Notification Service — Service Risk Register

Status: populated Owner: Platform Engineering Last updated: 2026-04-18

ID	Risk	Likelihood	Impact	Mitigation	Owner
R-NOTIF-01	CRITICAL system alert not delivered (SendGrid down + SMS fails)	Low	High	Dual channel; retry 3 times; NotifSystemAlertFailed fires → ops escalate to PagerDuty manually	SRE
R-NOTIF-02	Duplicate notification on NATS redelivery	Medium	Medium	source_event_id dedup in notification_log; integration test	Engineering
R-NOTIF-03	Template render error causes FAILED notification	Low	Medium	variablesSchema validation at save time; CI Mjml lint; plain-text fallback for email	Engineering
R-NOTIF-04	PII (email/phone) leaked in logs or error messages	Medium	High	Pino transport masking; recipient_address masked on write; CI log scanner	Security
R-NOTIF-05	Templates not ready or not approved at launch	Medium	Medium	Phase 0 seeding with template review gate before Phase 1 activation	Product + Engineering
R-NOTIF-06	SendGrid sender identity not verified (emails in spam)	Medium	Medium	SPF/DKIM/DMARC setup is a pre-launch gate; verified domain in Vault config	SRE
R-NOTIF-07	Invoice email link expired before customer opens	Low	Low	Presigned URL TTL set to 7 days in invoice template; email sent within minutes of invoice FINALIZED	Engineering
R-NOTIF-08	SYSTEM_SECURITY opt-out bypass is disabled in preference check	Low	High	Unit test explicitly verifies bypass; PreferenceResolver code review gate	Engineering
R-NOTIF-09	auth-service outage blocks all recipient lookups	Medium	Medium	NATS NAK; events replay when auth-service recovers; platform.admin list cached 5 min	Engineering
R-NOTIF-10	SMS notification creates user confusion (unexpected sender)	Low	Low	Consistent sender ID Ghasi; customer comms on platform launch	Product
R-NOTIF-11	Template XSS via admin-dashboard Handlebars injection	Low	High	Templates managed only by platform.admin; Handlebars HTML escaping by default; template preview uses isolated renderer	Security