Incident Response Policy
Effective: February 28, 2026
Version 1.0
Scope
This policy covers security incidents affecting the Ataraxia GRC platform, including unauthorized access, data breaches, service disruptions, and vulnerabilities.
Incident Classification
| Severity | Description | Response Time | Notification |
|---|---|---|---|
| Critical | Data breach, unauthorized access to customer data | Immediate | Within 24 hours |
| High | Service outage, security vulnerability exploited | Within 4 hours | Within 48 hours |
| Medium | Partial service degradation, potential vulnerability | Within 24 hours | Within 72 hours |
| Low | Minor issue, no customer data impact | Within 72 hours | As needed |
Response Process
- Detection — Automated monitoring, customer reports, or internal discovery
- Triage — Assess severity, scope, and impact within 1 hour of detection
- Containment — Isolate affected systems to prevent further impact
- Investigation — Determine root cause, scope of exposure, and affected parties
- Remediation — Fix the vulnerability or restore service
- Notification — Inform affected customers per the timeline above
- Post-Incident Review — Document lessons learned, update preventive measures
Customer Notification
For incidents affecting customer data, we provide:
- Description of the incident
- Data potentially affected
- Actions taken to contain and remediate
- Recommended actions for affected customers
- Point of contact for questions
Notifications are sent via email to organization owners and admins.
Reporting an Incident
If you suspect a security incident, contact security@ataraxiagrc.com immediately.