TyriaCore Incident Response & Notification Policy
Last Updated: February 20, 2026
This policy describes Provider's general incident response and notification practices.
This policy is incorporated by reference into the Agreement between Provider and Customer to the extent referenced in an Order Form or otherwise incorporated into the Agreement.
Order of precedence. If there is a conflict between this policy and the Agreement (or an Order Form, SOW, DPA, or BAA), the order of precedence in the Agreement controls. If a DPA or BAA applies, those terms control for Personal Data breaches or PHI breaches to the extent of conflict.
No expanded liability. Provider's limitations of liability, exclusions of damages, and remedies limitations in the Agreement apply.
1. Incident Response Program
Provider maintains a documented incident response plan designed to support:
- detection and triage;
- containment, investigation, and mitigation;
- recovery and post-incident review; and
- communications consistent with legal, security, and confidentiality requirements.
2. Customer Data Security Incidents (General)
A "Customer Data Security Incident" is a confirmed incident that results in:
- unauthorized access to, acquisition of, or disclosure of Customer Data in Provider systems, or
- a confirmed material compromise of the confidentiality, integrity, or availability of Customer Data in Provider systems,
excluding unsuccessful attacks and events that do not result in unauthorized access or such material compromise (e.g., routine pings, port scans, unsuccessful login attempts).
If Provider confirms a Customer Data Security Incident, Provider will notify Customer without undue delay following confirmation, and will provide information reasonably necessary for Customer to understand the nature of the incident and Provider's mitigation steps, consistent with legal and security constraints.