Incident Response & Breach Notification
Our commitments when security incidents affect the platform or your personal data.
Scope
This policy covers security incidents affecting Thrive systems, subprocessors in our chain, or personal data processed on behalf of users. It applies to Thrive DeFi, LLC and the Thrive platform (app.thrive.fi, thrive.fi).
Detection & response
- Automated monitoring via error tracking, infrastructure logs, database alerts, and payment fraud tools
- On-call platform owner triages severity (P1–P4) within 1 hour of confirmed P1
- Containment: rotate credentials, revoke sessions, disable affected routes if needed
- Eradication and recovery per internal DR runbook
- Post-incident review within 5 business days — root cause, timeline, remediation
Personal data breach notification
Where a breach is likely to result in risk to your rights and freedoms, we will:
- Notify supervisory authorities within 72 hours where required under GDPR / UK GDPR (Article 33)
- Notify affected users without undue delay when required (Article 34) — via email to your account address and/or in-app notice
- Document nature of breach, categories of data, approximate number of subjects, likely consequences, and measures taken
Incidents that do not involve personal data (e.g. a brief API outage) are communicated on /status when they are user-facing.
Subprocessor incidents
We monitor subprocessors in our vendor chain. When a subprocessor reports a breach affecting Thrive data, we assess impact, coordinate with the vendor, and notify users if our data is affected. Processor categories are published on our Subprocessors page; the full vendor list is available under enterprise agreement.
Contact
Security incidents: security@thrive.fi
Privacy / breach notification: privacy@thrive.fi