Developer Documentation

Incident Response Plan

Incident Response Plan

For every incident: preserve logs, assign an owner, create an incident record, communicate carefully, recover safely, and run a post-incident review.

Scenarios

### Suspected Fraud

• Detection: risk alerts, unusual velocity, complaints.
• Containment: freeze wallet/account, pause merchant, block device/IP.
• Investigation: review audit logs, ledger, provider logs, KYC.
• Communication: support/compliance approved message.
• Escalation: risk lead, compliance, finance.
• Recovery: unblock or keep restrictions; document decision.

### Provider Outage

• Detection: provider health degraded, failed webhooks, timeout spike.
• Containment: maintenance mode for affected payments/withdrawals.
• Investigation: provider dashboard/API status, queue backlog.
• Recovery: retry verification, replay webhooks, reconcile.

### Payment Duplication

• Detection: duplicate idempotency/provider reference, complaint.
• Containment: stop settlement for affected transaction.
• Investigation: compare payment, transaction, ledger, provider transaction.
• Recovery: reversal workflow; notify parties.

### Webhook Replay

• Detection: duplicate event IDs, repeated provider references.
• Containment: mark duplicates ignored.
• Investigation: webhook event table and signatures.
• Recovery: replay only validated missing events.

### Compromised Customer/Merchant/Admin

• Detection: device change, failed OTP/PIN, support report.
• Containment: force logout, lock account, revoke tokens/API keys.
• Investigation: audit logs, devices, IPs, recent transactions.
• Recovery: reset security, restore access after verification.

### Leaked API Key or Webhook Secret

• Detection: developer report, unusual usage, public exposure.
• Containment: revoke key/webhook, rotate secret.
• Investigation: usage logs and outbound deliveries.
• Recovery: issue new credentials and monitor.

### Database Performance Incident

• Detection: slow query/request logs, high latency, queue backlog.
• Containment: pause heavy exports/reports.
• Investigation: slow query logs, indexes, process list.
• Recovery: add indexes, scale readers, retry jobs.

### Data Breach Suspicion

• Detection: unusual access, leaked data report, admin anomaly.
• Containment: isolate affected credentials/systems.
• Investigation: legal/security-led evidence preservation.
• Communication: use legal-approved breach notification plan.
• Recovery: patch, rotate, monitor, document.

### Settlement Error

• Detection: reconciliation mismatch, merchant report.
• Containment: pause settlement batch.
• Investigation: settlement items, ledger, provider records.
• Recovery: adjustment/reversal workflow and finance signoff.