01 Introduction
This Incident Response Plan (the "Plan") establishes the procedures to be followed in the event of security incidents and data breaches at Sekyr. The Plan is an integral part of Sekyr's overall security framework and aligns with its compliance obligations under the GDPR and other applicable data protection and security legislation.
The Plan defines clear responsibilities and processes for effectively mitigating and managing security incidents and data breaches, including the steps required to respond to and recover from events that may affect the confidentiality, integrity, or availability of Sekyr's data and systems.
02 Scope
This Plan applies to all incidents affecting Sekyr's information, information systems, customer data, and product and service deliveries, regardless of format or location. It covers events affecting employees, consultants, subcontractors, and any other parties with access to Sekyr's or its customers' information.
03 Severity classification
Incidents are classified by severity based on their impact on the confidentiality, integrity, and availability of information and systems, and on regulatory exposure (for example, whether personal data or customer data is involved). Severity is assigned at triage and re-assessed as the facts become clearer; it determines the response cadence, the escalation path, and the notification obligations.
04 Detection and reporting
Incidents may be detected through monitoring and alerting, employee reports, customer reports, or third-party notifications. Suspected incidents are reported to the Incident Response Team without undue delay so that triage and containment can begin. The time at which Sekyr became aware of the incident is recorded, since it starts the statutory notification clock for personal data breaches.
05 Response phases
Response follows a standard sequence of phases: containment to limit further impact, mitigation of the underlying cause, recovery to restore affected services, and post-incident review to capture lessons learned. Containment actions are chosen so that evidence needed for forensic analysis and for any regulatory or contractual reporting is preserved. Each phase has defined entry and exit criteria documented in supporting runbooks.
06 External notification
Where an incident constitutes a personal data breach for which Sekyr is the controller, Sekyr notifies the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where Sekyr acts as a processor, it notifies the affected controller without undue delay as required by Article 33(2). Affected customers and data subjects are notified in line with contractual commitments and applicable law, including Article 34 of the GDPR where the breach is likely to result in a high risk to data subjects.
07 Post-incident review
Each incident is followed by a structured review. Findings, root causes, and corrective actions feed into Sekyr's continuous improvement cycle so that controls, monitoring, and processes are updated to prevent recurrence and to strengthen overall resilience.
08 Roles and responsibilities
Responsibility for executing this Plan is shared across the organisation. Specific responsibilities are as follows:
- Executive Team
- Owns this Plan, approves material changes, and ensures that adequate resources are allocated to incident preparedness and response.
- Legal & Compliance
- Leads and coordinates privacy protection at Sekyr and holds overall responsibility for compliance with applicable legislation, including the GDPR. Advises the organisation on privacy and data protection matters, including whether and when breach notifications are required.
- Security Team
- Holds primary responsibility for Sekyr's security work and leads the development, maintenance, and updating of security measures and processes.
- Incident Response Team
- Responsible for implementing this Plan. The team comprises representatives from Engineering, Legal & Compliance, Executive Team, and relevant business units, and coordinates and executes incident response activities promptly and efficiently.
- All managers
- Responsible for ensuring compliance with this Plan and with the specific processes and standards established to deliver on information security and data protection.
- All employees and other covered parties
- Responsible for acting in accordance with this Plan and its supporting routines, and for reporting suspected incidents without undue delay.
09 Review
This Plan shall be reviewed at least annually and updated as needed to reflect changes in the regulatory environment, the threat landscape, or the organisation's operations.