Ekosistem App

Incident Management And Response Policy

How Ekosistem App detects, triages, contains, communicates and recovers from security incidents.

Last updated: May 2026

Purpose & Scope

This policy covers any event that disrupts Ekosistem App's services or compromises the confidentiality, integrity or availability of personal data or systems. It applies to the API, web app, persistent stores, third-party services and people involved.

Severity Classification

Each incident is classified at first contact:

  • SEV1 — Confirmed unauthorized access to personal data, complete service outage, or active exploit.
  • SEV2 — Suspected unauthorized access, partial outage, or critical functionality unavailable.
  • SEV3 — Degraded service, abuse patterns or single-tenant impact.
  • SEV4 — Vulnerability report or low-impact issue requiring tracked remediation.

Classification is revised as evidence accumulates.

Response Process

For each incident the engineering team performs the following steps:

  • Detect — alerts from logs, monitoring, vendor status pages or external reports.
  • Contain — restrict the blast radius (revoke tokens via blacklist, disable endpoints, rotate keys, revert deployment).
  • Eradicate — remove the underlying cause, patch and verify.
  • Recover — restore service following the Recovery Operations policy.
  • Learn — produce a post-incident review with action items and timeline.

Communication

Affected parties are notified as follows:

  • For SEV1/SEV2 incidents that affect users, an in-app banner and email update are issued as soon as a credible status is available.
  • Personal-data breaches that meet the GDPR notification threshold are reported to the relevant supervisory authority within 72 hours.
  • Affected data subjects are notified directly when the breach is likely to result in a high risk to their rights and freedoms.
  • Ecosystem owners are informed of incidents that materially affect their communities.
  • A summary of resolved incidents may be published once investigations are closed.

Review & Contact

The incident process is reviewed after every SEV1/SEV2 event and at minimum annually. To report a security incident, email developer@plademy.com.

Developer and Operator
Plademy Oy
Maria 01, Lapinlahdenkatu 16, 00180 Helsinki, Finland
Business-ID: 3386328-3