  4. Description of personal information affected
  5. Estimated number of individuals affected
  6. Steps taken to reduce risk of harm
  7. Steps taken to notify affected individuals
  8. Contact information for individuals to obtain more information
  9. Acknowledgment that OPC may contact the organization

§6.3 — Public Status Page Update

## Incident Report — {date}

**Status:** Resolved
**Severity:** {P0|P1}
**Duration:** {duration}

**Summary:**
{one-paragraph summary of what happened}

**User Impact:**
{which services were affected, for how long, how many users}

**Root Cause:**
{technical root cause in plain language}

**Resolution:**
{what was done to fix it}

**Preventive Measures:**
{what changes are being made to prevent recurrence}

**Contact:** security@aiorouter.ca

§6.4 — Internal Incident Declaration (Telegram)

🔴 P0 INCIDENT DECLARED
ID: {incident_id}
Time: {timestamp}
Source: {detection_source}
Description: {description}
Affected: {affected_users_count} users | {affected_services}

Action Required:
1. Investigate source immediately
2. Contain within 1 hour
3. OPC notification within 72 hours if PII breach

Respond with ACKNOWLEDGE to confirm receipt.

§7 — Post-Mortem Process

§7.1 — When

§7.2 — Format

Use the template at docs/security/post-mortem-template.md. Key principles:

§7.3 — Post-Mortem Meeting

  1. Attendees: Founder, AIRO (if technical), AINA (if operational)
  2. Duration: 45–60 minutes
  3. Agenda:
    • Timeline walkthrough (10 min)
    • Root cause analysis (15 min)
    • What went well / what went wrong (10 min)
    • Action items assignment (10 min)
    • Document review & sign-off (5 min)

§7.4 — Storage

Post-mortem documents stored in ops/postmortems/ with naming convention: YYYY-MM-DD-{incident_id}-{short-description}.md

§8 — PIPEDA Breach Notification Checklist

When a breach involving personal information is confirmed:

OPC Breach Report Submission: https://www.priv.gc.ca/en/report-a-concern/report-a-breach/

§9 — Contact Directory

Contact Purpose Address
Security Vulnerability Reports External researcher disclosures security@aiorouter.ca
Privacy Inquiries User privacy questions, DSAR, complaints privacy@aiorouter.ca
Founder (Urgent) P0/P1 incident commander Telegram (primary)
Founder (Email) Non-urgent operations tayachu@gmail.com
OPC Breach Reports PIPEDA mandatory notification https://www.priv.gc.ca/en/report-a-concern/report-a-breach/
Stripe Security Payment security incidents https://dashboard.stripe.com/settings/security
GCP Support Infrastructure incidents https://console.cloud.google.com/support

§10 — Plan Maintenance

Related Documents: