Incident response
Reviewed 26 March 2026
Incident response programme
Severity tiers, SLAs, and how we communicate incidents to customers.
Download PDF
Owner: Head of Security
Our incident response process follows the NIST SP 800-61r2 lifecycle. Incidents are triaged into four severity tiers with defined response and customer-communication SLAs.
Customers are notified of confirmed incidents that affect their data within 72 hours, in line with UK GDPR Article 33.