Incident Response Plan
March 2026 · Owner: Vilmer Frost, CEO & DPO · Review: Annual
1. Scope
This plan covers the identification, containment, investigation, and resolution of security incidents, data breaches, system outages, and data integrity events affecting the BatchCortex Platform and its customers.
2. Incident Classification
| Severity | Definition | Response Time | Example |
|---|---|---|---|
| P1 — Critical | Data breach involving personal data; complete system outage; audit trail integrity compromised | Immediate (within 1 hour) | Database breach, complete platform downtime, tampered audit records |
| P2 — High | Partial service degradation affecting GMP functions; escalation system failure; AI model producing incorrect outputs | Within 4 hours | Escalation emails not sending, anomaly detection false negatives, report generation failure |
| P3 — Medium | Non-GMP feature degradation; performance issues; minor configuration errors | Within 24 hours | Dashboard loading slowly, non-critical UI bugs, notification delays |
| P4 — Low | Cosmetic issues, documentation updates, minor improvements | Within 5 business days | Typos, UI polish, non-urgent feature requests |
3. Incident Response Procedures
3.1 Data Breach (GDPR Article 33/34)
Detection → 72 hours maximum to supervisory authority notification
| Step | Action | Timeframe | Owner |
|---|---|---|---|
| 1 | Detect and confirm breach | Immediate | Automated monitoring + manual review |
| 2 | Contain — isolate affected systems, revoke compromised credentials | Within 1 hour | Vilmer Frost |
| 3 | Assess scope — what data, how many subjects, which customers | Within 4 hours | Vilmer Frost |
| 4 | Notify affected customers | Within 24 hours | Vilmer Frost |
| 5 | Notify IMY (Swedish supervisory authority) | Within 72 hours | Vilmer Frost |
| 6 | Notify affected data subjects if high risk | Without undue delay | Vilmer Frost |
| 7 | Root cause analysis and remediation | Within 7 days | Vilmer Frost |
| 8 | Post-incident report to affected customers | Within 14 days | Vilmer Frost |
Backup contact: To be designated — see Business Continuity Plan BC-BCP-001.
3.2 System Outage (GMP Impact)
| Step | Action | Timeframe |
|---|---|---|
| 1 | Confirm outage via monitoring (Sentry, Vercel status) | Automated |
| 2 | Notify affected customers via email | Within 1 hour |
| 3 | Post status update to status page | Within 1 hour |
| 4 | Implement fix or failover | ASAP |
| 5 | Confirm resolution and notify customers | Upon resolution |
| 6 | Post-incident report | Within 48 hours |
Edge agents are designed with local SQLite store-and-forward buffering. During platform outages, sensor data is not lost — it is buffered locally and synchronized when connectivity is restored.
3.3 Audit Trail Integrity Event
Any suspected tampering, corruption, or gap in the audit trail is treated as P1:
| Step | Action | Timeframe |
|---|---|---|
| 1 | Halt affected batch processing | Immediate |
| 2 | Verify SHA-256 hash chain integrity | Within 1 hour |
| 3 | Notify affected customer(s) | Within 2 hours |
| 4 | Forensic investigation — database logs, access logs, RLS audit | Within 24 hours |
| 5 | Report to customer's QA with full timeline | Within 48 hours |
| 6 | Implement corrective and preventive action (CAPA) | Within 14 days |
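As an added illustration of step 2 (example code, not BatchCortex's own implementation; the audit record layout and the hash input format are assumptions, since the plan does not specify them), a verifier that walks a SHA-256 hash chain over constructed audit records and reports the three conditions this section treats as P1: gaps, tampered records, and broken links, plus silent truncation when an externally stored head hash is available:

```python
import hashlib
import json

# Assumed audit record format (the plan does not specify one): each record
# carries a sequence number, its payload, the previous record's hash, and its
# own hash = SHA-256 over "seq|prev_hash|canonical JSON payload".
GENESIS_HASH = "0" * 64


def record_hash(seq, prev_hash, payload):
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{seq}|{prev_hash}|{body}".encode()).hexdigest()


def make_record(seq, prev_hash, payload):
    return {"seq": seq, "prev_hash": prev_hash, "payload": payload,
            "hash": record_hash(seq, prev_hash, payload)}


def verify_chain(records, expected_head=None):
    """Return a list of findings (empty means intact). Detects gaps in seq,
    tampered records (stored hash != recomputed), broken prev_hash links and,
    given an externally stored head hash, truncation of the chain's tail."""
    findings = []
    expected_seq, prev_hash = 1, GENESIS_HASH
    for rec in records:
        seq = rec["seq"]
        if seq != expected_seq:
            findings.append(f"gap: expected seq {expected_seq}, found {seq}")
        if rec["prev_hash"] != prev_hash:
            findings.append(f"broken link at seq {seq}")
        if rec["hash"] != record_hash(seq, rec["prev_hash"], rec["payload"]):
            findings.append(f"tampered record at seq {seq}")
        expected_seq, prev_hash = seq + 1, rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        findings.append("head mismatch: chain tail differs from stored head")
    return findings


def build_sample_chain():
    # Constructed sample audit events, not real customer data.
    events = [{"batch": "B-001", "event": "batch_started", "user": "qa1"},
              {"batch": "B-001", "event": "temp_reading", "value": 21.5},
              {"batch": "B-001", "event": "batch_closed", "user": "qa1"}]
    chain, prev = [], GENESIS_HASH
    for seq, ev in enumerate(events, start=1):
        chain.append(make_record(seq, prev, ev))
        prev = chain[-1]["hash"]
    return chain
```

A record that is edited and then re-hashed in place is only caught by the next record's `prev_hash`, and the same edit to the last record is only caught when the current head hash is kept somewhere the database writer cannot reach; that is what the `expected_head` check is for.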
3.4 AI Model Failure
If the anomaly detection system produces confirmed false negatives (missed real anomalies) or systematic false positives:
| Step | Action | Timeframe |
|---|---|---|
| 1 | Confirm model failure via manual review of flagged events | Within 4 hours |
| 2 | Notify affected customer(s) with details | Within 8 hours |
| 3 | Switch affected processes to heightened manual monitoring | Immediate |
| 4 | Root cause analysis (data drift, model degradation, configuration error) | Within 72 hours |
| 5 | Model retraining or rollback to last validated version | Within 7 days |
| 6 | Re-validation and deployment | Per GAMP 5 change control |
4. Communication
- All incident communications to customers are sent from vilmer@batchcortex.com
- Critical incidents (P1) include phone notification to customer's designated contact
- Post-incident reports are stored as GMP records and available for customer audit
5. Record Keeping
All incidents are logged with: date/time of detection, classification, timeline of actions taken, root cause (when identified), corrective actions, and sign-off. Records are retained for 15 years per GMP requirements.
BatchCortex AB (i.o.) · Stockholm, Sweden · vilmer@batchcortex.com