Incident Response Policy

1. Purpose

CW Timer, LLC is committed to maintaining the security and integrity of the CW Timer service and the data entrusted to us by our customers. This Incident Response Policy outlines how we detect, classify, respond to, and communicate about security incidents.

As a time tracking tool that integrates with ConnectWise Manage, we understand that the security of your API credentials and business data is critical. This policy reflects that responsibility.

2. Scope

This policy applies to all security incidents affecting the CW Timer service, including but not limited to:

• Unauthorized access to customer data or systems
• Data breaches involving personal data or ConnectWise credentials
• Service disruptions caused by security events
• Vulnerabilities discovered in the CW Timer application or infrastructure
• Compromise of third-party services that process CW Timer data

3. Incident Classification

Security incidents are classified by severity to ensure appropriate response and resource allocation:

Severity 1 — Critical

Active breach with confirmed unauthorized access to customer data, ConnectWise API credentials, or payment information. Requires immediate response and customer notification.

Severity 2 — High

Confirmed vulnerability that could lead to unauthorized access, or suspicious activity suggesting a potential breach. Requires urgent investigation and may require customer notification.

Severity 3 — Medium

Security issue that does not involve active exploitation but requires remediation, such as a misconfiguration, dependency vulnerability, or failed access attempt pattern.

Severity 4 — Low

Minor security observations or informational findings that pose minimal risk, such as routine vulnerability scan results or minor policy deviations.

4. Detection and Reporting

We employ multiple layers of monitoring to detect security incidents, including application logging, infrastructure monitoring, and automated alerting for anomalous activity.

If you discover a security vulnerability or suspect a security incident affecting CW Timer, please report it immediately to:

• Email: security@cwtimer.com

When reporting a security concern, please include as much detail as possible: what you observed, when it occurred, and any relevant screenshots or logs. We take all reports seriously and will acknowledge receipt within 24 hours.

5. Notification Timeline

We are committed to timely and transparent communication with affected customers:

• Affected customers — notified within 72 hours of confirming a breach that involves their data
• Regulatory bodies — notified as required by applicable data protection laws (e.g., GDPR supervisory authorities within 72 hours)
• Law enforcement — engaged when there is evidence of criminal activity

Notifications will include the nature of the incident, the data affected, the actions we are taking, and any steps you should take to protect yourself.

6. Containment and Remediation

Upon confirming a security incident, our response team takes the following steps:

6.1 Immediate Containment

• Isolate affected systems to prevent further unauthorized access
• Revoke compromised credentials and access tokens
• Preserve evidence for investigation

6.2 Investigation

• Determine the root cause and full scope of the incident
• Identify all affected data and customers
• Assess the impact and potential for ongoing risk

6.3 Remediation

• Patch vulnerabilities and close attack vectors
• Restore affected systems from verified clean backups where necessary
• Implement additional safeguards to prevent recurrence

7. ConnectWise Credential Guidance

If a security incident potentially affects ConnectWise API credentials stored in CW Timer, we will notify affected customers with specific guidance, including:

• Immediately rotate your ConnectWise API keys used with CW Timer
• Review ConnectWise Manage audit logs for any unauthorized activity during the affected period
• Re-enter your new API credentials in CW Timer once the incident is resolved
• Consider restricting API key permissions to the minimum required scopes

We encrypt all ConnectWise API credentials at rest using AES-256-GCM and in transit using TLS, but credential rotation is a standard precaution following any potential exposure.

8. Post-Incident Review

After every Severity 1 or Severity 2 incident, we conduct a post-incident review that includes:

• A detailed timeline of the incident from detection to resolution
• Root cause analysis
• Assessment of the effectiveness of our response
• Identification of improvements to prevent similar incidents
• Updates to this policy, security controls, or monitoring as needed

For incidents affecting customer data, we will share a summary of the post-incident review with affected customers, including what happened, what we did about it, and what we changed to prevent recurrence.

9. Continuous Improvement

We regularly review and update our security practices, including this incident response policy. Our security posture is informed by industry best practices, threat intelligence, and lessons learned from incidents — both our own and those disclosed by peers in the MSP tools ecosystem.

10. Related Policies

This policy should be read in conjunction with our other legal and security documents:

• Privacy Policy
• Terms of Service
• Data Processing Agreement
• Data Rights (GDPR & CCPA)

11. Contact

To report a security concern or ask questions about this policy:

• Security reports: security@cwtimer.com
• General inquiries: privacy@cwtimer.com
• Contact page: cwtimer.com/contact