Register Owner: CISO + General Counsel
Effective Date: June 13, 2026
Reviewed: Annually and after major incidents
Frameworks: SOC 2 CC7.3–CC7.5; ISO 27001 A.5.24–A.5.28. Visualizes the Incident Response Policy.
Effective Date: June 13, 2026
Reviewed: Annually and after major incidents
Frameworks: SOC 2 CC7.3–CC7.5; ISO 27001 A.5.24–A.5.28. Visualizes the Incident Response Policy.
Flow
Key points
- Severity drives response speed and escalation; P0/P1 trigger immediate executive escalation and an RCA.
- Breach determination is made by the CEO + General Counsel (final call: CEO); external notices are approved in writing by the GC and issued per the Customer Communications procedure and applicable statutory clocks.
- AI incidents additionally follow the AI Serious-Incident & Adverse-Impact Reporting Procedure (EU AI Act Art. 73).
- Closure requires a completed RCA (see the Incident RCA template) and corrective actions tracked via the Corrective Action Procedure.
Cross-references
- Incident Response Policy · Customer Communications · AI Serious-Incident Reporting
- Incident RCA template · Corrective Action
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial incident response flow diagram. | Cameron Wolfe | Ishan Jadhwani |