Security Incident Response Policy

Last Updated: March 2025

1. INTRODUCTION

This Security Incident Response Policy ("Policy") describes how Uonyx detects, investigates, contains, remediates, and communicates security incidents that affect or may affect the confidentiality, integrity, or availability of Uonyx systems or the data processed through them.

Security incidents pose significant risks to customers, data subjects, and Uonyx's operations. This Policy ensures that incidents are handled in a consistent, documented, and legally compliant manner, and that affected parties are notified in accordance with applicable data protection laws and contractual obligations.

This Policy complements the Uonyx Security Policy (https://uonyx.com/legal/security) and Privacy Policy (https://uonyx.com/legal/privacy), and should be read in conjunction with both.

2. PURPOSE AND SCOPE

This Policy applies to:

  • All Uonyx systems, infrastructure, applications, and data environments, including cloud infrastructure, production databases, development and staging environments, and third-party service provider connections
  • All categories of data processed by Uonyx, including Platform Data and Customer Data
  • All Uonyx personnel, contractors, and sub-processors who handle Uonyx systems or data
  • All security events that may constitute a personal data breach, unauthorized access, service disruption, or other security incident

The Policy covers all phases of the incident response lifecycle: detection, triage, containment, investigation, remediation, recovery, notification, and post-incident review.

3. DEFINITION OF A SECURITY INCIDENT

For the purposes of this Policy, a "security incident" is any actual or suspected event that compromises or threatens to compromise the confidentiality, integrity, or availability of Uonyx systems or data. This includes, without limitation:

  • Unauthorized access to Uonyx systems, accounts, or data, whether by external actors or insiders
  • Accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data (constituting a "personal data breach" under the GDPR)
  • Ransomware, malware, or other destructive attacks targeting Uonyx infrastructure or data
  • Denial of service attacks that cause material service disruption
  • Exploitation of security vulnerabilities in the Uonyx platform or its dependencies
  • Loss or theft of devices containing Uonyx data
  • Insider threats, including unauthorized use of legitimate access credentials
  • Security incidents affecting sub-processors that may impact Uonyx customer data

4. INCIDENT DETECTION

Uonyx operates continuous monitoring and detection capabilities designed to identify potential security incidents in a timely manner. Detection mechanisms include:

  • Automated security monitoring using security information and event management (SIEM) systems
  • Intrusion detection and prevention systems (IDS/IPS) monitoring network traffic
  • Anomaly detection tools monitoring for unusual authentication patterns, API usage, and data access volumes
  • Vulnerability scanning and threat intelligence feeds
  • Monitoring of cloud infrastructure security events and provider-issued alerts
  • Internal security incident reports from Uonyx personnel
  • External reports submitted by customers, security researchers, or third parties to security@uonyx.com
  • Sub-processor security notifications under contractual reporting obligations

All personnel with access to Uonyx systems are required to report suspected security incidents immediately to security@uonyx.com. Reports should include as much detail as is available about the nature, scope, and timing of the suspected event.

5. INCIDENT CLASSIFICATION AND SEVERITY LEVELS

Upon detection of a potential incident, Uonyx's security team assigns a severity classification to guide the urgency and scope of the response. Incidents are classified as follows:

Severity | Classification | Description | Initial Response
P1 | Critical | Active data breach or confirmed exfiltration; complete platform unavailability; active ransomware or destructive attack; critical vulnerability under active exploitation | Immediate — within 30 minutes; 24/7 escalation
P2 | High | Suspected unauthorized access; significant data exposure; major platform degradation; high-severity vulnerability requiring emergency patch | Within 1 hour; senior security team engagement
P3 | Medium | Unauthorized access attempt (unsuccessful); policy violation with potential security impact; moderate vulnerability; anomalous access patterns requiring investigation | Within 4 hours; business hours escalation with on-call coverage
P4 | Low | Minor security event; informational finding; low-risk vulnerability; configuration drift | Within 1 business day; standard security workflow

Severity levels may be escalated or de-escalated as the investigation progresses and more information becomes available. All incidents are documented in Uonyx's incident management system regardless of severity.

6. INCIDENT RESPONSE TEAM RESPONSIBILITIES

Uonyx's Incident Response Team (IRT) is responsible for coordinating the response to security incidents. Key roles and responsibilities include:

  • Security Lead: Overall coordination of the incident response; technical investigation and containment decisions; communication with senior leadership.
  • Infrastructure and Engineering Team: Technical implementation of containment, remediation, and recovery measures; forensic preservation of evidence; system restoration.
  • Privacy and Legal Counsel: Assessment of personal data breach implications; determination of notification obligations; coordination with regulatory authorities and legal proceedings.
  • Customer Success and Communications: Drafting and delivery of customer notifications; coordination of customer inquiries and support during incidents.
  • Executive Management: Authorization of material decisions, including regulatory notifications and major remediation investments; escalation point for P1 incidents.

The IRT may be supplemented by external forensic investigators, legal advisors, or cybersecurity specialists where the scope or complexity of an incident requires specialized expertise.

7. CONTAINMENT PROCEDURES

Upon confirmation of a security incident, the IRT will implement containment measures proportionate to the nature and severity of the incident. Containment actions may include:

  • Isolating affected systems, accounts, or network segments to prevent further spread
  • Revoking compromised credentials, API keys, or access tokens
  • Blocking malicious IP addresses, domains, or traffic patterns at the network or application layer
  • Disabling affected integrations or third-party connections
  • Deploying emergency patches or configuration changes to close active vulnerability vectors
  • Preserving forensic evidence (logs, snapshots, memory dumps) prior to system changes that could overwrite evidence

Containment decisions will balance the need to limit damage against the risk of destroying forensic evidence and the impact on service availability for unaffected customers.

