Incident Response Policy

Last updated: March 11, 2025

Purpose

ItemIQ ("we," "our," or "us") maintains this Incident Response Policy to define roles, responsibilities, and procedures for detecting, responding to, and recovering from security and privacy incidents. This policy ensures timely reporting and communication with stakeholders.

Scope

This policy applies to security incidents (e.g., unauthorized access, data breaches, malware, denial of service) and privacy incidents (e.g., unauthorized disclosure or loss of personal data) affecting our systems, applications, or data.

Roles and Responsibilities

Incident Response Lead

  • Owns the incident response process and coordinates response activities
  • Makes escalation decisions and communicates with leadership
  • Ensures documentation and post-incident review

Technical Response Team

  • Investigates and contains incidents
  • Implements remediation and recovery measures
  • Preserves evidence for forensic analysis when appropriate

Communications / Privacy Contact

  • Manages internal and external communications
  • Coordinates regulatory and user notifications when required
  • Maintains records of notifications and communications

Leadership

  • Receives escalation for significant incidents
  • Approves major response actions and external communications
  • Allocates resources for incident response

Incident Reporting Channels

All personnel and third parties must report suspected or confirmed incidents through the following channels:

  • Primary: security@itemiq.com
  • Alternative: incidents@itemiq.com
  • Support (for user-reported issues): support@itemiq.ai

Reports should include: description of the incident, date/time observed, systems or data affected, and contact information of the reporter.

Communication Channels

Internal Communication

  • Incident response team communicates via designated secure channels
  • Status updates are shared with leadership as defined by severity
  • Documentation is maintained in a centralized incident log

External Communication

  • Affected users are notified when personal data may have been compromised, in accordance with applicable laws
  • Regulatory authorities are notified when required (e.g., GDPR, CCPA)
  • Partners and third parties are informed when incidents affect shared systems or data

Incident Response Phases

  1. Detection & Reporting: Identify and report the incident
  2. Assessment: Classify severity and scope
  3. Containment: Limit impact and prevent further damage
  4. Eradication: Remove the cause of the incident
  5. Recovery: Restore systems and validate operations
  6. Post-Incident Review: Document lessons learned and improve processes

Severity Classification

  • Critical: Data breach, widespread system compromise, or significant service disruption
  • High: Limited data exposure, partial system compromise
  • Medium: Potential impact, requires investigation
  • Low: Minor issues, no immediate impact

Related Documents

  • Access Control Policy
  • Data Classification Policy
  • Vulnerability Management Procedure
  • Privacy Policy

Contact

To report a security or privacy incident, contact:

  • Email: security@itemiq.com
  • Incidents: incidents@itemiq.com

© 2026 ItemIQ. All rights reserved.