Incident Response
Operating commitment. Any team member who suspects unauthorised access, disclosure, loss, alteration, or unavailability of Customer Personal Data must escalate it immediately. Ravan.ai will notify affected Customer contacts within 24 hours after confirming an incident affecting their Customer Personal Data, and will not wait for a complete root-cause analysis before giving that notice.
One-page response process
Open an incident immediately
Any employee, contractor, or service provider who identifies a suspected security event must report it to the incident lead through the security escalation channel immediately and no later than one hour after discovery. Suspected events include exposed credentials, unauthorised access, misdirected data, malware, lost devices, unexpected deletion, and abnormal access to recordings or transcripts.
The incident lead assigns an owner, opens a time-stamped incident record, records the affected systems and customers, and begins an evidence log. The reporter must not delete logs, rotate credentials, or alter evidence before the incident lead has directed containment.
Stop further exposure
- Disable or rotate exposed credentials and revoke active sessions.
- Restrict the affected user's access to the minimum needed for investigation.
- Pause affected integrations, exports, or call workflows where necessary to prevent continued exposure.
- Preserve relevant audit logs, access records, configuration history, and affected call-session identifiers.
Determine whether Customer Personal Data is affected
The incident lead determines, as quickly as practicable, whether Customer Personal Data was involved; the affected customers; the categories and approximate volume of data; likely consequences; and the containment actions already taken. The assessment is recorded even where the conclusion is that no Customer Personal Data was affected.
Tell the affected customer within 24 hours of confirmation
Once Ravan.ai confirms an incident affecting Customer Personal Data, the incident lead notifies each affected Customer's designated security or privacy contact within 24 hours. The initial notice may be preliminary, but will include the known facts, the affected systems or data categories, containment actions, and a contact for follow-up. Ravan.ai will provide material updates as the investigation develops.
The Customer remains responsible for notifications to regulators and data subjects unless the Agreement states otherwise. Ravan.ai will provide reasonable information and assistance required for those notifications under the Data Processing Addendum.
Restore safely and prevent recurrence
Before returning an affected service to normal operation, the incident lead verifies that containment is effective and that any required access, configuration, or deployment changes have been reviewed. Within ten business days after closure, the incident owner documents root cause, corrective actions, owners, and due dates. Material actions are tracked to completion and tested.
Report a security incident
Include the affected workspace or customer, relevant phone number or call-session ID, time discovered, and any immediate containment action already taken.