Breach Response
How we detect, assess, and notify (Art. 33/34).
Effective date: April 3, 2026. This document describes our breach detection, assessment, and notification procedures under GDPR Articles 33 and 34.
1. Detection & Containment
We monitor for security events via application audit logs, database access logs, and infrastructure alerts. Upon detection of a potential breach, the incident response team is activated within 1 hour. Affected systems are isolated immediately.
2. Assessment
Within 24 hours of detection, we assess: the nature of the breach, categories of data affected, number of data subjects impacted, likely consequences, and measures taken or proposed. All assessments are documented in our incident register.
3. Notification to Supervisory Authority (Art. 33)
If the breach is likely to result in a risk to rights and freedoms, we notify the relevant supervisory authority within 72 hours of becoming aware of it. The notification includes: nature of the breach, categories/numbers affected, likely consequences, and remediation measures.
4. Notification to Data Subjects (Art. 34)
If the breach is likely to result in a high risk to rights and freedoms, we communicate the breach directly to affected individuals without undue delay. Notification is made via email and in-platform notification; it describes the nature of the breach, the likely consequences, and the measures taken, and provides contact information for further inquiries.
5. Post-Incident Review
Within 14 days of resolution, we conduct a root-cause analysis, update security measures, and document lessons learned. Affected organizations are provided with a detailed incident report.