Skip to main content
Primary Logo

Security Incident Response Policy

Effective Date: 8 May 2026 · Version 1.0

This Policy sets out how Vyete Technologies Ltd ("Vyete") detects, manages, investigates, and communicates security incidents affecting the platform and its participants. It reflects Vyete's obligations under applicable data protection law and its commitment to transparency.

1. Purpose and Scope

1.1 Purpose

This Policy ensures that:

  • Security incidents are detected and contained as quickly as possible.
  • The impact on platform participants is minimised.
  • Legal and regulatory notification obligations are met.
  • Incidents are properly documented and lessons are incorporated into future security improvements.

1.2 Scope

This Policy applies to security incidents affecting:

  • Vyete's platform infrastructure, applications, and systems.
  • Personal data processed by Vyete.
  • Any third-party system operated on Vyete's behalf.

It covers incidents that are confirmed and suspected — Vyete treats suspicious events as potential incidents until a contrary assessment is made.

2. Definitions

| Term | Meaning | |---|---| | Security Incident | Any event that results in, or may result in, unauthorised access to, disclosure of, alteration, loss, or destruction of data or systems | | Personal Data Breach | A security incident resulting in the accidental or unlawful access to, destruction, loss, alteration, or disclosure of personal data | | Severity Level | A classification of the incident's impact and urgency | | Incident Responder | A member of Vyete's designated incident response team | | Affected Parties | Users, shops, brands, or couriers whose data or operations are affected |

3. Severity Classification

All security incidents are classified on discovery using the following framework:

| Level | Name | Criteria | Example | |---|---|---|---| | P1 | Critical | Active exploitation; mass data exfiltration; platform-wide service impact | Active attacker in production database; ransomware deployment | | P2 | High | Significant data exposure; major feature compromise; targeted exploitation | Account takeover of multiple users; payment data exposure for subset of users | | P3 | Medium | Limited data exposure; vulnerability exploited without mass impact; insider threat indicator | Single account compromised; low-volume credential stuffing | | P4 | Low | Near-miss; suspicious activity without confirmed breach; minor policy violation | Failed brute-force attempt; unusual login geo-anomaly without compromise |

Classification may be upgraded as investigation reveals greater impact.

4. Detection

Vyete detects security incidents through multiple channels:

  • Automated security monitoring and SIEM alerting.
  • Anomaly detection on API and application traffic.
  • Reports from platform participants (users, shops, brands, couriers).
  • Reports from security researchers under the Vulnerability Disclosure Policy.
  • Intelligence feeds and third-party threat notifications.
  • Internal employee observation and reporting.

Anyone who suspects a security incident — whether Vyete employee, contractor, or platform participant — must report it immediately to [email protected].

5. Response Procedures

5.1 Initial Response

On receipt of an incident alert or report:

  1. Assign an Incident Lead within 30 minutes (P1/P2) or 4 hours (P3/P4).
  2. Log the incident in Vyete's incident tracking system with timestamp, source, and initial assessment.
  3. Classify the severity based on available information.
  4. Convene the Incident Response Team for P1 and P2 incidents.
  5. Notify the DPO and legal team if the incident may constitute a Personal Data Breach.

5.2 Containment

The Incident Response Team's immediate priority is containment. Containment actions may include:

  • Isolating affected systems from the network.
  • Revoking compromised credentials or access tokens.
  • Blocking malicious IP addresses or traffic patterns.
  • Disabling affected features or API endpoints.
  • Engaging third-party incident response specialists.

Containment may require taking services offline. The decision to take platform services offline is made by the Incident Lead and requires approval from a senior technical leader (P1/P2) or the Incident Lead alone (P3/P4). Planned downtime arising from incident response is excluded from SLA calculations.

5.3 Investigation

Following containment, the team investigates to determine:

  • The root cause of the incident.
  • The timeline of events from initial compromise to detection.
  • The scope of data or systems affected.
  • Whether any data was exfiltrated, destroyed, or altered.
  • Whether the incident is still ongoing.

Investigation findings are documented in a written Incident Report.

5.4 Recovery

Recovery involves restoring affected systems to normal operation:

  • Validate that vulnerabilities exploited in the incident have been remediated before restoring services.
  • Restore data from clean backups where necessary.
  • Conduct post-recovery testing before returning systems to full production.
  • Monitor closely for recurrence in the 72 hours following recovery.

5.5 Post-Incident Review

Within 14 calendar days of incident closure, the Incident Response Team conducts a post-incident review to:

  • Document the full timeline and impact.
  • Identify root causes and contributing factors.
  • Define remediation actions with owners and deadlines.
  • Assess whether security controls, processes, or training require updating.

Post-incident review findings are classified confidential and retained for at least 3 years.

6. Notification Obligations

6.1 Regulatory Notification

Where an incident constitutes a Personal Data Breach, Vyete will notify the relevant data protection supervisory authority within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals. Where notification is not made within 72 hours, a reasoned explanation will be provided.

The notification will include, where known:

  • Nature of the breach, categories and approximate number of Data Subjects affected.
  • Name and contact details of the Data Protection Officer.
  • Likely consequences of the breach.
  • Measures taken or proposed to address it.

6.2 Notification to Affected Parties

Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of individuals, Vyete will notify affected users, shops, brands, or couriers directly, without undue delay. Notification will:

  • Be written in clear, plain language.
  • Describe the nature of the incident and data affected.
  • Provide the DPO's contact details.
  • Describe the likely consequences.
  • State the steps taken and steps the individual can take to protect themselves.

Vyete will not delay notification where there is a high risk of harm to individuals, even where the full facts are not yet established.

6.3 Notification to Business Partners

Where a security incident affects personal data processed on behalf of a shop or brand partner under the Data Processing Agreement, Vyete will notify the relevant Customer within 72 hours.

6.4 Public Communication

Material incidents affecting the availability or integrity of the platform will be communicated via status.vyete.com. Vyete will communicate what it knows, acknowledge uncertainty where it exists, and provide updates as the situation develops.

7. Evidence Preservation

All evidence related to a security incident (logs, forensic images, communications) must be preserved intact from the point of detection. No system affected by a P1 or P2 incident may be wiped or rebuilt without the Incident Lead's express approval. Evidence is retained for a minimum of 3 years following incident closure.

8. Roles and Responsibilities

| Role | Responsibility | |---|---| | Incident Lead | Coordinates the response, makes containment decisions, owns communication | | DPO | Assesses breach notification obligations, maintains regulator relationships | | Legal Counsel | Advises on notification requirements, liability, and evidence preservation | | Communications Lead | Manages internal and external communications | | Technical Response Team | Investigates, contains, and remediates the incident | | Senior Leadership | Authorises major response decisions; available for P1 escalation at all hours |

9. Testing and Preparedness

Vyete tests its incident response capability through:

  • Tabletop exercises conducted at least annually.
  • Simulated breach scenarios for the incident response team.
  • Review and update of this Policy following major exercises or real incidents.

10. Contact

To report a security incident or suspected breach: [email protected] (monitored 24/7)

Data Protection Officer: [email protected]