Breach Policy
If something ever goes wrong, here is what we will do, in what order, and on what timeline.
Our commitment: if there is a breach that affects your data, we will tell affected users within 72 hours of confirming its scope. We will tell you what was affected, what we know about how it happened, what we are doing about it, and what you should do next. We will not minimize or obscure a real incident involving user data.
What counts as a breach
For purposes of this policy, a security incident becomes a breach when one or more of the following occurs or is reasonably believed to have occurred:
- Unauthorized access to user vault content.
- Personal information disclosed to a party not authorized to receive it.
- Data destroyed, altered, or made inaccessible through an unauthorized action.
- A third-party provider we use reports an incident that may have exposed AscenVent user data.
Not every security event is a breach. A failed login attempt, a vulnerability patched before exploitation, or a denial-of-service event that does not affect data can still be serious, but those events do not trigger the user notification process below unless we determine user data was accessed or affected.
What we do when we discover an incident
Within the first hour
- Escalate the incident to AscenVent's founding team and technical lead.
- Contain affected systems where necessary, for example by isolating them from the network or taking them offline.
- Rotate affected credentials, API keys, and access tokens.
- Preserve logs and other forensic evidence in their original, unaltered form.
Within 24 hours
- Complete an initial scope assessment: what data may have been accessed, which users may be affected, and how entry was gained.
- If the incident involves sensitive vault content, notify affected users as soon as practical rather than waiting for every detail to be final.
- Consult legal counsel to assess notification obligations under applicable law.
- If the incident involves a third-party provider, coordinate with that provider on containment and remediation.
Within 72 hours of confirming scope
- Send affected users a direct notification that explains what happened, what data was affected, what we have done to stop it, and what you should do, if anything.
- Make regulatory notifications where required by applicable law.
- Continue follow-up communications as material facts change.
Following remediation
- Complete a post-mortem and summarize what we found and what we changed.
- Update our security materials if the incident reveals a gap in our published posture.
- Offer an account credit or fee waiver to affected users when the severity of the incident warrants it.
What the notification will include
If you receive a breach notification from AscenVent, it will tell you:
- The date the incident was discovered and, if known, the date it appears to have begun.
- What type of data was accessed. We will be specific enough for you to understand whether it was contact information, account inventory, uploaded documents, or another category.
- Whether high-sensitivity vault content was accessed, and if so, the affected categories.
- What we have done to stop the incident and reduce the risk of recurrence.
- Whether you need to take action, such as changing credentials for an external account if a recovery-location pointer was exposed.
- A direct way to contact AscenVent with questions.
What we will never do
- We will not delay notification to protect our reputation.
- We will not describe a breach in vague terms designed to minimize your understanding of what happened.
- We will not ask you to sign a non-disclosure agreement in exchange for information about an incident involving your own data.
- We will not claim a breach was theoretical or low risk if user data was in fact accessed.
How to report a vulnerability
If you discover a security issue before a bad actor does, please tell us. Email hello@ascenvent.co with the subject line "Security Disclosure" and include:
- A description of the vulnerability.
- Steps to reproduce it.
- What data or systems you believe could be affected.
We will respond in good faith, keep you informed as we investigate, credit you publicly if you would like, and not pursue legal action against a good-faith reporter.
How to check if you were affected
If you receive a notification that claims to be from AscenVent and you are not sure whether it is legitimate, or you want to confirm whether you were affected, do not use any link in the message. Go directly to https://www.ascenvent.co or email hello@ascenvent.co. AscenVent will never ask you to enter your password or vault credentials through a link in an email.
If you believe you are experiencing an active security emergency related to your account, email hello@ascenvent.co with "URGENT" in the subject line.
