Incident Response Plan
Procedures for detecting, containing, and reporting security incidents
Version 1.0 — As of: March 2026
This Incident Response Plan (hereinafter "IRP") establishes binding procedures for CONPORT Services GmbH, Alte Benninghofer Str. 24, 44263 Dortmund, Germany (Managing Director: Benjamin Schowe) as the operator of the SaaS platform "Aldric". It applies to all employees and contracted service providers who interact with the Aldric infrastructure or customer data.
§ 1 Purpose
This plan pursues three primary objectives:
- Establish clear, rehearsable procedures for handling security incidents so that all parties can act without coordination overhead when it matters most.
- Ensure compliance with the mandatory notification requirements under GDPR Art. 33 (notification to the supervisory authority within 72 hours) and Art. 34 (notification of affected data subjects).
- Minimise damage to customers, sub-tenants, and the company through rapid containment.
§ 2 Scope
This plan applies to all security incidents affecting the Aldric platform, the underlying infrastructure, or customer data. This includes in particular:
- Unauthorised access to personal data or tenant data
- Data loss or corruption
- Compromise of credentials or systems
- Complete or partial service disruptions caused by attacks
- Detected attack or intrusion attempts (including unsuccessful ones)
- Violations of internal security policies
Technical disruptions without security relevance (e.g., infrastructure outages due to hardware failure) are governed by the Service Level Agreement, not by this plan.
§ 3 Incident Classification
Each incident is assigned a priority level immediately upon initial detection. The classification determines the response time and escalation path.
| Priority | Description | Response Time | Escalation |
|---|---|---|---|
| P1 — Critical | Data breach affecting multiple tenants; complete system outage; active exploitation of a vulnerability (ongoing attack) | Immediate (24/7) | Incident Lead + MD immediately; supervisory authority within 72 h |
| P2 — High | Data breach affecting a single tenant; significant service degradation; suspected breach (unconfirmed) | Within 1 hour | Incident Lead within 1 h; MD within 2 h |
| P3 — Medium | Minor service disruption with security relevance; detected but failed attack attempt; policy violation without data breach | Within 4 hours | Incident Lead within 4 h; MD if required |
| P4 — Low | Informational; anomaly detected without immediate harm; process improvement identified | Next business day | Incident Lead for information; documentation |
The classification may be escalated at any time as new information emerges. Downgrading is only permitted after containment has been confirmed.
§ 4 Notification Timeline (72-Hour Deadline under GDPR Art. 33)
For every incident with a potential impact on personal data, a 72-hour deadline for notifying the supervisory authority begins from the moment of initial detection. The following timeline is mandatory:
| Time Window | Action |
|---|---|
| 0 – 1 h | Initial detection and assessment; designate Incident Lead; assign priority; open incident channel |
| 1 – 4 h | Initiate immediate containment measures; preliminary damage scope assessment; provisionally identify affected systems and data categories |
| 4 – 24 h | Detailed investigation; determine whether personal data is affected and to what extent; forensic preservation of evidence |
| 24 – 48 h | Prepare notification to supervisory authority (GDPR Art. 33); prepare notification for affected customers |
| 48 – 72 h | Submit notification to LDI NRW if personal data is affected; notify affected data subjects if high risk exists (GDPR Art. 34) |
Security incidents are reported to:
- State Commissioner for Data Protection and Freedom of Information NRW (LDI NRW)
- Online reporting portal: www.ldi.nrw.de
- Internal security contact: security@conport.services
§ 5 Provider Cascade (Provider Edition)
The Aldric platform is also operated as a Provider Edition, where customers (Providers) manage their own sub-tenants. The following cascade applies for this configuration:
- CONPORT notifies the Provider customer within 24 hours of confirming an incident that affects their tenant environment — regardless of whether the 72-hour deadline is still running.
- The Provider is independently responsible for forwarding information to their sub-tenants in accordance with their own data protection obligations.
- CONPORT provides the Provider with all information needed for downstream notifications: timestamps, affected data categories, scope of affected individuals (as far as determinable), and measures taken.
- Provider customers may request template notifications for data subjects (GDPR Art. 34) that can be adapted for their sub-tenants and end users.
The responsibilities between CONPORT and the Provider are governed by the Data Processing Agreement (DPA).
