This plan describes how Impacturi (operated by Clickonic Ltd) responds to security incidents, including personal data breaches. The goal is to contain the impact, notify affected parties, and prevent recurrence.
1. What counts as an incident
A security incident includes, but is not limited to:
- Unauthorised access to the database or any customer data
- A vulnerability that has been or could be exploited
- Accidental exposure of personal data (e.g. data visible to the wrong user)
- Loss or theft of credentials, API keys, or access tokens
- A ransomware attack, denial-of-service attack, or other malicious activity
- A sub-processor (Supabase, Vercel, Stripe, OpenAI) reporting a breach that affects our data
2. Incident response team
As a small organisation, our incident response is led by:
Incident Lead: Dermot Dennehy (Founder, Clickonic Ltd)
Email: dermot@clickonic.co
As the team grows, additional roles (technical lead, communications lead) will be assigned and this plan will be updated.
3. Response process
Phase 1: Detection and assessment (within 2 hours of the first report)
- Confirm whether a genuine incident has occurred
- Assess the severity: what data is affected, how many customers, is the breach ongoing?
- Classify as: Critical (active data exposure or breach), High (vulnerability exploited but no confirmed data loss), Medium (potential vulnerability identified, not known to be exploited), or Low (false alarm or minor issue)
Phase 2: Containment (within 4 hours of confirmation for Critical/High)
- Isolate the affected system or revoke compromised credentials immediately, and invalidate any active sessions or access tokens issued with them
- Preserve evidence (relevant logs, database snapshots) before rebuilding or wiping affected systems, so the root cause can still be established in Phase 5
- If a database breach: rotate all database credentials and API keys
- If a sub-processor breach: follow the sub-processor's guidance and assess our exposure
- If needed: take the platform offline temporarily to prevent further exposure
Phase 3: Notification (without undue delay, and within 72 hours at the latest)
If the incident involves a personal data breach:
- ICO notification: For personal data for which Clickonic Ltd is the controller (for example our customers' own account details), report to the Information Commissioner's Office within 72 hours of becoming aware if the breach is likely to result in a risk to individuals' rights and freedoms
- Customer notification: Notify all affected customers by email without undue delay, and in any case within 72 hours of becoming aware, explaining: what happened, what data was affected, what we have done, what they should do, and how to contact us. For data we process on a customer's behalf, the customer is the data controller and their own 72-hour ICO deadline runs from the point they become aware, so this notification must not wait for the investigation to complete
- Data subject notification: If the breach is likely to result in a high risk to individuals, notify affected data subjects directly (in coordination with the affected customer, who is the data controller)
Phase 4: Recovery (1 to 7 days)
- Restore normal service once the vulnerability is patched or the threat is neutralised
- Verify that the fix is effective and no further exposure exists
- Monitor closely for any signs of recurrence
Phase 5: Review (within 14 days)
- Conduct a post-incident review to understand root cause
- Document what happened, the timeline, decisions made, and lessons learned
- Update security measures, policies, and this plan as needed
- Share a summary with affected customers (without exposing sensitive technical detail)
4. Record keeping
All incidents (including false alarms) are logged with: date, description, classification, actions taken, outcome, and follow-up. This log is retained for a minimum of 3 years and is available to customers on request as part of audit rights under our Data Processing Agreement.
5. Reporting a security concern
If you believe you have found a security vulnerability in the Impacturi platform, or if you suspect your data has been compromised, please contact us immediately:
Dermot Dennehy
Clickonic Ltd
dermot@clickonic.co
We take all reports seriously and will respond within 24 hours.
6. Review schedule
This plan is reviewed at least annually, and after every incident (real or false alarm), to ensure it remains effective and up to date.