Incident Response Plan

Last updated: 17 June 2026

This plan describes how Impacturi (operated by Clickonic Ltd) responds to security incidents, including personal data breaches. The goal is to contain the impact, notify affected parties, and prevent recurrence.

1. What counts as an incident

A security incident includes, but is not limited to:

  • Unauthorised access to the database or any customer data
  • A vulnerability that has been or could be exploited
  • Accidental exposure of personal data (e.g. data visible to the wrong user)
  • Loss or theft of credentials, API keys, or access tokens
  • A ransomware attack, denial-of-service attack, or other malicious activity
  • A sub-processor (Supabase, Vercel, Stripe, OpenAI) reporting a breach that affects our data

2. Incident response team

As a small organisation, our incident response is led by:

Incident Lead: Dermot Dennehy (Founder, Clickonic Ltd)

Email: security@impacturi.com

Deputy Incident Lead: role currently being appointed. During any period when the Incident Lead is unavailable, escalate immediately to security@impacturi.com.

For urgent incidents outside business hours, email security@impacturi.com with the subject line URGENT SECURITY INCIDENT. As the team grows, additional roles (technical lead, communications lead) will be assigned and this plan will be updated.

3. Response process

Phase 1: Detection and assessment (0 to 2 hours)

  • Confirm whether a genuine incident has occurred
  • Assess the severity: what data is affected, how many customers, is the breach ongoing?
  • Classify as: Critical (active data exposure or breach), High (vulnerability exploited but no confirmed data loss), Medium (potential vulnerability identified), or Low (false alarm or minor issue)

Phase 2: Containment (0 to 4 hours for Critical/High)

  • Isolate the affected system or revoke compromised credentials immediately
  • If a database breach: rotate all database credentials and API keys
  • If a sub-processor breach: follow the sub-processor's guidance and assess our exposure
  • If needed: take the platform offline temporarily to prevent further exposure

Phase 3: Notification (within 24 hours of discovery)

If the incident involves a personal data breach, the following obligations apply:

  • Clickonic's obligation (Processor): Clickonic will notify the affected charity (Controller) within 24 hours of discovering a breach. This notification will explain what happened, what data is affected, likely consequences, and measures taken or proposed.
  • Charity's obligation (Controller): The charity (as the data controller) is then responsible for assessing whether the breach requires notification to the Information Commissioner's Office (ICO) within the 72-hour statutory window under UK GDPR Article 33. Clickonic will provide all information reasonably required to assist with this assessment.
  • Data subject notification: If the breach is likely to result in a high risk to individuals, the charity (as Controller) is responsible for notifying affected data subjects. Clickonic will co-operate fully in this process.

Phase 4: Recovery (1 to 7 days)

  • Restore normal service once the vulnerability is patched or the threat is neutralised
  • Verify that the fix is effective and no further exposure exists
  • Monitor closely for any signs of recurrence

Phase 5: Review (within 14 days)

  • Conduct a post-incident review to understand root cause
  • Document what happened, the timeline, decisions made, and lessons learned
  • Update security measures, policies, and this plan as needed
  • Share a summary with affected customers (without exposing sensitive technical detail)

4. Record keeping

All incidents (including false alarms) are logged with: date, description, classification, actions taken, outcome, and follow-up. This log is retained for a minimum of 3 years and is available to customers on request as part of audit rights under our Data Processing Agreement.

5. Reporting a security concern

If you believe you have found a security vulnerability in the Impacturi platform, or if you suspect your data has been compromised, please contact us immediately:

Security Team, Clickonic Ltd
security@impacturi.com

We take all reports seriously and will respond within 24 hours.

6. Review schedule

This plan is reviewed at least annually, and after every incident (real or false alarm), to ensure it remains effective and up to date.

This plan is governed by the laws of England and Wales. It supplements our Data Processing Agreement and Data Security Policy.