§ 6 Incident Response Team
The Incident Response Team consists of the following roles. A deputy is designated for each role and maintained in the internal directory.
| Role | Responsibility |
|---|---|
| Incident Lead | Overall coordination; Managing Director or designated deputy; decides on escalation and external notification |
| Technical Lead | Technical investigation and containment; developer or ops on call; forensic evidence preservation |
| Legal / Compliance | Legal assessment; Data Protection Officer (where appointed); evaluates notification obligations and drafts notifications |
| Communications | Customer communication; status page updates; internal status updates; coordinates press statements if required |
§ 7 Containment and Remediation
7.1 Immediate Actions (0 – 4 Hours)
- Isolate affected systems or tenant environments (network segmentation, access revocation)
- Immediately revoke and rotate compromised credentials
- Preserve system state (snapshots, logs) for forensic traceability
- No deletion of log data until released by the Incident Lead
7.2 Short-Term Actions (4 – 48 Hours)
- Close the vulnerability (patch, configuration change, temporary shutdown)
- Restore from validated backup if data loss has occurred
- Increase monitoring of affected systems for follow-on activity
- Notify affected customers via status page and direct email
7.3 Long-Term Actions (Post-Containment)
- Conduct and document a root cause analysis
- Implement and test a permanent fix
- Update security measures (see also Security Policy)
- Update this plan if gaps were identified
§ 8 Communication
8.1 Internal
- Immediately after classification: open a dedicated incident channel (e.g., a secured chat channel)
- For P1 and P2: status updates every 2 hours within the incident team
- Full documentation of all decisions, actions, and timestamps
8.2 Customers
- Status page (status.aldric.app) updated without delay
- Direct email notification to affected tenant administrators
- Closing notification after remediation with a summary of measures taken
8.3 Supervisory Authority
- Notification to LDI NRW under GDPR Art. 33 if personal data is affected (see template in § 9.1)
- Supplementary notification if new findings emerge after the initial report
8.4 Public
- Public statements only if legally required or deemed appropriate after careful consideration
- Clearance by Incident Lead and legal review before publication
§ 9 Notification Templates
9.1 Notification to Supervisory Authority (GDPR Art. 33)
To: State Commissioner for Data Protection and Freedom of Information NRW (LDI NRW)
Nature of the breach: [Description, e.g. unauthorised access to encrypted customer data]
Date and time of initial detection: [Date, time]
Categories of personal data affected: [e.g. email addresses, contract data]
Approximate number of individuals affected: [Number / tenants]
Likely consequences: [e.g. identity theft, reputational damage]
Measures taken: [e.g. access revoked, password reset enforced, patch applied]
Contact person: CONPORT Services GmbH, Benjamin Schowe, security@conport.services
9.2 Notification to Affected Data Subjects (GDPR Art. 34)
Subject: Important security notice regarding your Aldric account
Dear Sir or Madam,
We are writing to inform you of a security incident that may have affected your data.
What happened: [Brief, plain-language description]
What data is affected: [Data categories]
What we have done: [Measures taken]
What you should do: [e.g. change your password, report suspicious activity]
If you have any questions, please contact us at security@conport.services.
CONPORT Services GmbH, Alte Benninghofer Str. 24, 44263 Dortmund, Germany
§ 10 Post-Incident Review
Every incident classified P3 or higher is reviewed in a post-incident review within 5 business days of closure. The review covers:
- Full root cause analysis: what triggered the incident?
- Incident timeline and evaluation of response speed
- Lessons learned: what worked well, what needs improvement?
- Action plan with owners and deadlines
- Update of the Security Policy and, if necessary, this plan
The review document is archived internally and must be made available to the supervisory authority upon request (GDPR Art. 5(2), accountability principle).
§ 11 Exercises and Testing
An untested incident response plan is not a plan. CONPORT commits to the following regular exercises:
- Annual tabletop exercise: Simulated scenario (e.g., P1 data breach) with the full Incident Response Team; approximately 2 hours; results are documented and incorporated into plan updates.
- Semi-annual notification chain test: Verification that all contact details are current, all team members are reachable, and communication channels function correctly.
- Annual plan revision: Full review and update of this plan; adjusted for changes in infrastructure, legal requirements, or lessons learned from actual incidents.
Related Documents