Skip to content

Appcircle Incident Response Plan

Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)

Purpose

This policy defines Appcircle's approach to detecting, responding to, and recovering from security incidents and operational disruptions. It establishes the steps, roles, and communication requirements to ensure incidents are handled in a timely and effective manner, minimising harm to customers, operations, and data.

This plan operates alongside the Business Continuity and Disaster Recovery Policy, which governs service-level recovery objectives and continuity of operations for major disruptions.

Scope

This policy applies to:

  • All Appcircle-operated systems, services, and infrastructure.
  • All personnel with access to Appcircle systems or data.
  • Third parties that process Appcircle or customer data, where contractually applicable.

Key definitions

  • Security incident: Any event that compromises or threatens to compromise the confidentiality, integrity, or availability of Appcircle systems or data.
  • Data breach: Unauthorised access, disclosure, loss, or misuse of sensitive data processed or stored by Appcircle.
  • Major incident: An incident requiring mobilisation of the Emergency Response Team and potentially triggering the Business Continuity Plan.

Incident categories

Appcircle's incident response covers the following major categories:

  • Data breach: Unauthorised access to, disclosure of, or loss of sensitive data — whether caused by external attack, internal misuse, or accidental exposure.
  • Security breach: Unauthorised access attempts that materially threaten or successfully compromise system security controls.
  • Service outage: Unavailability of core systems or critical service functions affecting customers, caused by infrastructure failure, human error, third-party disruption, or security events.

Incident response lifecycle

Communications to relevant stakeholders are considered at all stages of the response.

1. Preparation

Appcircle maintains documented response plans, defined team roles and responsibilities, and appropriate access and tooling to enable effective response. Incident response plans are tested at least annually to verify viability and build organisational readiness.

2. Identification and classification

Incidents are identified through monitoring and alerting, internal reporting, third-party notification, or customer reports. Each incident is assessed for severity based on:

  • The type and sensitivity of data involved.
  • The number of users or systems affected.
  • The extent of ongoing risk or escalation potential.
  • Potential impact on Appcircle's reputation and customer relationships.

High-severity incidents may proceed directly to containment without delay.

3. Containment

Containment actions are taken to limit the impact of the incident and prevent escalation. Examples include:

  • Removing or restricting access to exposed data.
  • Isolating or shutting down compromised systems to prevent further breach activity.
  • Applying temporary access restrictions or configuration changes.

Containment decisions consider whether action may inadvertently worsen the incident or destroy forensic evidence.

4. Eradication

Eradication addresses the root cause of the incident — fixing the exploited vulnerability, removing malware, revoking compromised credentials, or confirming that an exposed data set has been secured. Adequate testing and verification are performed to confirm effective eradication.

Key facts are documented during this phase, including: time, date, duration, and location of the event; data types and systems involved; timeline of discovery; suspected or confirmed cause.

5. Recovery

Recovery restores all affected systems, processes, and services to full operation after confirming that threats have been addressed. Post-recovery monitoring is maintained to detect any recurrence or residual indicators of compromise.

6. Closure and post-incident review

The incident is formally closed once all required actions are complete and stakeholders have confirmed no further response is needed. A post-incident review is conducted to identify root causes, assess whether monitoring and detection coverage was adequate, and implement improvements to reduce the likelihood of recurrence.

Stakeholder communications

Relevant parties are notified based on the severity and nature of the incident. The Emergency Response Team determines the timing, scope, and content of communications. Communication decisions consider:

  • Whether disclosure could worsen the incident or expose Appcircle to additional risk.
  • The information needs of affected parties and customers.
  • Regulatory notification obligations and their timelines.
  • The need to inform internal personnel before any public statement.

All communication decisions are documented for retrospective review.

Regulatory notification requirements

Where a personal data breach is identified, Appcircle complies with applicable notification obligations:

  • GDPR Article 33: The relevant supervisory authority is notified without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in risk to the rights and freedoms of individuals.
  • GDPR Article 34: Affected data subjects are notified without undue delay where the breach is likely to result in high risk to their rights and freedoms.
  • KVKK Article 12: Equivalent notification obligations under Turkish data protection law are fulfilled.

Customer notification obligations defined in contractual agreements are also respected.

Annual testing

The incident response plans are tested at least annually. Testing may take the form of:

  • Desk-based walkthroughs with key stakeholders.
  • Tabletop exercises using hypothetical incident scenarios.
  • Simulation of specific response procedures.
  • Third-party-led assessments.

Findings from testing are used to update plans and address gaps.

Roles and responsibilities

  • Engineering Management (Policy Owner): Accountable for this policy; ensures readiness, review, and communication; makes final decisions on major incidents and external communications.
  • Engineering / Platform / Operations: Implements and coordinates the incident response process; leads containment, eradication, and recovery activities.
  • All personnel: Report suspected incidents or security concerns promptly through approved internal channels.

Regulatory alignment

This policy supports compliance with:

  • SOC 2 (Trust Services Criteria — Availability, Confidentiality, Common Criteria)
  • ISO/IEC 27001:2022 (A.5.24–A.5.28 Incident management)
  • GDPR (Articles 33 and 34 — Breach notification)
  • KVKK (Article 12 — Data security obligations)

Exceptions

Exceptions to this policy must be:

  • Documented with justification, scope, duration, and compensating controls.
  • Approved by the policy owner or an authorised delegate.
  • Reviewed before expiry and retired when no longer required.

Policy review and updates

This policy is reviewed at least annually and following significant incidents, infrastructure changes, or changes to regulatory requirements.

Note

This public policy describes Appcircle's incident response posture at a high level. Detailed internal response runbooks (including specific escalation paths, system-level recovery procedures, and contact lists) are maintained separately and may be shared under appropriate agreements when required.

  • Information Security Policy
  • Logging and Monitoring Policy
  • Business Continuity and Disaster Recovery Policy
  • Change Management Policy
  • System Access Control Policy
  • Vulnerability Management Policy
  • Data Retention and Disposal Policy