Data Breach Notification Policy
Last Updated: March 2026
1. Purpose and Scope
This Data Breach Notification Policy ("Policy") establishes the procedures that InspectU ("InspectU") follows in the event of a personal data breach or security incident. This Policy applies to all Personal Data processed by InspectU in connection with the InspectU platform and related services.
This Policy is designed to ensure compliance with applicable data protection laws, including the GDPR, UK GDPR, CCPA, PIPEDA, the Australian Privacy Act 1988 (Notifiable Data Breaches scheme), and applicable U.S. state breach notification laws.
2. Definitions
| Term | Definition |
|---|---|
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed (as defined in GDPR Article 4(12)). |
| Security Incident | Any event that indicates that InspectU's information security policies or controls may have been compromised, including but not limited to unauthorized access attempts, malware infections, phishing attacks, system misconfigurations, and anomalous activity. A Security Incident may or may not constitute a Personal Data Breach. |
| Data Controller | The entity that determines the purposes and means of processing Personal Data. In the context of InspectU's services, this is typically the Customer. |
| Data Processor | InspectU, which processes Personal Data on behalf of the Controller. |
3. Internal Discovery and Escalation
3.1 Reporting Obligations
All InspectU employees, contractors, and service providers must report any suspected or confirmed data breach or security incident immediately upon discovery to:
- Email: security@inspectupro.com
Reports should include as much detail as possible, including what happened, when it was discovered, what systems or data may be affected, and any immediate actions taken.
3.2 Initial Assessment
Upon receiving a report, the Breach Response Team shall conduct an initial assessment within 4 hours of discovery. The initial assessment shall determine:
- Whether a Personal Data Breach has occurred or is ongoing.
- The scope and severity of the incident.
- Whether immediate containment measures are required.
3.3 Classification
Following the initial assessment, the incident shall be classified as:
- Confirmed Personal Data Breach: A security incident that has resulted in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- Security Incident (Non-Breach): A security event that did not result in a compromise of Personal Data but requires investigation and potential remediation.
4. Breach Assessment
For confirmed Personal Data Breaches, the Breach Response Team shall conduct a thorough assessment, documenting:
- Nature of the breach: Whether it involves confidentiality (unauthorized disclosure), integrity (unauthorized alteration), or availability (loss or destruction) of Personal Data.
- Categories of data subjects affected: e.g., employees, end users, administrators, third-party contacts, inspected individuals.
- Approximate number of data subjects affected.
- Categories of Personal Data records affected: e.g., names, emails, login credentials, inspection data.
- Approximate number of Personal Data records affected.
- Likely consequences for data subjects: e.g., identity theft, financial loss, reputational damage, loss of confidentiality.
- Measures taken or proposed to address the breach and mitigate its adverse effects.
5. Notification Timelines
InspectU shall comply with the following notification timelines:
| Recipient | Timeline and Requirements |
|---|---|
| EU/EEA Supervisory Authority (GDPR) | Within 72 hours of becoming aware of a breach likely to result in a risk to data subjects' rights and freedoms (Article 33 GDPR). |
| UK Information Commissioner's Office (UK GDPR) | Within 72 hours of becoming aware of a breach likely to result in a risk to data subjects' rights and freedoms. |
| Affected Individuals (GDPR/UK GDPR) | Without undue delay where the breach is likely to result in a high risk to the rights and freedoms of individuals (Article 34 GDPR). |
| Affected Customers (as Data Controllers) | Within 48 hours of InspectU becoming aware of a confirmed Personal Data Breach affecting the Customer's data. |
| California Attorney General (CCPA) | If the breach affects more than 500 California residents, notification to the California Attorney General is required. |
| Canadian Privacy Commissioner (PIPEDA) | As soon as feasible if the breach creates a real risk of significant harm to affected individuals. |
| Australian OAIC (NDB Scheme) | As soon as practicable, and in any event within 30 calendar days of becoming aware of a breach likely to result in serious harm. |
| State Attorneys General (U.S.) | In accordance with individual state breach notification laws, which may require notification within specified timeframes (commonly 30 to 60 days). |
6. Content of Notifications
6.1 To Supervisory Authorities
Notifications to supervisory authorities shall include:
- The nature of the Personal Data Breach, including categories and approximate numbers of data subjects and records affected.
- The name and contact details of InspectU's Data Protection Officer or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
6.2 To Affected Individuals
Notifications to affected individuals shall include:
- A clear, plain-language description of the nature of the breach.
- The name and contact details of InspectU's Data Protection Officer or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
- Specific steps that individuals can take to protect themselves (e.g., changing passwords, monitoring accounts, credit monitoring services).
6.3 To Customers (as Controllers)
Notifications to affected Customers shall include:
- The nature of the breach and how it was discovered.
- Categories of Personal Data affected.
- Approximate number of data subjects and records affected.
- Measures taken or proposed to contain and remediate the breach.
- Recommended actions for the Customer to take.
- Contact information for ongoing communication regarding the breach.
7. Record-Keeping
InspectU shall maintain detailed records of all Personal Data Breaches and Security Incidents, regardless of whether notification to a supervisory authority or data subjects is required. Records shall include:
- The facts relating to the breach, including date of discovery and date of containment.
- The effects and consequences of the breach.
- Remedial actions taken.
- Decisions regarding notification (including rationale if notification was not made).
- All communications related to the breach.
Breach records shall be retained for a minimum period of 5 years from the date of the breach.
8. Post-Breach Review
Following the resolution of any confirmed Personal Data Breach, InspectU shall:
- Conduct a root cause analysis within 30 calendar days of the breach resolution.
- Implement remedial measures to prevent recurrence of similar breaches.
- Update security measures, policies, and procedures as appropriate.
- Brief leadership, the Board (if applicable), and affected teams on the breach, its impact, and corrective actions.
- Update this Policy and related procedures if deficiencies are identified.
9. Breach Response Team
InspectU maintains a Breach Response Team responsible for managing data breach incidents. The team includes:
| Role | Responsibilities |
|---|---|
| Incident Lead | Overall coordination of breach response; decision-making authority; communication with executive leadership. |
| Data Protection Officer / Privacy Lead | Assessment of data protection implications; coordination of regulatory notifications; liaison with supervisory authorities. |
| Security Engineer | Technical investigation, containment, and remediation; forensic analysis; evidence preservation. |
| Legal Counsel | Legal risk assessment; regulatory compliance; coordination of notifications to affected individuals and authorities. |
| Communications Lead | Internal and external communications; customer notifications; media response (if applicable). |
| Customer Success Lead | Direct communication with affected customers; coordination of customer-specific remediation efforts. |
10. Testing and Training
InspectU shall:
- Conduct annual breach simulation exercises (tabletop exercises) to test the effectiveness of this Policy and the Breach Response Team's preparedness.
- Provide annual training to all employees on data breach identification, reporting, and response procedures.
- Review and update this Policy at least annually, or more frequently if required by changes in applicable law or lessons learned from incidents.
- Document the results of all simulation exercises and training sessions.