Incident Disclosure Policy

How we detect, respond to, and disclose security incidents.

Last updated: April 25, 2026

This policy describes how 3D3D identifies, responds to, and communicates security incidents affecting ORA and customer data.

1. What Constitutes an Incident

  • Data breach: Unauthorized access to, disclosure of, or loss of personal data or confidential customer information
  • Service disruption: Unplanned outages or degradation affecting ORA availability
  • Agent security event: Agent execution that exceeds configured authority due to a security failure
  • Account compromise: Unauthorized access to a customer account
  • Infrastructure compromise: Unauthorized access to ORA’s systems or infrastructure

2. Detection and Containment

Upon identifying a potential incident, we:

  1. Assess severity and scope within 2 hours
  2. Contain the incident (revoke compromised credentials, isolate affected systems)
  3. Preserve evidence for investigation
  4. Engage incident response procedures
  5. Eradicate root cause
  6. Restore services
  7. Conduct post-incident review

3. Notification Timeline

  • Affected customers: Within 72 hours of confirming a personal data breach (GDPR requirement). We err on the side of earlier notification.
  • Data Protection Authorities: Within 72 hours for breaches affecting EU residents, as required by GDPR Article 33.
  • All customers: For significant service disruptions, via status page and email within 1 hour of a confirmed incident.

4. Notification Contents

Data breach notifications will include:

  • Nature and scope of the incident
  • Categories and approximate number of data subjects affected
  • Categories and approximate volume of records involved
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for questions

5. Reporting a Security Issue

If you believe you have discovered a security vulnerability or incident, contact us immediately at info@3d3d.ca with “Security Incident” in the subject line. For vulnerabilities, see our responsible disclosure process in the Security Policy.

6. California Transparency

For incidents involving California residents, we comply with the California Consumer Privacy Act (CCPA) breach notification requirements and the California Transparency in Frontier AI Act (TFAIA) reporting requirements for significant safety incidents.