Incident Response & Breach Notification Policy
This policy governs how Vibble identifies, contains, analyzes, and discloses security breaches in compliance with GDPR, CCPA, DSA, OSA, and global incident requirements.
1. Scope
- Data breaches
- Unauthorized access incidents
- Credential or token compromise
- Insider misuse
- Malware & infrastructure attacks
2. Response Workflow
- Detection & alerting
- Initial triage & severity classification
- Containment of affected systems
- Forensic analysis
- Mitigation & recovery
- User and regulator notification
- Post-incident review and hardening
3. Legal Notification Requirements
- GDPR: notify regulators within 72 hours
- CCPA: notify affected residents without unreasonable delay
- DSA/OFCOM: risk reporting where applicable
- Law enforcement notification for criminal events
4. User Notifications
Users receive notification if the breach is likely to cause:
- Identity risk
- Financial harm
- Unauthorized account access
- Exposure of sensitive data
5. Contacts
Incident Response: ir@vibble.com
Security Office: security@vibble.com
Nexa-Group IR: incidents@nexa-group.org
