Rationarium Incident Notification Policy
Effective Date: January 1, 2026
Review Cycle: Annual
Policy Owner: Chief Executive Officer / Chief Technology Officer, Rationarium Inc.
Last Documented Review: December 9, 2025
Purpose
This policy defines Rationarium Inc.’s commitments for detecting, notifying, and communicating about security incidents and service outages that affect institutional customers.
Scope
Covers any event — actual or reasonably suspected — involving:
- Unauthorized access to or disclosure of customer data
- Loss, corruption, or unavailability of customer data
- Compromise of the infrastructure hosting a customer environment
- Service outages exceeding thirty (30) minutes and affecting one or more customer instances
Detection
Rationarium detects incidents through a combination of:
- Continuous monitoring using Prometheus, Grafana, Uptime Kuma, and custom WeBWorK health exporters
- Automated on-call alerting by push notification via ntfy
- Customer reports received at support@rationarium.org or directly at andrew@rationarium.org
- Upstream advisories from DigitalOcean, the WeBWorK open-source community, and public security feeds
Incident Response
Rationarium’s written incident response runbook guides investigation, containment, remediation, and review. Incidents are handled by the CEO/CTO with support from the WeBWorK community for application-layer matters.
Notification Commitments
Rationarium commits to the following notification timelines for any confirmed incident:
| Incident Type | Notification Target | Delivery Channel |
|---|---|---|
| Suspected or confirmed data breach | ≤ 4 hours from confirmation | Direct email to designated customer contacts, plus any additional parties required by contract or law |
| Service outage affecting availability | ≤ 1 hour from confirmation | Status page plus direct email to customer administrator |
| Significant unplanned configuration change | ≤ 4 hours from change | Direct email to customer administrator |
Initial notification includes what is known at the time. Updates are delivered at least daily until the incident is resolved. A written post-incident report is delivered within five (5) business days of resolution, summarizing:
- Timeline of events
- Scope of the incident and any data affected
- Root cause
- Containment and remediation actions taken
- Preventive measures implemented or planned
- Recommendations to the customer, where applicable
University System of Georgia (USG) Specific Commitment
For Rationarium instances hosted on behalf of University System of Georgia institutions, in the event of a confirmed security incident or data breach affecting USG data, Rationarium will promptly notify all of the following within four (4) hours of confirmation:
- GeorgiaVIEW — georgiaview@usg.edu
- USG Cybersecurity — cybersecurity@usg.edu
- USG Support — support@usg.edu
- The affected USG institutional customer
Rationarium Inc. acknowledges this requirement and will honor it for any USG instance during the term of the hosting agreement.
Regulatory Notification
Rationarium will cooperate with institutional customers in meeting their own regulatory notification obligations under FERPA, applicable state breach-notification laws, and other relevant regulations. Rationarium does not substitute for the institution’s own legal counsel or regulator relationships.
Customer Responsibilities
To enable timely notification, customers are asked to:
- Provide current email addresses for at least two designated administrative contacts
- Notify Rationarium promptly when administrative contacts change
- Forward suspected security concerns to andrew@rationarium.org
Policy Review
This policy is reviewed annually. Any change affecting notification commitments will be communicated to customer administrators with at least thirty (30) days' notice before taking effect.