Incident Response — Trust Centre — Compass IoT
Resilience

About this document

We have a documented process for detecting, responding to, and recovering from security incidents.

This page sets out the key steps in that process at a level appropriate for customers, partners, and security reviewers. It applies to all employees, contractors, and vendors with a role in detecting, reporting, or responding to security incidents affecting Compass IoT systems, data, or customers.

Definition

What counts as a security incident


A security incident is any event that compromises or threatens to compromise the confidentiality, integrity, or availability of Compass IoT systems or data. This includes events affecting data held by third-party vendors on our behalf.

  • Unauthorised access to Compass IoT systems, data, or customer accounts.
  • Data breach or confirmed exfiltration of customer or personal data.
  • Ransomware, malware, or destructive attack on Compass IoT infrastructure.
  • Denial of service or platform availability degradation caused by a malicious actor.
  • Credential compromise — including phishing, account takeover, or leaked API keys.
  • Insider threat — intentional or accidental misuse of access by an employee or contractor.
  • Third-party or vendor incident that affects Compass IoT data or platform availability.

Not all incidents are breaches

An incident does not necessarily mean that data has been accessed or stolen. A failed intrusion attempt, a misconfigured access control, or a phishing email that was not acted on are all incidents that require a response — but do not automatically constitute a data breach. Our response process distinguishes between the two and triggers appropriate actions accordingly.

Classification

Incident severity levels

All incidents are classified by severity at the point of detection. Severity determines the speed of response, the personnel involved, and the communication obligations that apply.

Level 1 · Low

Minor anomaly or policy violation with no evidence of data exposure or system compromise. Contained and remediated without customer impact.

Response: next business day · Customer notification: not required

Level 2 · Moderate

Confirmed security event with potential for limited data exposure or service degradation. No evidence of widespread impact. Requires investigation and documented remediation.

Response: within 4 hours · Customer notification: if affected

Level 3 · Major

Confirmed security incident with evidence of data access, exfiltration, or significant service disruption. Likely to affect customers. Leadership team involved immediately.

Response: within 1 hour · Customer notification: within 24 hours

Level 4 · Critical

Severe incident involving confirmed data breach, ransomware, or full platform compromise. All hands response. Regulatory notification obligations may apply.

Response: immediate · Customer notification: within 72 hours · Regulatory: as required by law

Response process

How we respond to an incident

All incidents follow a structured five-phase response process regardless of severity. The pace and resources applied scale with severity level.

Phase 01

Detection and reporting
  • Incident detected via automated monitoring, employee report, or external disclosure.
  • All employees and contractors are required to report suspected incidents immediately — no delay for investigation first.
  • Incident is logged with initial timestamp, detection source, and available indicators of compromise.

Phase 02

Assessment and classification
  • On-call responder assesses the nature, scope, and potential impact of the incident.
  • Severity level assigned (Low / Moderate / Major / Critical).
  • Initial determination made of whether personal data may be involved.
  • Relevant personnel notified based on severity — engineering lead, leadership team, legal counsel where appropriate.

Phase 03

Containment
  • Immediate steps taken to prevent the incident from escalating or spreading.
  • Affected systems, accounts, or credentials isolated or revoked as required.
  • Evidence preserved for investigation — systems are not wiped before forensic review.
  • Short-term containment measures documented for later review.
  • Initial customer or regulatory communication triggered where severity requires it.

Phase 04

Eradication and recovery
  • Root cause identified and the vulnerability or attack vector removed.
  • Affected systems cleaned, restored from backup, or rebuilt as required.
  • Data integrity verified before services are returned to production.
  • Additional monitoring applied to confirm eradication is complete.
  • Customer communication updated with resolution status.

Phase 05

Post-incident review
  • Post-incident review conducted within five business days of resolution for all Major and Critical incidents.
  • Full timeline, root cause, and contributing factors documented.
  • Preventive actions identified, assigned, and tracked to completion.
  • Post-incident summary shared with affected customers for Major and Critical incidents.
  • Findings used to update detection rules, runbooks, or security controls.

Notification

Our notification obligations

Where a security incident involves a confirmed or suspected breach of personal data, Compass IoT has legal obligations to notify both affected customers and relevant regulatory bodies. These obligations vary by jurisdiction and are assessed as part of the incident classification process.

  • Customers — notified within 72 hours of a confirmed breach affecting their data, regardless of jurisdiction. Notification includes the nature of the incident, data categories affected, and steps being taken.
  • Australia — OAIC — eligible data breaches (likely to result in serious harm) must be reported to the Office of the Australian Information Commissioner within 30 days of becoming aware.
  • UK — ICO — personal data breaches must be reported to the Information Commissioner's Office within 72 hours of becoming aware, where the breach is likely to result in risk to individuals.
  • US — State regulators — breach notification requirements vary by state. Compass IoT will assess obligations under applicable state law and notify as required.

Responsible disclosure

External researchers who discover a suspected vulnerability in Compass IoT's platform are encouraged to report it to trust@compassiot.com with the subject line "Security Vulnerability." We will acknowledge all reports within one business day, keep reporters informed of our response, and not take legal action against researchers who follow responsible disclosure principles.

Testing

How we keep the plan ready

An untested incident response plan offers false confidence. Compass IoT maintains readiness through regular testing and continuous improvement.

  • Tabletop exercises are conducted at least annually, simulating realistic incident scenarios to test the plan and build team familiarity.
  • Detection rules and alerting configurations are reviewed quarterly.
  • Runbooks and contact lists are reviewed and updated at least annually and following any incident.
  • All employees complete security awareness training that includes incident reporting procedures.
  • Post-incident reviews are mandatory for all Major and Critical incidents, with findings incorporated into the plan within 30 days.

Plan review

Plan ownership and review

This Incident Response Plan is owned by the Compass IoT leadership team. It will be reviewed annually, following any Major or Critical incident, and whenever material changes occur to our platform, team structure, or regulatory environment.

Report an incident

Security team

To report a suspected security incident or vulnerability, contact us immediately.