When Something Goes Wrong
We handle sensitive data: your business email. We have a documented incident response plan that covers what to do when things break, and more importantly, how we tell you about it.
How fast we respond
| Severity | Acknowledge | Notify |
|---|---|---|
| Critical: data breach, full outage | 30 minutes | 24 hours |
| High: partial degradation, security anomaly | 4 hours | 24 hours if affected |
| Medium: minor issue, no data at risk | Next business day | On request |
How we tell you about breaches
If your data is compromised, we tell you directly, in plain language, not legalese. What happened, what data was affected, what we're doing about it.
We also notify the relevant data protection authority within 72 hours when required by GDPR. For regulated clients, we can contractually commit to shorter notification SLAs.
After every incident
Every significant incident gets an internal post-mortem within one week: what happened, why, how we're preventing it from happening again. Affected customers receive a summary of relevant findings.
Found a vulnerability?
Email security@onbox.ing. We acknowledge reports within 48 hours, triage within 5 business days, and fix critical issues within 30 days. We don't take legal action against good-faith security researchers.