Effective Date: 2026-05-14
Document Owner: Diego Fentanes, President, NSP Supplements Inc.
Next Scheduled Review: 2026-11-10 (six-month cadence)
Version: 1.0
1. Purpose and scope
This Incident Response Plan ("IRP") defines how NSP Supplements Inc. ("NSP Nutrition") detects, contains, eradicates, and recovers from information security incidents that may involve, expose, or compromise Amazon Information, Selling Partner data, customer Personally Identifiable Information (PII), or any other confidential business data processed by NSP Nutrition or its tooling.
This plan applies to all NSP Nutrition personnel, contractors, vendors, and third-party processors who handle, store, or transmit information on behalf of NSP Nutrition. It governs incidents on every system used in the operation of the business, including the internal analytics dashboard ("AdsManiac"), Shopify Admin, Amazon Selling Partner integrations, ShipBob fulfillment, Google Ads, Meta Ads, and Cloudflare-hosted properties.
2. Definitions
- Security Incident: Any actual or suspected event that compromises the confidentiality, integrity, or availability of Amazon Information or other protected data, including unauthorized access, data exfiltration, credential compromise, malware infection, denial of service, or accidental disclosure.
- Amazon Information: Any data retrieved from Amazon Selling Partner API or otherwise originating from Amazon systems, including order, inventory, pricing, advertising, and financial data.
- PII: Personally Identifiable Information, including names, addresses, email addresses, phone numbers, and payment data.
- Detection: The moment a credible signal of a security incident is observed by any NSP Nutrition personnel or monitoring system.
3. Defined roles and responsibilities
3.1 Incident Commander (IC)
Primary: Diego Fentanes, President — diego@nspnutrition.com — +1 (941) 544-7242
Secondary: Designated Operations Lead
The Incident Commander is the single point of accountability during an incident. Responsibilities: declare incidents, authorize containment actions, coordinate cross-functional response, approve external communications, and authorize regulatory notifications including notification to security@amazon.com when Amazon Information is involved.
3.2 Technical Lead
Primary: Diego Fentanes (also acts as Technical Lead given the lean operating structure)
Secondary: Any contracted developer with documented system access
Responsibilities: triage the incident, gather forensic evidence, perform containment (credential rotation, access revocation, isolation), perform eradication, and lead recovery.
3.3 Communications Lead
Primary: Diego Fentanes
Responsibilities: draft and approve all internal and external communications, including customer notifications (where legally required), regulator notifications, and partner notifications.
3.4 Compliance and Legal Liaison
Primary: Diego Fentanes (acting), with retained outside counsel engaged when needed
Responsibilities: assess legal obligations under applicable laws (e.g., state breach notification statutes, GDPR where applicable), advise on regulatory reporting, and maintain the chain of custody for preserved evidence.
4. Incident detection and reporting
All NSP Nutrition personnel are required to report suspected security incidents to the Incident Commander immediately upon detection through any of the following channels:
- Email: diego@nspnutrition.com with subject prefix "SECURITY INCIDENT"
- Direct phone or SMS: +1 (941) 544-7242 (monitored 24/7 by the Incident Commander)
Detection signals include but are not limited to: anomalous Amazon SP-API call patterns, unrecognized logins to Shopify Admin, unexpected credential prompts, alerts from Cloudflare or hosting providers, anti-virus or EDR alerts, third-party breach disclosures, or any customer or partner report indicating a possible compromise of NSP Nutrition systems or data.
