Incident Response Policy

Last Updated: March 2, 2026

This Incident Response Policy ("Policy") establishes the required procedures and responsibilities for identifying, reporting, analyzing, containing, mitigating, documenting, and resolving security incidents involving CORPIUS systems and data.

This IRP is critical for ensuring compliance with U.S. regulatory requirements, state-level data-breach statutes, and international standards (GDPR, UK GDPR, CCPA/CPRA).

1. Purpose

The purpose of this Incident Response Policy is to:

  • Protect CORPIUS systems, infrastructure, and client data from security threats
  • Ensure a fast, structured response to security events
  • Reduce risk and potential financial, legal, and operational damage
  • Establish accountability, documentation, and forensic accuracy
  • Comply with U.S. and international data-protection regulations

This policy applies to all employees, contractors, consultants, and authorized users.

2. Definitions

2.1 Security Incident

Any event — confirmed or suspected — that threatens the confidentiality, integrity, availability, authenticity, or accuracy of CORPIUS systems, networks, data, or client information.

2.2 Examples of Incidents

  • Unauthorized access attempts or compromised credentials
  • Suspicious logins or abnormal behavior
  • Malware, phishing, ransomware
  • Data exfiltration or data leak
  • Loss or theft of devices
  • Corrupted corporate/tax documents
  • Attempts to access information of other clients
  • System outages affecting document uploads
  • Third-party vendor breaches
  • Fraudulent or suspicious client uploads
  • Abuse of AI or automated tools
  • Failed or unexpected changes in state or IRS filings

3. Incident Response Team (IRT)

CORPIUS maintains an internal Incident Response Team responsible for all IRP procedures.

3.1 Roles and Responsibilities

Incident Response Lead (IRL)

  • Coordinates all incident response actions
  • Authorizes escalation and containment steps
  • Approves external notifications and regulatory filings

Security Operations

  • Detects, monitors, and investigates technical aspects of incidents
  • Implements containment and remediation measures
  • Preserves forensic evidence and maintains incident logs

Legal & Compliance

  • Assesses regulatory notification obligations (GDPR, CCPA, state breach laws)
  • Coordinates with external legal counsel when required
  • Manages documentation for regulatory and litigation purposes

Communications

  • Manages internal and external communications during an incident
  • Prepares client and regulatory notifications
  • Handles media and public relations if necessary

4. Incident Classification

SeverityDescriptionResponse Time
CriticalActive breach, data exfiltration, ransomware, major system compromiseImmediate (within 1 hour)
HighUnauthorized access, compromised credentials, suspected data exposureWithin 4 hours
MediumSuspicious activity, policy violations, isolated security eventsWithin 24 hours
LowMinor anomalies, failed login attempts, non-critical system alertsWithin 72 hours

5. Incident Response Phases

Phase 1: Detection & Identification

  • Continuous monitoring systems detect anomalies and potential incidents
  • Employees report suspected incidents to the IRT immediately
  • Initial assessment to classify severity and scope
  • Document time of detection, source, and initial indicators

Phase 2: Containment

  • Isolate affected systems to prevent further damage or data loss
  • Revoke compromised credentials and access tokens
  • Block malicious IP addresses or traffic sources
  • Preserve all evidence and logs for forensic analysis
  • Notify IRT leadership and activate full response procedures

Phase 3: Eradication

  • Identify and eliminate root cause of the incident
  • Remove malware, unauthorized access points, or compromised components
  • Patch vulnerabilities and update security controls
  • Perform integrity checks on affected systems and data

Phase 4: Recovery

  • Restore affected systems from secure, verified backups
  • Test restored systems before returning to production
  • Monitor for signs of re-infection or recurring issues
  • Verify data integrity and service functionality

Phase 5: Post-Incident Review

  • Document full timeline, actions taken, and outcomes
  • Identify gaps in security controls and update procedures
  • Conduct lessons-learned review with all stakeholders
  • Update this IRP and security policies as needed

6. Notification & Regulatory Obligations

6.1 Client Notification

If a breach involves client personal data, affected clients will be notified as required by law, including the nature of the breach, data affected, steps taken, and recommended client actions.

6.2 Regulatory Notification

  • GDPR/UK GDPR: Data protection authorities notified within 72 hours of discovery
  • CCPA/CPRA: Compliance with California data breach notification requirements
  • State breach laws: Notification within legally mandated timeframes for all applicable U.S. states
  • IRS: Notification of incidents involving tax data per applicable IRS guidance

7. Evidence Preservation

All incident-related evidence must be preserved, including:

  • System logs, access logs, and audit trails
  • Network traffic captures and firewall logs
  • Email records and communication logs related to the incident
  • Forensic images of affected systems
  • Chain of custody documentation for all evidence

Evidence must not be altered, deleted, or modified during or after an investigation.

8. Training & Testing

To ensure effective incident response, CORPIUS:

  • Conducts regular IRP training for all relevant staff
  • Performs tabletop exercises simulating various incident scenarios
  • Tests backup restoration and recovery procedures quarterly
  • Reviews and updates this Policy at least annually

9. Reporting a Security Concern

If you discover or suspect a security vulnerability or incident related to CORPIUS systems, please report it immediately:

CORPIUS — Security Incident Reporting

Email: [email protected]

Website: https://corpius.net

For critical security incidents, please mark your email subject as "SECURITY INCIDENT — URGENT"

We take all security reports seriously and will respond promptly. We do not take legal action against good-faith security researchers who follow responsible disclosure practices.

10. Policy Review & Updates

This Incident Response Policy is reviewed and updated at least annually or following any significant incident, change in regulatory requirements, or major update to CORPIUS systems or infrastructure. Updates become effective immediately upon posting.