8. INVESTIGATION AND ROOT CAUSE ANALYSIS

Following initial containment, the IRT will conduct a structured investigation to determine:

  • The root cause and initial attack vector of the incident
  • The timeline of the incident, including the date and time of first access or compromise
  • The scope of systems and data affected, including whether personal data was accessed, copied, or destroyed
  • The identities, if known, of any threat actors involved
  • Whether the incident was caused or contributed to by actions of a sub-processor

Investigation activities may include forensic analysis of system logs, memory artifacts, network traffic captures, and application records. Findings are documented in a formal incident report that is retained for at least five (5) years.

9. REMEDIATION AND RECOVERY

Following the investigation, the IRT will implement remediation measures to address the root cause and restore secure operations. Remediation activities may include:

  • Patching or updating vulnerable software components
  • Reconfiguring access controls, authentication mechanisms, or network rules
  • Replacing or re-provisioning compromised systems or credentials
  • Implementing additional monitoring or detection capabilities to identify recurrence
  • Updating security policies, procedures, or training in response to findings

Service restoration follows remediation and is subject to verification testing before affected systems are returned to production. The pace of recovery is balanced against the need to ensure that compromised components are fully addressed before reactivation.

10. COMMUNICATION AND NOTIFICATION

Uonyx maintains clear communication protocols for security incidents to ensure that relevant stakeholders are informed promptly and accurately.

10.1 Internal Communication

Internal notifications are issued to relevant teams based on incident severity, following the escalation matrix defined by the IRT. P1 and P2 incidents trigger immediate notification to executive management. All security incidents are logged in the incident management system with status updates at defined intervals.

10.2 Status Page

For incidents affecting service availability, Uonyx will publish status updates on its operational status page at https://status.uonyx.com, in accordance with the commitments in the Uonyx Service Level Agreement.

10.3 Sub-Processor Coordination

Where an incident involves or affects a sub-processor, Uonyx will coordinate with the sub-processor under the security and notification obligations in the applicable data processing agreement. Sub-processors are contractually required to notify Uonyx promptly upon becoming aware of security incidents that may affect Customer Data.

11. CUSTOMER NOTIFICATION

Where a security incident constitutes a personal data breach affecting Customer Data, or otherwise materially affects a customer's use of the Services, Uonyx will notify affected customers in accordance with the applicable Data Processing Agreement and applicable law.

Customer notifications will include, to the extent then known:

  • A description of the nature of the incident
  • The categories and approximate volume of personal data affected
  • The likely consequences of the incident
  • The measures Uonyx has taken or proposes to take to address the incident

Initial notifications may be provided before all information is available. Uonyx will issue supplementary notifications as further information is confirmed.

Customers who identify or suspect a security incident affecting their account are encouraged to report it promptly to security@uonyx.com to enable Uonyx to investigate and respond as quickly as possible.

12. REGULATORY NOTIFICATION REQUIREMENTS

Where a security incident constitutes a personal data breach under applicable data protection law, Uonyx will comply with the following regulatory notification obligations:

  • GDPR / UK GDPR: Where Uonyx acts as a data controller, a personal data breach involving a risk to the rights and freedoms of individuals must be reported to the competent supervisory authority within 72 hours of becoming aware, and to affected data subjects without undue delay where the breach is likely to result in high risk.
  • GDPR (processor role): Where Uonyx acts as a data processor, it will notify the relevant customer (as data controller) without undue delay upon becoming aware of a personal data breach, to enable the customer to fulfil its own regulatory notification obligations.
  • CCPA/CPRA: Where applicable, Uonyx will comply with California breach notification requirements, including notification to affected California residents and the California Attorney General in accordance with applicable timescales.
  • Other applicable laws: Uonyx will comply with breach notification requirements under other applicable national and state laws in the jurisdictions in which it operates or processes data.

Regulatory notifications are drafted by Uonyx's privacy and legal function and are reviewed before submission. Records of all regulatory notifications are retained as part of the incident record.

13. POST-INCIDENT REVIEW

Following the resolution of every P1 or P2 incident, and significant P3 incidents, Uonyx conducts a formal post-incident review (also known as a "lessons learned" review) within ten (10) business days of incident closure. The review covers:

  • An assessment of the incident timeline and the effectiveness of the detection and response
  • Identification of any gaps in controls, processes, or systems that enabled or contributed to the incident
  • Specific improvement actions, assigned owners, and target completion dates
  • Assessment of whether any contractual, regulatory, or legal obligations require further action

Post-incident review findings are documented and tracked through Uonyx's security programme management process. Systemic findings that require policy or procedural changes are escalated for prioritized resolution.

14. CONTINUOUS IMPROVEMENT

Uonyx is committed to continuous improvement of its security incident response capabilities. Measures include:

  • Conducting tabletop exercises and simulated incident response drills on at least an annual basis
  • Reviewing and updating this Policy at least annually, or following any material incident or change in applicable law
  • Incorporating lessons learned from post-incident reviews into training, tooling, and process improvements
  • Maintaining threat intelligence relationships to stay informed of emerging attack techniques and vulnerabilities relevant to the Uonyx platform
  • Engaging qualified independent security firms for periodic penetration testing and security assessments

For questions about this policy or to submit a request, please contact Uonyx using the details below.

Contact | Details
Privacy Enquiries | privacy@uonyx.com
Security Incidents | security@uonyx.com
Privacy Policy | https://uonyx.com/legal/privacy
Security Policy | https://uonyx.com/legal/security
Sub-Processors | https://uonyx.com/legal/subprocessors
Postal Address | Uonyx, 7421 Edinger Ave, Huntington Beach, CA 92647, United States