Trust
Incident response
We-operate customers receive contractual notification timelines. Customer-VPC operators run the same five-step playbook on their own stack (see operator playbook).
- Detect —
audit_events, smoke-prod gates, operator alerts,fbl_events. - Triage — severity classification within 4 business hours (we-operate).
- Contain — revoke API keys, pause send, isolate Kumo admin.
- Notify — customer security contact per the signed DPA.
- Recover — policy re-apply, epoch bump, matrix re-run.
SLA matrix (we-operate)
| Tier | Acknowledge | Postmortem |
|---|---|---|
| Sev-1 | 30 minutes | 5 business days |
| Sev-2 | 4 hours | 10 business days |
| Sev-3 | next business day | next sprint |
Disclosure intake
Security disclosures: security@postmta.com · Privacy:privacy@postmta.com. We honour co-ordinated disclosure and do not pursue legal action against good-faith researchers.
Customer-VPC ops
Operators using PostMTA Hosted in their own VPC run the same playbook against audit_events, run bash scripts/restore-appliance-drill.sh --check, and reach us via support. We operate the smoke matrix, not their incident timeline.