Incident Response

Effective 2026-05-12

Funds safety first. OpenSettle is non-custodial. We never take custody of, control, or hold signing authority over any user's digital assets. Our infrastructure cannot sign transactions on a merchant's behalf and cannot move funds out of a merchant wallet. A full compromise of OpenSettle infrastructure does not endanger funds held in merchant wallets, because the system that would be needed to move those funds — your private keys — never touches our servers. This is the architectural reason we built OpenSettle this way.

Notification commitment. If we confirm a security incident that affects your data or your funds, we will notify you within 72 hours of confirmation. Notification is sent to all workspace admins by email, posted to opensettle.io/status, and surfaced as a banner inside the dashboard. We notify even when not strictly required by law — silence is not a strategy we use.

Statutory minimums and overlap. We comply with the strictest applicable breach-notification law for each affected user. That includes GDPR Article 33 (72 hours to the supervisory authority for EU/EEA personal data breaches), the New York SHIELD Act, California Civil Code section 1798.82 as amended by AB 1130, the UK Data Protection Act 2018, and equivalent state and national regimes. When two laws conflict on timing, scope, or recipient, we follow the strictest reading.

Internal procedure. We page the on-call engineer, isolate affected systems, contain the incident, preserve forensic evidence, complete a root-cause analysis, notify customers, and publish a postmortem. We deliberately do not publish operational detail (paging rotations, runbooks, tooling) on this page because that information helps attackers more than it helps the public. We are happy to share more under NDA with enterprise customers who require it for their own vendor-risk review.

Postmortems. For any material incident — defined as one that triggered customer notification or significant service degradation — we publish a public postmortem within 30 days, linked from opensettle.io/status and emailed to affected workspace admins. Postmortems cover what happened, what we knew when, what we changed, and what the customer impact was. We do not redact root cause to look better.

Compromised merchant API keys. API keys cannot move funds. They can read workspace state and create payment intents addressed to wallets the merchant has already configured. If a key is exposed: log in to the dashboard and revoke it from Settings → API keys; rotate the key (the old key stops working immediately, the new key is issued at the same moment); review the audit log for unexpected activity in the affected window; review on-chain settlement addresses to confirm they have not been changed. If you cannot access your dashboard, email security@opensettle.io with subject line "API key incident" and we will revoke the key on your behalf after identity verification.

Reporting an incident to us. If you suspect an incident affecting your OpenSettle account or our infrastructure, write to security@opensettle.io. Mail transits TLS-encrypted to our inbox. A dedicated PGP key will be published at /.well-known/pgp-key.txt when available — see /legal/vulnerability-disclosure for the current state. For non-confidential operational issues use opensettle.io/status or support@opensettle.io.

Status and history. opensettle.io/status is the canonical source for current and historical incidents. Postmortems, the platform security audit, and any third-party assessments are available on request — email security@opensettle.io.

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.