Incident Management Policy
Last updated: February 25, 2026
This Incident Management Policy describes how Letted Ltd ("Letted", "we", "us", or "our") detects, responds to, and learns from security incidents and personal data breaches.
1. Purpose
No system is immune to incidents. This policy makes sure we have a clear, repeatable process for handling them, meeting our legal obligations, and reducing the chance of the same thing happening again.
2. What Counts as an Incident
An incident is any event that compromises or could compromise the confidentiality, integrity, or availability of personal data or platform systems. Examples include:
- Unauthorised access to systems or data
- Accidental loss or disclosure of personal data
- A security vulnerability being actively exploited
- Prolonged or unplanned platform downtime
- Suspicious activity on user accounts
3. Detection and Reporting
All team members are expected to report suspected incidents immediately through our internal communication channels. We also use automated monitoring and alerting to detect issues early.
There is no penalty for reporting a suspected incident that turns out not to be one. We would rather investigate something that turns out to be nothing than miss a real problem.
4. Classification
When an incident is reported, we assess it based on:
- Severity: How serious is the actual or potential impact?
- Scope: How many users or records are affected?
- Data sensitivity: Does the incident involve personal data, financial data, or tenant information?
This classification determines how urgently we respond and whether we need to notify anyone externally.
5. Containment and Resolution
Our immediate priorities are to:
- Contain the incident to prevent further damage
- Preserve evidence for investigation
- Identify the root cause
- Fix the underlying issue
- Restore normal service
6. Notification
ICO Notification
If a personal data breach is likely to result in a risk to individuals, we notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
Affected Individuals
Where a breach is likely to result in a high risk to individuals, we notify those individuals directly without undue delay, as required by UK GDPR Article 34.
Landlord Notification
Where the incident involves tenant data processed on behalf of a landlord, we notify the affected landlord promptly so they can fulfil their own obligations as the data controller.
7. Record-Keeping
We maintain a log of all incidents, including:
- Date and time the incident was detected
- Description of what happened
- Classification and severity
- Actions taken to contain and resolve it
- Whether external notification was required
- Outcome of any post-incident review
8. Post-Incident Review
After every significant incident, we carry out a post-incident review. The goal is to understand what happened, what went well, what could be improved, and what changes we should make to prevent a recurrence. We document the findings and track any follow-up actions.
9. Review
This policy is reviewed at least once a year or after any significant incident.
10. Contact
If you need to report a security concern or suspected breach, contact:
Letted Ltd
22 St. Albans Road
Bristol, England, BS6 7SJ
Email: support@letted.com
