1. Definitions
- Security incident: any event that compromises, or may compromise, the confidentiality, integrity or availability of Vortex IQ systems or customer data.
- Personal data breach: a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (UK GDPR).
2. Response team and roles
- An Incident Lead coordinates the response.
- Engineering performs containment, eradication and recovery.
- The privacy owner assesses notification obligations.
- Executive management owns customer and external communications.
3. Severity levels
- Critical: confirmed breach of customer data, or major outage. Immediate response.
- High: likely breach or significant degradation.
- Medium / Low: contained or limited-impact events.
4. Response phases
- Detect and report. Staff and monitoring report suspected incidents without delay.
- Triage. The Incident Lead assesses severity and scope and opens an incident record.
- Contain. Limit impact: isolate systems, disable affected capabilities, and roll back changes where relevant.
- Eradicate. Remove the root cause.
- Recover. Restore service and verify integrity, using the Disaster Recovery Plan where needed.
- Post-incident review. Document root cause, timeline and corrective actions promptly after resolution.
5. Breach notification
Where a personal data breach affecting customer data is confirmed, Vortex IQ will notify the affected customer without undue delay and within 72 hours of confirming the breach. Notification will include, as far as known, the nature of the breach, the data and individuals affected, likely consequences, and the measures taken or proposed.
As a processor, Vortex IQ supports customers (as controllers) in meeting their own regulatory notification duties. Where Vortex IQ is the controller, it will notify the ICO and data subjects as required by UK GDPR.
6. Evidence and communications
Logs and evidence are preserved to support investigation and any regulatory or contractual requirement. Customer communications are owned by executive management; the security contact and, where relevant, the status page (monitor.vortexiq.ai) keep customers informed.
7. Testing
The plan is tested through tabletop or simulation exercises and updated based on findings.