5. 24-hour incident notification procedures
Once a security incident is detected and triaged, the Incident Commander follows this notification timeline. The maximum elapsed time from detection to first notification of affected parties is 24 hours.
| Hour from detection | Action | Owner |
|---|---|---|
| 0 – 1 | Initial triage; classify severity (Low / Medium / High / Critical); confirm scope of affected data | Technical Lead |
| 1 – 4 | Containment actions: rotate credentials, revoke compromised access, isolate affected systems | Technical Lead |
| 4 – 12 | Forensic evidence collection; document the timeline; identify root cause | Technical Lead |
| 12 – 24 | Notify affected external parties as required, including Amazon at security@amazon.com when Amazon Information is involved, and any other partners or regulators | Incident Commander |
Amazon-specific obligation: If a security incident involves Amazon Information (data retrieved from Selling Partner API or otherwise originating from Amazon systems), NSP Nutrition will notify Amazon at security@amazon.com within 24 hours of detection. The notification will include: a description of the incident, the type of Amazon Information involved, the estimated number of records affected, the date and time of detection, containment actions taken, and a point of contact at NSP Nutrition.
6. Containment, eradication, and recovery
6.1 Containment
Immediate actions taken to limit damage and prevent further unauthorized access:
- Rotate all potentially exposed credentials (Amazon SP-API LWA tokens, Shopify admin tokens, Meta Ads tokens, Google Ads OAuth, ShipBob PATs, Cloudflare tokens)
- Revoke active sessions in affected admin panels
- Block suspicious IP addresses at the Cloudflare layer
- Isolate any compromised endpoint from the network until forensically cleared
6.2 Eradication
Remove the root cause of the incident: patch vulnerabilities, remove malware, terminate unauthorized accounts, and validate that no persistent access remains.
6.3 Recovery
Restore affected systems to normal operation, monitor for recurrence for at least 30 days, and reissue rotated credentials to authorized users with mandatory multi-factor authentication.
7. Post-incident review
Within 30 days of incident closure, the Incident Commander conducts a formal post-incident review covering:
- Timeline of events from detection through recovery
- Root cause analysis
- Effectiveness of detection, containment, and recovery actions
- Lessons learned
- Specific corrective actions with owners and due dates
- Updates to this plan if applicable
The post-incident review is documented and retained for at least three years.
8. Six-month plan review
This Incident Response Plan is reviewed and updated at least every six months, or sooner if any of the following occurs:
- A material change in the systems, vendors, or data flows operated by NSP Nutrition
- A real incident is declared and closed
- A new regulatory or contractual obligation applies
- A new tool or third-party integration is added that handles Amazon Information or PII
The Incident Commander is responsible for scheduling and conducting the review. The next scheduled review date is 2026-11-10. The review covers: role assignments, contact information, the vendor list contained in this plan, notification thresholds, and the continued relevance of each control section.
9. Vendor and third-party considerations
Where a security incident involves a third-party service provider (Shopify, Amazon, ShipBob, Cloudflare, Google, Meta, Higgsfield, Microsoft Clarity, or others), NSP Nutrition coordinates with that provider's security team in addition to internal response actions. NSP Nutrition maintains the right to terminate any vendor relationship in which the vendor's security practices materially fail to meet NSP Nutrition's standards.
10. Credentials and access management
All credentials used to access Amazon Information and other protected data are stored exclusively in the operating system's secure credential vault (Windows Credential Manager via keytar). Credentials are never stored in source control, never hardcoded in application code, never shared via insecure channels, and never embedded in public documents.
Access to credentials is limited to personnel with a documented business need. The Incident Commander reviews credential inventory and access at each six-month plan review.
11. Encryption
NSP Nutrition encrypts Amazon Information in transit using TLS 1.2 or higher for all API communications. Data at rest on operator workstations is protected by full-disk encryption (BitLocker on Windows or FileVault on macOS).
12. Approval and acknowledgement
This Incident Response Plan is approved by Diego Fentanes, President, NSP Supplements Inc., and is effective as of the Effective Date listed at the top of this document.
All personnel and contractors with access to Amazon Information or protected data acknowledge receipt of this plan and agree to follow its procedures.
Contact for security matters: diego@nspnutrition.com | +1 (941) 544-7242
For Amazon-related security incidents, NSP Nutrition will additionally notify security@amazon.com within 24 hours of detection.