Security Incident Response Plan
VTEX has a structured Security Incident Response Plan designed to minimize risks, mitigate impact, and ensure a swift recovery from security incidents. This plan consists of the following phases: preparation; containment, eradication, and recovery; identification; communication; and post-incident activities.


1. Preparation

To prevent security incidents, VTEX takes the following measures:

  • Assessing environment risks.
  • Implementing security baselines and applying patch updates regularly.
  • Enforcing least privilege access controls.
  • Safeguarding perimeter security.
  • Preventing malware infections.
  • Conducting security awareness campaigns.

2. Containment, eradication, and recovery

Before taking corrective actions, VTEX collects, preserves, protects, and documents all evidence.

All assets involved in the incident must be preserved, and no evidence can be deleted or changed without proper authorization. If the evidence contains confidential information, encryption is mandatory.

After resolving an incident, VTEX assesses whether other environments are exposed or have already suffered the same type of attack, so that the root cause can be addressed. The responsible team must re-establish uncompromised safeguards.

3. Incident identification

An anomalous event is classified as a security incident if it affects the availability, integrity, or confidentiality of information, systems, or services, or if it results from improper access or an attack.

VTEX also proactively initiates incident management to keep anomalous events from escalating and to mitigate their potential impact.

4. Communication

This procedure includes an integrated communication plan that is applied throughout all phases of the response. VTEX notifies customers who may have been affected by the incident within 24 hours of confirming the incident.

5. Post-incident activities

Lessons learned and improvements from the incident response process are collected to improve security controls and to strengthen future incident management.

The objective is to analyze:

  • What happened and how.
  • What actions were taken.
  • Whether the response was effective.
