Incident Response Policy

1. Purpose

Teravent Limited is committed to advancing carbon removal responsibly, with a strong emphasis on maintaining secure systems and safeguarding sensitive information. The purpose of this Incident Response Policy is to define Teravent’s approach to identifying, reporting, responding to, and managing incidents involving information security and data breaches. The policy establishes clear responsibilities for staff, outlines the scope of incidents, and sets expectations for reporting, remediation, and feedback mechanisms.

The policy aims to foster a culture of openness, trust, and integrity, ensuring that employees understand how to respond to incidents in a manner that protects the company, its employees, partners, and customers from harm, whether intentional or unintentional. It emphasizes the importance of prompt action, transparency, and adherence to applicable legal and regulatory obligations. The policy will be widely communicated and made readily available to all Teravent personnel whose roles involve information security or the handling of sensitive data.

2. Scope

This Policy applies to all Teravent employees and to all assets owned or managed by the company. Teravent will communicate the expectations and importance of the incident response process to all staff, as well as to external stakeholders such as contractors who interact with Teravent systems. Employees are required to familiarize themselves with the Policy and to follow the procedures relevant to their roles, ensuring consistent and effective management of information security incidents.

3. Definitions

An incident encompasses any event that compromises the confidentiality, integrity, or availability of Teravent’s information or systems. Examples include, but are not limited to, the loss, theft, or unauthorized access to data; unintended modification of information; changes to system hardware, firmware, or software without proper authorization; unplanned service disruptions; and unauthorized use of systems or resources.

A breach is defined as the acquisition, access, use, or disclosure of non-public information in a manner not permitted by applicable laws or regulations, which compromises the security or privacy of that information. Breaches do not include unintentional access or use of information by employees acting in good faith within the scope of their authority, provided that such access does not result in further unauthorized use or disclosure.

4. Policy

Incident Reporting

All employees are required to report any incidents, suspected incidents, or potential vulnerabilities as soon as they are discovered. Reports may be submitted through internal incident management tools, via email to Teravent’s Security Team, or directly to the employee’s Line Manager. Members of the public who identify security vulnerabilities related to Teravent systems are encouraged to submit a report to the designated security contact.

The Security Team actively monitors these channels and initiates an investigation into any reported incidents within three working days of notification.

Incident Response

Upon identification of an incident affecting Teravent’s protected or sensitive information, the company will act immediately to contain the incident and remove any unintended access. A coordinated response will be established through designated communication channels, such as secure messaging platforms, and alternative channels will be used if these are suspected to be compromised.

An Incident Manager, typically an on-call engineer or a senior staff member depending on the severity of the incident, will coordinate the response. The response team may include representatives from Technology, Legal, Communications, Client Services, Human Resources, the affected operational departments, and any other personnel deemed necessary to address the incident.

If the incident involves theft, breach, or exposure of sensitive information, it will be escalated to Teravent’s Leadership Team. The Incident Manager role may then be assumed by a member of Leadership, and all communication related to the incident will be restricted to secure and private channels to prevent unauthorized disclosure.

If legal proceedings, such as prosecution of a criminal, are deemed necessary, Teravent will engage the relevant law enforcement authorities and carefully preserve all evidence in accordance with legal requirements.

Communication and Responsible Disclosure

The Incident Manager will work in collaboration with Teravent’s Legal, Communications, and Human Resources teams to determine the appropriate communication plan for the incident. This plan will cover internal notification to employees, external disclosure to the public, and notification to any individuals or entities directly affected.

Where required by law or regulation, Teravent will notify affected customers and stakeholders about breaches or exposure of sensitive information. For incidents involving third-party providers, Teravent will require that the provider notify the company of any breaches, and Teravent will ensure that affected parties are informed in compliance with regulatory obligations.

If a law enforcement official advises that a notification could compromise a criminal investigation or national security, Teravent will comply with the official guidance. Written instructions specifying the duration of the delay will be followed, and any oral statements will be documented, with notification delayed for no longer than thirty days unless further written guidance is received.

5. Violations and Review

Employees who become aware of potential violations of this Policy are required to report them promptly to their Line Manager. Teravent may take disciplinary action, up to and including termination of employment, against any individual who breaches the Policy.

This Incident Response Policy will be reviewed at least annually to ensure its effectiveness and continued alignment with Teravent’s operational and legal requirements. Updates will be made as necessary to address changes in the threat landscape, regulatory obligations, or internal procedures.