Incident Response Policy
How HookPilot detects, contains, investigates, discloses and learns from security and AI-safety incidents.
1. Scope
This policy covers security incidents (confidentiality, integrity, availability) and AI-safety incidents (a chartered agent produced unsafe output, bypassed a veto, or caused customer harm). It applies to HookPilot Caption Studio LLC's production systems, customer workspaces, sub-processors handling customer data, and HookPilot-authored AI agents.
2. Severity Levels
- SEV-1 — confirmed data exposure, ransomware, platform-wide outage, AI-safety incident with imminent customer harm.
- SEV-2 — credible exposure indicators, single-tenant outage, repeated AI veto bypass, sub-processor compromise.
- SEV-3 — degraded service, low-impact vulnerability, isolated agent misbehavior.
- SEV-4 — informational, near-miss, drill, third-party advisory with no HookPilot exposure.
3. IR Phases
HookPilot follows the NIST SP 800-61 phases: preparation → detection & analysis → containment → eradication → recovery → post-incident review. Each phase has named owners, defined entry and exit criteria, and a Slack-bridged war room template.
4. Roles (HookPilot Internal Security, "-HPS" suffix)
- Vault-HPS — secrets and key custody, rotation, vault hygiene.
- Guard-HPS — perimeter, WAF, bot mitigation, abuse signal.
- Sweep-HPS — vulnerability scanning, SBOM, patch SLA enforcement.
- Trace-HPS — forensic timeline construction, log preservation, evidence chain.
- Codex-HPS — disclosure orchestration (SEC 4-day / GDPR 72-hour / HIPAA 60-day / NYDFS 72-hour / state AG rules).
- Shield-HPS — independent veto for any disclosure or mitigation that would otherwise breach policy or law.
5. Detection
Signals come from: managed detection (cloud provider + edge), SIEM correlation on shipped logs, anomaly detection on agent-run telemetry, customer reports via security@hookpilot.co, and the responsible-disclosure channel. Every signal opens a triage ticket within 15 minutes.
6. Containment
Containment objectives, in priority order: (1) protect customer data; (2) preserve forensic evidence; (3) stop spread; (4) keep service available where possible. Pre-approved containment playbooks exist for credential exposure, lost device, ransomware, data exfiltration, sub-processor compromise, agent veto bypass and prompt-injection exploit.
7. Disclosure Timelines
| Trigger | Window | Audience |
|---|---|---|
| Personal data breach under GDPR / UK GDPR | 72 hours from awareness | Lead supervisory authority + affected customers |
| HIPAA breach affecting ePHI (where BAA active) | Without unreasonable delay, ≤60 days | Covered Entity + individuals + HHS |
| Material cybersecurity incident under SEC Reg S-K Item 1.05 | 4 business days (if HookPilot becomes SEC-registered) | SEC + investors |
| NYDFS-regulated customer impact | 72 hours | Affected NYDFS entity |
| U.S. state notification thresholds | State-specific (typically ≤45 days) | Residents + state AG |
| Enterprise customer security incident clause | Per executed order form | Named contact |
8. AI-Safety Incidents
If a HookPilot agent produces materially false or harmful output that reaches a third party — for example, a customer publishes Caption Studio output that names a real person falsely, or a Legal & Compliance agent's response is acted on as professional advice — we treat it as a SEV-2 by default. The IR runbook adds: prompt and memory snapshot, framework-library version capture, veto-trail audit, and a fix that lands in the affected agent's charter or hallucination self-check.
9. Post-Incident Review
SEV-1 and SEV-2 incidents always get a written post-incident review (PIR). The PIR is blameless, includes a timeline, root-cause analysis, customer impact, and remediation tickets tracked to closure. PIR summaries are shared with affected Enterprise customers under NDA.
10. Tabletop and Chaos Exercises
HookPilot runs a tabletop exercise quarterly and a controlled chaos drill (load shed, region failover, secrets rotation) twice a year. Findings feed the IR runbook and the SOC 2 readiness program (see SOC 2 Readiness Framework).
11. Contact
Active incident reports (24/7): security@hookpilot.co. Customer-side incident notifications during an active SEV-1 are sent from status@hookpilot.co and posted to status.hookpilot.co.