Incident Response & Onboarding
Incident Response
This page documents the incident classification system, the end-to-end response process, escalation paths, the post-mortem template, and communication templates for client-facing outages.
1. Incident Classification
Classify every incident as early as possible. Classification determines the response speed and communication requirements.
| Priority | Name | Definition | Response Window | Examples |
|---|---|---|---|---|
| P1 | Critical / Full Outage | The application is completely unavailable, or a core workflow is broken for all users | 15 minutes | Homepage returns 500, login broken for all users, payments failing for all clients, database unreachable |
| P2 | Major Feature Degraded | A key feature is broken for a significant portion of users, but the application is otherwise available | 1 hour | Invoices cannot be created, email delivery down, file uploads failing, cron jobs not running |
| P3 | Partial / Minor Feature | A feature is degraded for some users, or an edge case is broken | 4 hours | Search returns incorrect results, sorting on a table broken, notifications delayed, minor display issues affecting workflow |
| P4 | Cosmetic / Low Impact | Visual issues, minor UX problems, or non-urgent bugs with no operational impact | Next business day | Button color wrong, typo in UI text, report CSV has an extra column |
It is always better to treat a P2 as a P1 initially and downgrade it after investigation than to treat a P1 as a P2 and miss the response window. Classification can be revised at any point during the incident.
2. Incident Response Steps
a. Detect
Incidents are detected through one of three channels:
- Automated alert: an UptimeRobot downtime notification or Sentry error spike alert fires to the `#crm-alerts` Slack channel and the primary engineer's email.
- User or client report: a client or staff member reports an issue via support ticket, Slack, or direct message.
- Engineering discovery: an engineer notices an anomaly during routine work or monitoring review.
When detected: Immediately check the Sentry dashboard and Vercel logs to assess scope and severity before classifying.
b. Classify
Apply the classification table above. Key questions:
- Is the application completely unreachable? → P1
- Can users log in? → If no, P1
- Is payment processing broken? → P1 or P2
- Is it affecting all users or a subset? → All = higher priority
- How many clients are actively impacted right now? → More = higher priority
c. Acknowledge
The first engineer to see the alert claims ownership of the incident within the response window:
- Post in `#crm-alerts`: "@channel I'm picking up the [P1/P2] incident - [brief description]. Investigating now."
- Do not have multiple engineers independently investigating without coordination. Assign one lead; others assist on request.
d. Communicate
Internal communication:
- Post status updates to #crm-alerts every 15 minutes for P1, every 30 minutes for P2.
- Tag the Tech Lead and Operations Manager for P1.
External communication (clients):
- For P1 incidents lasting more than 15 minutes, the Operations Manager sends a client communication (see templates below).
- For P2 incidents lasting more than 1 hour, consider proactive communication if the affected feature is client-visible (invoice access, portal login, etc.).
- For P3/P4, no proactive client communication unless a client has already reported the issue to you.

Update the status page (UptimeRobot public page) immediately for P1:
- Set the affected monitors to "Under Maintenance" to suppress repeated alerts while the incident is active.
e. Investigate
Systematic investigation steps for production incidents:
- Check recent deployments: Vercel Dashboard → Deployments. Did an incident start within 30 minutes of a deployment? That deployment is the prime suspect.
- Check Sentry: look for new issues or spikes that started around the incident time. Check the stack trace for the root cause.
- Check Vercel edge logs: filter by the affected route. Look for 500 errors, timeouts, or unexpected response patterns.
- Check Supabase: Supabase Dashboard → Database → Logs. Look for query errors, connection pool exhaustion, or RLS policy failures.
- Check external providers:
  - Stripe status: https://status.stripe.com
  - Supabase status: https://status.supabase.com
  - Vercel status: https://www.vercel-status.com
  - Resend status: https://status.resend.com

  If a provider has an active incident, that is likely the root cause. Monitor their status page and wait for resolution.
- Check environment variables: if a recent deployment changed env vars, verify the values are correct in Vercel Dashboard → Settings → Environment Variables.
f. Mitigate
Mitigate before fully resolving when possible: stop the bleeding, then fix the cause.
| Scenario | Mitigation |
|---|---|
| Bad deployment | Immediately roll back in Vercel Dashboard → Deployments → last known-good deployment → "Promote to Production" |
| Database query causing load | Identify the query in Supabase logs; if it's from a new feature, disable that feature's route temporarily |
| Stripe webhook loop | Disable the webhook endpoint in Stripe Dashboard temporarily; re-enable after fixing the handler |
| Leaked secret | Immediately revoke and rotate (see Secrets Management emergency procedure) |
| Email delivery down | Resend failures affect notifications only; the app remains functional. Inform users of the delay |
g. Resolve
Resolution is complete when:
- The root cause is fixed (not just mitigated).
- The fix is deployed to production.
- Affected functionality is verified to be working in production.
- Any data inconsistencies caused by the incident are corrected.
- External provider incidents are resolved and services confirmed normal.
Declare resolution:
Post in #crm-alerts: "[P1/P2] incident RESOLVED. [Brief summary of root cause and fix]. All services normal. Post-mortem to follow within 48h."
Update the UptimeRobot status page to reflect the incident is resolved.
h. Document: Post-Mortem
For P1 and P2 incidents, a post-mortem must be completed within 48 hours of resolution. Use the template in Section 4.
3. Escalation Path
```
Monitoring Alert or User Report
│
▼
Primary Engineer
(claim ownership within response window)
│
├── P3/P4: Engineer resolves without escalation
│
├── P2 not resolved in 1 hour ──► Tech Lead
│
├── P1 immediately ─────────────► Tech Lead + Operations Manager
│
├── Not resolved in 2 hours ──► CTO
│
└── Vendor support (Vercel / Supabase / Stripe) as needed
```
| Role | Responsibility |
|---|---|
| Primary Engineer | Technical investigation and fix |
| Tech Lead | Decision-making on mitigations (rollback, disable feature, etc.); coordinates engineering resources |
| Operations Manager | Client communication, status page updates, internal stakeholder updates |
| CTO | Final authority on major decisions (extended rollback, data loss disclosure, vendor engagement) |
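The timing rules from step 2d and the escalation path above can be checked mechanically. The following is an added example, not part of the original runbook; the function and field names are hypothetical, elapsed time is assumed to run from first detection, and the 2-hour CTO step is assumed to apply to P1 and P2.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Time limits copied from the classification table, step 2d and Section 3.
ACK_WINDOW = {"P1": timedelta(minutes=15), "P2": timedelta(hours=1),
              "P3": timedelta(hours=4), "P4": None}  # P4: next business day
UPDATE_EVERY = {"P1": timedelta(minutes=15), "P2": timedelta(minutes=30)}
# Assumption: the escalation tree does not say which priorities the 2-hour
# CTO step covers; it is applied here to the priorities that escalate at all.
CTO_AFTER = {"P1": timedelta(hours=2), "P2": timedelta(hours=2)}


@dataclass
class Plan:
    ack_deadline: Optional[datetime]  # None for P4 (no fixed window)
    ack_overdue: bool
    escalate_to: List[str]
    status_update_due: bool
    client_notice: str  # "send" | "consider" | "reporter-only" | "none"


def incident_plan(priority, detected_at, now, acknowledged_at=None,
                  last_update_at=None, client_visible=False,
                  client_reported=False):
    """Return what the runbook requires at `now` for an unresolved incident.

    All datetimes must be timezone-aware (the post-mortem timeline uses UTC).
    """
    if priority not in ACK_WINDOW:
        raise ValueError(f"unknown priority: {priority!r}")
    elapsed = now - detected_at
    if elapsed < timedelta(0):
        raise ValueError("now is earlier than detected_at")

    # Ownership must be claimed inside the response window.
    window = ACK_WINDOW[priority]
    ack_deadline = detected_at + window if window is not None else None
    ack_overdue = (acknowledged_at is None and ack_deadline is not None
                   and now > ack_deadline)

    # Escalation path: P1 immediately, P2 after 1 hour, CTO after 2 hours.
    escalate_to = []
    if priority == "P1":
        escalate_to += ["Tech Lead", "Operations Manager"]
    elif priority == "P2" and elapsed >= timedelta(hours=1):
        escalate_to.append("Tech Lead")
    if priority in CTO_AFTER and elapsed >= CTO_AFTER[priority]:
        escalate_to.append("CTO")

    # Internal #crm-alerts cadence, measured from the most recent post.
    interval = UPDATE_EVERY.get(priority)
    last_post = last_update_at or acknowledged_at or detected_at
    status_update_due = interval is not None and now - last_post >= interval

    # Client communication rules from step 2d.
    if priority == "P1" and elapsed > timedelta(minutes=15):
        client_notice = "send"
    elif priority == "P2" and elapsed > timedelta(hours=1) and client_visible:
        client_notice = "consider"
    elif priority in ("P3", "P4") and client_reported:
        client_notice = "reporter-only"  # not proactive: reply to the reporter
    else:
        client_notice = "none"

    return Plan(ack_deadline, ack_overdue, escalate_to,
                status_update_due, client_notice)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed times
    print(incident_plan("P1", t0, t0 + timedelta(hours=2, minutes=5),
                        acknowledged_at=t0 + timedelta(minutes=4),
                        last_update_at=t0 + timedelta(minutes=100)))
```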
4. Post-Mortem Template
Copy and fill in within 48 hours of P1/P2 resolution.
## Incident Post-Mortem
**Date:** YYYY-MM-DD
**Severity:** P1 / P2
**Duration:** HH:MM (from first detection to full resolution)
**Incident Lead:** [Name]
**Participants:** [Names]
---
### Impact
- Number of users affected:
- Features affected:
- Client-facing impact:
- Data loss or corruption: Yes / No (describe if yes)
---
### Timeline
| Time (UTC) | Event |
|---|---|
| HH:MM | Incident detected via [alert / user report / engineering] |
| HH:MM | Engineer claimed ownership |
| HH:MM | Root cause identified |
| HH:MM | Mitigation applied |
| HH:MM | Fix deployed |
| HH:MM | Resolution confirmed |
---
### Root Cause
[Clear, specific description of what failed and why. Avoid blame; focus on the system or process failure.]
---
### Fix Applied
[What was changed to resolve the incident.]
---
### Prevention Actions
| Action | Owner | Due Date |
|---|---|---|
| [e.g., Add input validation to the invoice creation route] | [Name] | YYYY-MM-DD |
| [e.g., Add unit test for the failing edge case] | [Name] | YYYY-MM-DD |
---
### Follow-Up Items
- [ ] Update runbook if this incident revealed a gap
- [ ] Add monitoring/alert for this failure mode
- [ ] Review if similar issues exist in related code
5. Client Communication Templates
Use these templates for P1 incidents that are client-visible. Send from the Operations Manager's email.
Initial Notification (send within 15 minutes of P1 declaration)
Subject: SONAN DIGITAL Platform – Service Disruption Notice
Dear [Client Name / "Valued Client"],
We are writing to inform you that we are currently experiencing a service disruption affecting [describe: the client portal / invoice access / [specific feature]].
Our engineering team is actively investigating and working to restore full service as quickly as possible.
We will provide an update within [30 minutes / 1 hour].
We sincerely apologize for the inconvenience. If you have an urgent need during this period, please contact us directly at [support email / phone].
– The SONAN DIGITAL Team
Update During Extended Incident (send every 30–60 minutes for ongoing P1)
Subject: SONAN DIGITAL Platform – Service Disruption Update
Dear [Client Name / "Valued Client"],
This is an update on the ongoing service disruption we notified you about at [time].
Current status: [The issue has been identified and a fix is being deployed. / We have identified the root cause and are working with [provider name] to resolve it. / We are continuing to investigate.]
Expected resolution: [Estimated time, or "We will provide another update by [time]."]
We appreciate your patience and apologize for the disruption.
– The SONAN DIGITAL Team
Resolution Notice
Subject: SONAN DIGITAL Platform – Service Restored
Dear [Client Name / "Valued Client"],
We are pleased to inform you that the service disruption that began at [time] has been fully resolved as of [time].
All platform features are now operating normally. If you experience any further issues, please do not hesitate to contact us at [support email].
We apologize for the inconvenience this caused and are committed to preventing similar incidents. A full review of the root cause has been completed.
Thank you for your patience and understanding.
– The SONAN DIGITAL Team
Client Onboarding
This guide is for admin staff performing the onboarding of a new agency client into the SONAN DIGITAL CRM. Follow each step in order. The target is to have a client fully onboarded, with portal access and a scheduled kickoff, within 24 hours of contract signing.
Overview
| Step | Action | Done by | Expected time |
|---|---|---|---|
| 1 | Create client record | Admin | 5 min |
| 2 | Add primary contact | Admin | 5 min |
| 3 | Assign account manager | Admin | 2 min |
| 4 | Create initial proposal (if applicable) | Admin / Account Manager | 15–30 min |
| 5 | Set up portal access and send invitation | Admin | 5 min |
| 6 | Verify invitation received and password created | Admin (confirm with client) | Up to 24 hours |
| 7 | Schedule kickoff meeting | Admin / Account Manager | 5 min |
| 8 | Brief client on portal and send documentation | Admin / Account Manager | 10 min |
Step 1: Create Client Record
- Log in to the CRM admin panel.
- Navigate to Clients → New Client (or click the + New Client button in the Clients list).
- Fill in all required fields:
| Field | Notes |
|---|---|
| Company Name | Official company name as it will appear on invoices |
| Email | Company/billing email address |
| Phone | Primary company phone number |
| Address | Full billing address; required for invoice generation |
| Industry | Optional but useful for reporting |
| Status | Set to Active |
- Click Save.
- Note the new client's ID from the URL; you will need it to associate contacts, proposals, and projects.
The company email entered here is used for billing correspondence (invoice emails, payment confirmations). It may differ from the primary contact's personal email added in Step 2.
Step 2: Add Primary Contact
Every client must have at least one contact record, and at least one contact should be marked as primary.
- Open the newly created client record.
- Click Contacts → Add Contact.
- Fill in:
| Field | Notes |
|---|---|
| Name | Full name of the primary contact person |
| Email | Contact's personal work email; this is the email that will receive the portal invitation |
| Phone | Direct phone number |
| Title | Job title (e.g., CEO, Marketing Manager) |
| Is Primary | Check this box; it designates this contact as the main point of contact |
- Click Save.
If the client has multiple stakeholders (e.g., a billing contact and a project contact), add all of them now. You can designate one as primary and others as secondary. All contacts are visible in the client record.
Step 3: Assign Account Manager
- Open the client record.
- Find the Account Manager field (or Assigned Manager; this maps to `assigned_manager_id` in the database).
- Select the relevant team member from the dropdown.
- Click Save.
The assigned account manager will receive notifications related to this client (new messages, proposal responses, invoice payments, etc.).
If no account manager is assigned, broadcast notifications go to all admin users. Always assign an account manager before the client becomes active.
Step 4: Create Initial Proposal (If Applicable)
If a proposal has not yet been signed, or if a new scope of work needs to be created:
- Navigate to Proposals → New Proposal.
- Select the Client created in Step 1.
- Fill in the proposal title, description, valid until date, and line items.
- Set status to `Draft`.
- Review and set to `Sent` when ready to share with the client.
The client will be able to view and approve the proposal from their portal once they have portal access (Step 5).
If the client already has a signed contract and this onboarding is for a new project cycle, skip this step.
Step 5: Set Up Portal Access and Send Invitation
The client portal invitation sends an email to the primary contact with a link to create their password and access the portal.
- Open the client record.
- Click Portal Access or Send Invitation (location may vary; look in the client record action menu or the Contacts section).
- Confirm the invitation will be sent to the primary contact's email address.
- Click Send Invitation.
The system will:
- Create a Supabase Auth user for the contact's email with role client.
- Send an invitation email via Resend with a password setup link (valid for 24 hours by default).
The password setup link in the invitation email expires after 24 hours. If the client does not set up their account within 24 hours, you will need to resend the invitation. Do not send a new invitation without first confirming the client has not already set up their account; check the CRM for their login status.
Step 6: Verify Invitation Received and Account Created
This is a critical verification step. Do not mark onboarding complete until confirmed.
- Within 4 hours of sending the invitation, follow up with the client to confirm the invitation email was received.
  - Check their spam/junk folder if not received.
  - If not received after 15 minutes, see Common Issues below.
- Confirm the client has successfully created their password and can log in:
  - Ask the client to confirm they can access `https://yourdomain.com` and see their dashboard.
  - Alternatively, check the CRM for a `last_sign_in` timestamp on the client's user record.
- Verify the client can see relevant data: confirm they can view their proposals, project status, and any shared files from their portal.
Step 7: Schedule Kickoff Meeting
- Coordinate with the client and the assigned account manager to find a meeting time.
- Schedule the kickoff in the CRM Appointments module or the team calendar tool.
- Send a calendar invite to:
- The client's primary contact
- The assigned account manager
- Any other relevant team members
The kickoff meeting agenda should cover:
- Introduction to the account team
- Review of scope and deliverables
- Communication and feedback expectations
- Walk-through of the client portal
- Q&A
Step 8: Brief Client on Portal and Share Documentation
After the client has portal access:
- Send the client the Client Portal Guide link:
- Share the documentation portal URL and direct them to the Client Guide section.
- Briefly explain the key portal features:
- Viewing and approving proposals
- Signing contracts electronically
- Making invoice payments
- Tracking project progress
- Submitting support tickets
- Provide the support contact email for any portal access issues.
Onboarding Checklist (Quick Reference)
Print or copy this checklist for use during actual onboarding:
CLIENT ONBOARDING CHECKLIST
Client: ________________________ Date: ______________
Onboarded by: __________________
[ ] 1. Client record created (company name, email, phone, address, status = Active)
[ ] 2. Primary contact added (name, email, phone, title, is_primary = true)
[ ] 3. Account manager assigned
[ ] 4. Initial proposal created (or N/A: contract already signed)
[ ] 5. Portal invitation sent to: ________________________ (email)
[ ] 6. Client confirmed invitation received
[ ] 7. Client confirmed successful login to portal
[ ] 8. Client can view their proposals / projects in portal
[ ] 9. Kickoff meeting scheduled: ____________ (date/time)
[ ] 10. Client briefed on portal features and documentation link shared
Timeline Target
| Milestone | Target |
|---|---|
| Client record created | Same day as contract signing |
| Portal invitation sent | Within 4 hours of contract signing |
| Client confirms portal access | Within 24 hours of invitation |
| Kickoff meeting scheduled | Within 48 hours of contract signing |
| Kickoff meeting held | Within 5 business days of contract signing |
Common Issues
Invitation email not received
- Ask the client to check their spam / junk folder first.
- Verify in Resend Dashboard that the email was delivered successfully (look for the contact's email in sent emails).
- If Resend shows delivery but the client still cannot find it, the email may have been filtered by the client's corporate mail gateway. Ask their IT team to whitelist `@resend.dev` (or your sending domain).
- If the email was not sent (Resend shows no record), check that the contact's email was correctly entered in Step 2 and resend the invitation.
Client is confused about MFA / authentication
The client portal does not require TOTP MFA by default (only admin/staff accounts require MFA). The client simply sets a password via the invitation link. If they are seeing a two-factor prompt, verify their account was created with the correct role (client, not admin).
Invitation link has expired
- Go to the client's contact record.
- Click Resend Invitation.
- Notify the client that a new link has been sent and that the previous link is no longer valid.
- The new link is also valid for 24 hours.
Client cannot see their data after logging in
- Verify the client's user account is linked to the correct client record (the `client_id` on their Supabase Auth user profile must match).
- Verify RLS policies are allowing the client to read their own data.
- Check Sentry for any errors occurring when the client accesses their dashboard.
Employee Onboarding
This guide is for admin staff responsible for adding new team members to the SONAN DIGITAL CRM. It covers the invitation process, role assignment, MFA setup, project assignment, and the corresponding offboarding procedure.
Overview
| Step | Action | Done by | Expected time |
|---|---|---|---|
| 1 | Create employee invite | Admin | 5 min |
| 2 | Set role | Admin | 2 min |
| 3 | Verify invite received | Admin (confirm with employee) | Up to 1 hour |
| 4 | Employee sets password and logs in | Employee | 10 min |
| 5 | Guide employee through MFA setup | Admin / Employee | 10–15 min |
| 6 | Assign to relevant projects | Admin / Team Lead | 10 min |
| 7 | Brief on time logging expectations | Admin / Team Lead | 10 min |
| 8 | Provide documentation portal access | Admin | 5 min |
| 9 | Add to team communication channels | Admin | 5 min |
Step 1: Create Employee Invite
- Log in to the CRM admin panel.
- Navigate to Settings → Team Management.
- Click Invite Team Member (or + Invite Employee).
- Enter the new employee's work email address.
- Proceed to Step 2 before sending; the role must be set correctly.
The system defaults to creating accounts with the employee role. Verify the role is correct before the invitation is sent. An employee incorrectly created with client role will not be able to access the admin panel.
Step 2: Set Role
Select the appropriate role for the new team member:
| Role | Access Level | Use for |
|---|---|---|
| `employee` | Can log time, view assigned projects and tasks, access employee-facing modules | Most new hires: developers, designers, project coordinators |
| `admin` | Full access to all CRM modules, including client data, invoices, proposals, settings | Senior staff, account managers, team leads, operations staff |
Important: The admin role grants access to all client financial data, contracts, and system settings. Only assign admin access where it is genuinely required.
Once the role is confirmed, click Send Invitation.
The system will:
- Create a Supabase Auth user with the selected role.
- Send an invitation email via Resend to the new employee's email address.
Step 3: Verify Invite Received
- Follow up with the new employee to confirm the invitation email arrived.
- Ask them to check their spam / junk folder if not received within 15 minutes.
- If the email was not delivered, check the Resend Dashboard for the send record and delivery status.
- If the email address was entered incorrectly, deactivate the incorrectly-created account (Settings → Team → deactivate) and send a new invitation with the correct email.
The invitation link is valid for 24 hours.
Step 4: Employee Sets Password and Logs In
The employee:
- Clicks the invitation link in the email.
- Sets a strong password (minimum 12 characters, mix of uppercase, lowercase, numbers, symbols recommended).
- Is redirected to the CRM admin panel on first successful login.
Confirm with the employee that they can access the dashboard and see the navigation appropriate to their role.
Step 5: Guide Employee Through MFA Setup
Multi-factor authentication (TOTP) is required for all staff accounts.
Have the employee complete MFA setup on their first login session:
- The employee navigates to Profile / Account Settings → Security → Enable Two-Factor Authentication.
- They will see a QR code.
- They open an authenticator app (Google Authenticator, Authy, or 1Password) and scan the QR code.
- They enter the 6-digit TOTP code to confirm setup.
- They are shown backup codes. Instruct them to save these codes securely (in a password manager, not in plain text or email). Backup codes are single-use recovery codes for use if they lose their authenticator device.
Do not complete the onboarding without confirming MFA is active. Admin accounts with access to client financial data and contracts must be protected by MFA. If an employee skips MFA setup, remind them that they are required to complete it and follow up within 24 hours.
If an employee loses access to their TOTP device: An admin can reset MFA for the user via Settings → Team Management → [User] → Reset MFA. The employee will then complete MFA setup again on next login.
Step 6: Assign to Relevant Projects
- Navigate to Projects in the CRM admin panel.
- Open each project the new employee will be working on.
- Go to the project's Team or Members section.
- Add the employee as a team member.
- Confirm their role on the project (e.g., Developer, Designer, Project Manager).
Repeat for each active project the employee is joining.
For large teams, it may be more efficient to assign the employee to projects over the first week as their responsibilities become clear, rather than assigning all projects on day one.
Step 7: Brief on Time Logging Expectations
All employees are expected to log time accurately for client billing and project reporting. Cover the following during the briefing:
- How to log time: Projects → select project → Tasks → select task → Log Time (or Time Logs section).
- Required fields: hours, date, optional note.
- Logging frequency: Time should be logged daily or at least weekly, not retrospectively at month end.
- Rounding policy: Agree on the team's standard (e.g., nearest 15 minutes).
- What counts as billable vs. non-billable time (if applicable).
- How to correct a time log: Logged time can be edited by the employee or an admin.
Step 8: Provide Documentation Portal Access
Share the documentation portal URL with the new employee:
- Send them the link to this documentation portal.
- Point them specifically to the Employee Guide section (if available), which covers:
- How to use the time logging module
- How to view and update assigned tasks
- How to submit project updates
- How to use the support / communication modules
If there is a team internal wiki or onboarding doc, share that link as well.
Step 9: Add to Team Communication Channels
Ensure the new employee is added to:
- [ ] Slack (or team's primary messaging tool): invite via the workspace admin panel.
- [ ] Relevant project channels in Slack.
- [ ] Google Workspace / Microsoft 365 group or team (if applicable).
- [ ] Team calendar (share relevant calendars, add to recurring stand-ups or team meetings).
- [ ] Any project management tools used alongside the CRM (Notion, Linear, Jira, etc.).
- [ ] GitHub organization / team (if applicable, for engineering staff).
Onboarding Checklist (Quick Reference)
EMPLOYEE ONBOARDING CHECKLIST
Employee Name: _________________ Start Date: __________
Role: __________________________ Onboarded by: ________
[ ] 1. Invite sent to: ________________________ (email)
[ ] 2. Role confirmed: employee / admin (circle one)
[ ] 3. Employee confirmed invite received
[ ] 4. Employee set password and successfully logged in
[ ] 5. MFA (TOTP) set up and verified
[ ] 6. Backup codes saved by employee (confirmed)
[ ] 7. Assigned to projects: _______________________________
[ ] 8. Time logging expectations discussed
[ ] 9. Documentation portal link shared
[ ] 10. Added to Slack and relevant channels
[ ] 11. Added to calendar / team meetings
Offboarding Checklist
When a team member leaves the organization, follow this checklist on their last day or immediately upon notice of departure:
Immediate actions (same day)
- [ ] Deactivate the CRM account: Settings → Team Management → select the employee → Deactivate Account. This immediately revokes their access to the CRM and all client data.
- [ ] Revoke Vercel access (if applicable): Vercel Dashboard → Team Settings → Members → Remove.
- [ ] Revoke Supabase access (if applicable): Supabase Dashboard → Project Settings → Team → Remove.
- [ ] Revoke GitHub access: GitHub Organization → People → remove or change role.
- [ ] Revoke Sentry access: Sentry → Organization Settings → Members → Remove.
- [ ] Remove from Slack: Slack workspace admin → Deactivate account.
- [ ] Remove from Google Workspace / M365 (if applicable).
- [ ] Change any shared passwords the employee had access to (admin panel credentials, shared tools).
Before deactivation (if time allows)
- [ ] Reassign open tasks: navigate to the employee's task list and reassign any open/in-progress tasks to another team member.
- [ ] Reassign as account manager: search for clients where `assigned_manager_id` is the departing employee and reassign to a new manager.
- [ ] Audit time logs: confirm all time logs up to the last working day are submitted and accurate. Time logs cannot easily be added by the employee after account deactivation.
- [ ] Transfer project ownership: if the employee was a project lead, assign a new lead before deactivating.
Within one week
- [ ] Rotate any secrets the employee had access to: if they had access to Vercel environment variables or were listed as a Stripe/Supabase admin, rotate the relevant secrets per the Secrets Management rotation procedure.
- [ ] Document the offboarding in the team log with the date, employee name, and confirmation that access was revoked.
CRM access to client financial data, contracts, and proposals must be revoked on the employee's last day, not at the end of the week. If there is any concern about the circumstances of the departure, deactivate access immediately and handle data transfer tasks through an admin account.