Security Incident Response Plan

VTEX has a structured Security Incident Response Plan designed to minimize risks, mitigate impact, and ensure a swift recovery from security incidents. This plan consists of the following phases: preparation; containment, eradication, and recovery; identification; communication; and post-incident activities.

Figure: diagram of the five phases of the Security Incident Response Plan (image: https://raw.githubusercontent.com/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/Security/Information%20security%20compliance/security-incident-response-plan_1.png)

1. Preparation

To prevent security incidents, VTEX takes the following measures:

  • Assessing environment risks.
  • Implementing security baselines and applying patch updates regularly.
  • Enforcing least privilege access controls.
  • Safeguarding perimeter security.
  • Preventing malware infections.
  • Conducting security awareness campaigns.

2. Containment, eradication, and recovery

Before taking corrective actions, VTEX collects, preserves, protects, and documents all evidence.

All assets involved in the incident must be preserved, and no evidence can be deleted or changed without proper authorization. If the evidence contains confidential information, encryption is mandatory.

After resolving an incident, VTEX assesses whether other environments are exposed to, or have already suffered, the same type of attack, so that the root cause is addressed everywhere it applies. The responsible team must restore the affected safeguards to a known-good, uncompromised state before the environment is considered recovered.

3. Incident identification

An anomalous event is classified as a security incident if it affects the availability, integrity, or confidentiality of information, systems, or services, or if it results from improper access or an attack.

VTEX may also initiate incident management preventively, while an event is still only anomalous, to stop it from escalating into an incident and to mitigate its potential impact.

4. Communication

This procedure includes an integrated communication plan that is applied throughout all phases of the response. VTEX notifies customers who may have been affected by the incident within 24 hours of confirming the incident.

5. Post-incident activities

Lessons learned and improvements from the incident response process are collected to improve security controls and to strengthen future incident management.

The objective is to analyze:

  • What happened and how.
  • What actions were taken.
  • Whether the response was effective.
