Incident Response Policy

Effective date: February 27, 2026 | Version: 2026.03-global

This policy defines how VelisAds identifies, triages, contains, communicates, and resolves security, fraud, privacy, and reliability incidents.

All employees, contractors, and operational partners must follow this policy.

Incident Classes

  1. SEV-1: Active breach, data exposure, financial abuse, or widespread service outage.
  2. SEV-2: High-risk exploit path, account takeover pattern, or critical subsystem instability.
  3. SEV-3: Limited-scope defect with material user impact or policy enforcement failure.
  4. SEV-4: Low-impact operational issue with no immediate trust or security risk.

Response Lifecycle

1) Detect and Triage

  • Any alert from monitoring, fraud systems, support, or engineering opens an incident ticket.
  • Responder validates scope, affected systems, and initial severity within defined on-call windows.
  • Potential legal or privacy events are escalated immediately to security owners.

2) Contain and Stabilize

  • Containment actions may include rate-limit tightening, endpoint restriction, campaign pause, or account lock.
  • Temporary controls must prioritize user safety and billing integrity.
  • All containment actions require timestamped operator notes.

3) Recover and Validate

  • Permanent fix and rollback strategy are reviewed before production rollout.
  • Recovery criteria include error-rate normalization, fraud-signal stabilization, and data consistency checks.
  • Post-fix monitoring remains elevated until closure criteria are met.

Communication Standards

  1. SEV-1 and SEV-2 incidents require immediate internal broadcast with owner, scope, and mitigation plan.
  2. User communication must be factual, time-stamped, and limited to verified information.
  3. Public status updates should include impact, workaround (if available), and next checkpoint time.
  4. Regulatory notification timelines must be followed where required by law or contract.

Evidence and Audit Requirements

  1. The incident record must include root cause, timeline, blast radius, and recovery actions.
  2. Security logs, relevant headers, and API request traces must be retained for forensic review.
  3. Billing-impact incidents must include a reconciliation summary and the remediation outcome.
  4. Each closed incident needs corrective and preventive actions with owners and due dates.

Post-Incident Review

  1. Conduct a blameless review within 5 business days for SEV-1/SEV-2 incidents.
  2. Track action items in release planning until verified as complete.
  3. Update relevant policies, runbooks, and automated controls based on findings.

Operational Interpretation and Regional Mapping

These requirements should be interpreted as global baseline controls for a live ad operations platform. Teams must map each requirement to local legal obligations, contractual duties, and traffic-source constraints before enabling production delivery at scale.

When regional regulations impose stricter standards, the stricter standard applies. Where legal ambiguity exists, operations should default to least-risk handling and documented escalation to legal or compliance owners.

Policy-to-Workflow Mapping

  • Map each policy control to one concrete workflow checkpoint.
  • Define accountable owner, review cadence, and evidence source.
  • Link policy failures to clear remediation and rollback actions.
  • Track policy exceptions with expiry and approval metadata.

Evidence and Audit Quality

  • Keep verifiable logs for approvals, enforcement, and account state changes.
  • Maintain immutable records for policy acceptance and version changes.
  • Preserve incident evidence with timestamp accuracy and actor context.
  • Support regulator and partner audits with structured evidence retrieval.

Release and Change Governance

  • Run policy impact review before major workflow or billing changes.
  • Gate high-risk releases behind compliance and security readiness checks.
  • Document rollback criteria for policy or abuse regressions.
  • Communicate material policy updates with effective-date clarity.

Extended Compliance Checklist

  1. Confirm access controls for admin, publisher, advertiser, and support roles.
  2. Verify domain ownership, sitemap coverage, and install-code integrity before launch.
  3. Validate ad creatives, landing behavior, and category eligibility rules.
  4. Ensure budget, spend, and settlement paths align with billing model selection.
  5. Run fraud and abuse controls for both ad-serving and click attribution pathways.
  6. Confirm user data handling for consent, retention, and rights-response timelines.
  7. Check payout safeguards, webhook integrity, and transaction audit visibility.
  8. Review security events, incident triage flow, and postmortem documentation quality.
  9. Ensure policy pages remain reachable, indexable, and version-consistent in sitemap.
  10. Require periodic policy refresh training for operational and support teams.

Policy FAQ for Operations Teams

How often should this policy be reviewed?

Review before each major release and at recurring governance intervals, especially when billing logic, targeting controls, or verification workflows change.

What happens if live behavior conflicts with policy text?

Live enforcement should default to safer behavior immediately, then trigger incident review and documented correction to either implementation or policy wording.

How should teams handle partner-specific requirements?

Apply partner requirements as stricter overlays where needed, while preserving baseline platform controls and maintaining auditable policy-to-process mapping.