Trust Center policy

TyriaCore Incident Response & Notification Policy

Security incident handling and customer notification process.

Document type: Published policy (public policy page)
Last updated: February 20, 2026 (current published revision)
Access: Public; no authentication required

This policy describes Provider's general incident response and notification practices.

This policy is incorporated by reference into the Agreement between Provider and Customer to the extent referenced in an Order Form or otherwise incorporated into the Agreement.

Order of precedence. If there is a conflict between this policy and the Agreement (or an Order Form, SOW, DPA, or BAA), the order of precedence in the Agreement controls. If a DPA or BAA applies, those terms control for Personal Data breaches or PHI breaches to the extent of conflict.

No expanded liability. Provider's limitations of liability, exclusions of damages, and remedies limitations in the Agreement apply.

1. Incident Response Program

Provider maintains a documented incident response plan designed to support:

  • detection and triage;
  • containment, investigation, and mitigation;
  • recovery and post-incident review; and
  • communications consistent with legal, security, and confidentiality requirements.

2. Customer Data Security Incidents (General)

A "Customer Data Security Incident" is a confirmed incident that results in:

  • unauthorized access to, acquisition of, or disclosure of Customer Data in Provider systems, or
  • a confirmed material compromise of the confidentiality, integrity, or availability of Customer Data in Provider systems,

excluding unsuccessful attacks and events that do not result in unauthorized access or such material compromise (e.g., routine pings, port scans, unsuccessful login attempts).

If Provider confirms a Customer Data Security Incident, Provider will notify Customer without undue delay following confirmation, and will provide information reasonably necessary for Customer to understand the nature of the incident and Provider's mitigation steps, consistent with legal and security constraints.

3. Document Hierarchy

(a) Personal Data Breach. If a DPA applies, notification obligations for a Personal Data Breach are governed by the DPA to the extent of any conflict.

(b) PHI Breach. If a BAA applies, notification obligations for Breach of Unsecured PHI are governed by the BAA to the extent of any conflict.

4. Content of Notices

Notices will include, to the extent known and legally permissible:

  • a description of what happened and when;
  • general categories of data affected;
  • mitigation steps taken or planned;
  • recommended steps Customer can take; and
  • a point of contact for follow-up.

Provider may provide updates as additional information becomes available.

5. Law Enforcement and Legal Restrictions

If Provider is required by law or law enforcement to delay notification, Provider will provide notice when legally permitted.

6. Customer Cooperation

Customer agrees to reasonably cooperate with Provider's investigation, including providing relevant information about Customer configurations and integrations if needed to confirm scope.

7. Contact

Incident communications: contracts@tyria.app