Incident Response Framework
Toku maintains an Incident Management Response Plan covering the full lifecycle of security and operational incidents: detection, triage, response, resolution, and postmortem. The plan is built for the specific risks of SaaS payroll and cryptocurrency settlement.
Severity Classification
| Level | Description | Response Expectations |
|---|---|---|
| SEV-1 Critical | Broad business impact or regulatory consequence (e.g., global payroll deadline missed, large-scale data breach, payment transfer failures for multiple customers on payday) | All-hands response, Incident Commander and executives engaged within 15 minutes, external communications within 30 minutes, hourly updates until resolved |
| SEV-2 High | Significant functionality impact, multiple customers affected (e.g., payroll API outage in a region) | Response within 15 minutes, customer communication within 1 hour, resolution within same business day where feasible |
| SEV-3 Moderate | Limited impact, or a clear workaround exists (e.g., payroll delay for a single customer) | Response within 1 hour, resolution within 1 business day |
| SEV-4 Low | Minimal impact, does not affect payroll execution (e.g., slow report loading) | Tracked and resolved through normal sprint cycle |
Incident Lifecycle
Detection
Incidents are detected through multiple channels: automated application and infrastructure monitoring, anomaly detection, transaction monitoring, payroll data validation jobs, on-call alerting, reports from employees or customers, and escalations from integration partners.
Triage and Classification
The Incident Commander declares the incident, assigns severity, creates an incident ticket with timestamp, description, and severity, opens a dedicated Slack war room channel, and assigns all roles.
Response and Mitigation
Immediate containment may include pausing affected workflows, disabling failing integrations, revoking compromised credentials, restoring queues, deploying fixes, and validating recovery before service is resumed.
Communication
Internal updates flow through the Slack war room, with 15-minute stand-ups for SEV-1 incidents. External communications include direct email notifications to affected customers and regulatory notifications within statutory windows (e.g., the 72-hour supervisory authority notification required by GDPR Article 33).
Resolution and Postmortem
Closure requires technical validation that systems are restored, reconciliation of payroll data and financial transactions, customer communication confirming closure, and a blameless postmortem within 5 business days. Root cause analysis and corrective actions are documented and tracked to completion.
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Incident Commander (IC) | Owns the incident from declaration through closure. Manages severity, tasking, and decision log. |
| Technical Lead | Diagnoses root cause, leads remediation, owns rollback/hotfix decisions. |
| Communications Lead | Prepares internal updates, status page posts, and customer emails. Works with Legal before external release. |
| Legal and Compliance Advisor | Assesses regulatory reporting obligations (GDPR, SEC, FinCEN). Provides go/no-go on communications. |
| Customer Success Liaison | Coordinates direct customer outreach and ensures front-line staff are briefed. |
| Payroll Operations Lead | Executes payroll reruns, ensures corrections, validates employee payments. |
| Executive Sponsor | Provides authority, unblocks resources. Typically CEO or CTO. |
Tabletop Exercises
Toku runs quarterly tabletop exercises facilitated by the Security/Compliance team. Scenarios include payment rail disruption, integration outages, security events involving employee data, and payroll calculation incidents.
Exercises include live role assignment, timed injects (media requests, partner outages, customer social media posts), and decision-point drills, and each concludes with a hotwash and an improvement log.
Evaluation metrics: Mean Time to Detection (MTTD), Mean Time to Mitigation (MTTM), communications accuracy, and stakeholder confidence.
Incident Notification to Clients
Toku notifies affected clients no later than 48 hours after confirming a security event involving customer data or impacting operations. The initial notification may be preliminary pending full investigation, with regular updates provided until the incident is closed.