By George Curta · Last updated 2026-05-282026-05-28

Incident Response Plan

Document ID: ISMS-POL-003
Version: 1.0
Effective Date: December 29, 2025
Review Date: December 29, 2026
Classification: Internal

1. Purpose#

This Incident Response Plan establishes procedures for detecting, responding to, and recovering from information security incidents affecting anonym.legal systems and data.

2. Scope#

This plan covers:

Security incidents affecting the anonym.legal platform
Data breaches involving customer PII
System compromises and unauthorized access
Service disruptions affecting availability
Malware and ransomware incidents

3. Incident Classification#

3.1 Severity Levels#

Level	Name	Description	Response Time
P1	Critical	Data breach, system compromise, complete outage	Immediate (< 1 hour)
P2	High	Partial service disruption, suspected breach	< 4 hours
P3	Medium	Minor service degradation, security anomaly	< 24 hours
P4	Low	Security policy violation, minor issue	< 72 hours

3.2 Incident Categories#

Category	Examples
Data Breach	Unauthorized access to customer PII, data exfiltration
System Compromise	Malware infection, unauthorized system access
Denial of Service	DDoS attack, resource exhaustion
Account Compromise	Unauthorized account access, credential theft
Vulnerability Exploitation	Zero-day exploit, known vulnerability attack

4. Incident Response Team#

4.1 Roles and Responsibilities#

Role	Responsibilities
Incident Commander	Overall incident coordination, decision making
Technical Lead	Technical investigation and remediation
Communications Lead	Internal/external communications
Legal/Compliance	Regulatory notification, legal guidance

4.2 Contact Information#

Incident response contacts maintained in secure internal documentation.

5. Incident Response Phases#

5.1 Phase 1: Detection and Identification#

Objectives:

Detect security events through monitoring
Identify and classify incidents
Initial assessment of impact

Activities:

Monitor alerts from:
- System logs (journalctl)
- Application logs
- Security monitoring (brute force protection)
- Uptime monitoring
- Error tracking (Sentry)
Initial triage:
- Verify incident is genuine
- Classify severity level
- Document initial findings
Notification:
- Alert incident response team
- Escalate based on severity

5.2 Phase 2: Containment#

Objectives:

Limit incident impact
Preserve evidence
Prevent further damage

Short-term Containment:

Block malicious IP addresses (firewall/brute force protection)
Disable compromised accounts
Isolate affected systems
Revoke compromised credentials

Long-term Containment:

Apply temporary patches
Implement additional monitoring
Prepare for recovery

5.3 Phase 3: Eradication#

Objectives:

Remove threat from environment
Address root cause
Verify threat elimination

Activities:

Remove malware/unauthorized access
Patch vulnerabilities
Reset compromised credentials
Update security configurations
Verify system integrity

5.4 Phase 4: Recovery#

Objectives:

Restore normal operations
Verify system security
Monitor for recurrence

Activities:

Restore from clean backups (Hetzner snapshots)
Rebuild affected systems
Validate system functionality
Implement enhanced monitoring
Gradual service restoration

5.5 Phase 5: Post-Incident#

Objectives:

Document lessons learned
Improve security posture
Update procedures

Activities:

Incident documentation
Root cause analysis
Lessons learned meeting
Update security controls
Update incident response procedures

6. Communication Procedures#

6.1 Internal Communication#

Audience	Method	Timing
Incident Response Team	Secure messaging	Immediate
Management	Email/Phone	Within 1 hour (P1/P2)
All Staff	Email	As needed

6.2 External Communication#

Audience	Method	Timing
Affected Customers	Email	Within 72 hours of breach confirmation
Regulators (GDPR)	Formal notification	Within 72 hours of breach awareness
Media	Press release	As needed, via Communications Lead

6.3 Notification Template (Data Breach)#

Subject: Security Notification - anonym.legal

Dear [Customer],

We are writing to inform you of a security incident affecting your account.

What happened: [Description]
When: [Date/Time]
What data was affected: [Details]
What we are doing: [Actions taken]
What you should do: [Recommendations]

We apologize for any inconvenience and are committed to protecting your data.

For questions, contact: security@anonym.legal

7. Evidence Preservation#

7.1 Evidence Collection#

System logs
Network traffic captures
Memory dumps (if applicable)
File system snapshots
Authentication logs

7.2 Chain of Custody#

Document all evidence handling
Maintain integrity hashes
Secure storage of evidence
Access logging

8. Specific Incident Procedures#

8.1 Data Breach Response#

Immediate Actions:
- Identify scope of breach
- Contain data exposure
- Preserve evidence
Assessment:
- Determine data types affected
- Identify affected individuals
- Assess regulatory obligations
Notification:
- Notify affected individuals (within 72 hours)
- Report to supervisory authority (GDPR)
- Document all notifications

8.2 Account Compromise Response#

Immediate Actions:
- Lock affected account
- Force password reset
- Review account activity
Investigation:
- Determine method of compromise
- Check for lateral movement
- Review related accounts
Remediation:
- Reset credentials
- Enable 2FA
- Notify user

8.3 DDoS Attack Response#

Immediate Actions:
- Activate DDoS protection
- Implement rate limiting
- Contact hosting provider (Hetzner)
Mitigation:
- Block malicious traffic
- Scale resources if needed
- Monitor attack patterns
Recovery:
- Verify service restoration
- Analyze attack vectors
- Update protections

9. Testing and Maintenance#

9.1 Testing Schedule#

Tabletop exercises: Quarterly
Technical drills: Bi-annually
Full simulation: Annually

9.2 Plan Maintenance#

Review after each incident
Annual comprehensive review
Update contact information monthly

10. Document Control#

Version	Date	Author	Changes
1.0	2025-12-29	Security Team	Initial release

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

We follow these rules

GDPR (EU 2016/679).
ISO/IEC 27001:2022.
NIS2 (EU 2022/2555).
HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

We never sell your information to third parties.
We never train models on what you upload.
We never keep your work after you delete it.
We never share keys with any outside firm.
We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.

Incident Response Plan

1. Purpose#

2. Scope#

3. Incident Classification#

3.1 Severity Levels#

3.2 Incident Categories#

4. Incident Response Team#

4.1 Roles and Responsibilities#

4.2 Contact Information#

5. Incident Response Phases#

5.1 Phase 1: Detection and Identification#

5.2 Phase 2: Containment#

5.3 Phase 3: Eradication#

5.4 Phase 4: Recovery#

5.5 Phase 5: Post-Incident#

6. Communication Procedures#

6.1 Internal Communication#

6.2 External Communication#

6.3 Notification Template (Data Breach)#

7. Evidence Preservation#

7.1 Evidence Collection#

7.2 Chain of Custody#

8. Specific Incident Procedures#

8.1 Data Breach Response#

8.2 Account Compromise Response#

8.3 DDoS Attack Response#

9. Testing and Maintenance#

9.1 Testing Schedule#

9.2 Plan Maintenance#

10. Document Control#

About this page

Related reading

We follow these rules

Our promise

Where we run

Need help?

How we test

What we never do

Plans in plain words

Who built this

Where to start

How the parts fit

Words from our team

Common questions we hear

A short tour of the workflow