Incident response

Detection, triage, notification timelines, regulatory obligations, and post-mortem process. Maps directly to GDPR Art. 33 and 34 notification duties.

Detection sources

  • Azure Application Insights alerts (latency, error rate, availability)
  • Front Door WAF alerts (attack patterns)
  • Audit log anomalies (unusual access patterns, failed login spikes)
  • Customer reports via clinic portal or email
  • Security scanner findings (govulncheck, gosec, Trivy, staticcheck in CI)
  • Responsible disclosure reports to security@hihumanai.com

Response SLAs

  Severity      Acknowledge within   Resolve / mitigate within   Notify clinic within
  P1 Critical   15 minutes           4 hours                     24 hours
  P2 High       1 hour               24 hours                    72 hours
  P3 Medium     4 hours              7 days                      Weekly report
  P4 Low        Next business day    Next release                Weekly report

Regulatory notification

  • Personal data breach affecting UK residents - We notify the clinic (controller) within 24 hours. The clinic has a legal obligation to notify the ICO within 72 hours. We provide all technical detail needed.
  • NHS Digital (for NHS clinics) - The clinic notifies NHS Digital per DSPT incident reporting guidance.
  • Clinical safety incident - Our Clinical Safety Officer is notified immediately. MHRA notification within 10 working days if the incident meets their serious adverse event threshold.

GDPR Art. 33 / Art. 34 timeline

[Diagram: GDPR Art. 33 / Art. 34 notification timeline (clinic notified within 24 hours; clinic notifies the ICO within 72 hours, as described under Regulatory notification above)]

Post-incident

Every P1 and P2 incident gets a written post-mortem within 5 working days containing:

  • Root cause analysis (5 whys or similar)
  • Timeline of events
  • What worked, what did not
  • Action items with owners and deadlines
  • Update to the hazard log if clinical safety was affected

Post-mortems are shared with affected clinics by default.

How to reach us in an incident

Recent incidents

We publish a quarterly summary of material incidents. Email dpo@hihumanai.com for the current quarter's report.