Data Breach Policy
Last updated: 21 August 2023
Introduction
Railsware Products Studio LLC. (herein, “TitanApps”) may collect, hold, process and share Personal Information that Smart Checklist Add-on users on their free will provide us when submitting support or a feature request, send us an email, or in any other way supply our team with their Personal Information.
TitanApps treats Personal Data with utmost care and works towards ensuring its complete privacy and security at all times. Our team takes the necessary measures to avoid a data breach that could compromise the high level of confidentiality and security that our Add-on offers.
We understand that compromising Personal Data security and confidentiality may bring in a number of negative consequences for both our customers and users, as well as the reputation of our company in general.
Purpose
The Add-on is obliged under the Data Protection Legislation to establish a formal framework, or a set of mechanisms, that are designed to ensure the security of all Personal Data during its lifecycle, including clear lines of responsibility.
This Policy sets out the procedure to follow when managing the Add-on data breach cases and other security incidents.
This Policy covers all types of Personal Information held by TitanApps regardless of format.
This Policy applies to all customers and users of the Smart Checklist Add-on (free cloud, paid cloud, paid server, and paid datacenter versions).
The main goal of this Policy is to make sure that the TitanApps staff is prepared to act quickly in the event of a data breach in order to minimize the risk associated with it, analyze the incident and consider what action is necessary to secure Personal Data and prevent further breaches.
Definitions
GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized. disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Data security breaches include both confirmed and suspected incidents.
An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity, or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to the TitanApps information assets and/or reputation.
An incident includes but is not restricted to, the following:
loss or theft of data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record)
equipment theft or failure
system failure;
unauthorized use of, access to or modification of data or information systems
attempts (failed or successful) to gain unauthorized access to information or IT system(s)
the disclosure of data
website defacement
hacking attack
unforeseen circumstances such as a fire or flood
human error
‘blagging’ offenses where information is obtained by deceiving the organization that holds it.
Responding to personal data breaches
Any individual who works at TitanApps and has the rights to access, use or manage the information, is responsible for reporting the data breach and information security incidents.
The TitanApps representative who discovered a data breach files an App Security Incident ticket immediately upon their detection and stays available to communicate with the Atlassian security team during resolution and inform them via the ticket when the incident is resolved.
The App Security Incident ticket form includes:
The name of the Add-on
Description of the data breach
Indicate the Severity Level of the incident
Indicate which Atlassian products (and type of license) this Add-on is for
Define the framework which the Add-on uses
The app key - this is your provided app key in the marketplace that's affected by this incident. This helps our Product team prioritize. It may be left blank if not needed.
Any kind of additional documents or screenshots that can help understand the problem better.
Straight after that, the individual reports to the Data Protection Officer (at legal@railsware.com) and Smart Checklist Add-on Support Service (at smartchecklist@railsware.com).
The data breach or security incident report must include:
Description of the data breach which includes the accurate details of the incident
The type of personal information involved
If the incident relates to Personal Information
how many people are involved;
if not - what category of data the incident relates to.
Which systems were affected
The cause of the breach (if known) and how it was discovered
When the incident occurred (the date and time)
Who reports the incident
TitanApps documents the incident using the template which can be found in Appendix 1 to this Policy.
If any of the Add-on users or customers were affected, our team takes the necessary steps to inform them about the data breach, describing:
The nature of the personal data;
Let them know the name and the contact details of the Data Protection Officer who can answer their questions and supply them with more information;
Explain the possible consequences of the incident;
Let them know about the measures takes or suggested to be taken in order to address the incident, and where appropriate, mitigate adverse possible effects.
Containment and recovery
The Data Protection Officer (DPO) will first determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimize the effect of the breach.
An initial assessment will be made by the DPO in liaison with the relevant officer(s) to establish the severity of the breach. After that, the DPO will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
The DPO, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the incident.
Investigation and risk assessment
An investigation will be undertaken by the DPO immediately and wherever possible, within 24 hours of the breach being discovered/reported.
The DPO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
The investigation will need to take into account the following:
its sensitivity;
the protections are in place (e.g. encryptions);
what has happened to the data (e.g. has it been lost or stolen;
whether the data could be put to any illegal or inappropriate use;
data subject(s) affected by the breach, number of individuals involved, and the potential effects on those data subject(s);
whether there are wider consequences to the breach.
Evaluation and response
Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s), and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimize the risk of similar incidents occurring.
The review will consider:
where and how personal data is held and where and how it is stored
where the biggest risks lie including identifying potential weak points within existing security measures
whether methods of transmission are secure; sharing the minimum amount of data necessary;
staff awareness;
implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security.
If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by TitanApps.
Policy Review
This policy will be updated as necessary to reflect best practices and to ensure compliance with any changes or amendments to relevant legislation.
Contact details
Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:
The Data Protection Officer
The Smart Checklist Support Team
E: smartchecklist@railsware.com
Appendix 1
Data Breach Process Form
Section 1: Notification of data security breach | To be completed by a person who reports an incident |
|---|---|
Date and time when an incident was discovered | |
Date and time when an incident occurred | |
Place of an incident | |
Description of a breach
| |
What tools or systems were affected, if any? | |
A brief description of any action that has been taken in order to contain the breach | |
Name of the person reporting a breach | |
Contact details of the person reporting the incident | |
Section 2: Assessment severity | To be completed by the DPO |
What is the nature of the information loss? | |
How much data has been lost? If any of the devices have been lost/stolen, has the device been backed up onto central IT systems? | |
Does the information relate to the Smart Checklist users or customers? | |
How many data subjects are affected? | |
Is the data bound by any contractual security arrangements? | |
Provide the types of information that were affected. | |
Section 3: Actions take | To be completed by the DPO |
Incident number | |
The report reviewed by: | |
On (date): | |
An action was taken by responsible officer/s: | |
Follow up action required/recommended: | |
Reported to other internal or external stakeholders (dates, details) | |
Section 4: Notifications | To be completed by the DPO |
Notification to Atlassian | |
Notification to data subjects | |
Notification to other external, regulator/stakeholder |