Data Breach Response Policy

Overview

The purpose of this policy is to define the goals and the vision for the data breach response process. This document defines the individuals and stakeholders to whom it applies and the circumstances that fall under it. It also includes the definition of a breach, standards, and metrics, in addition to reporting, remediation, and feedback mechanisms.

This policy document shall be circulated publicly and made easily available to all personnel whose work responsibilities are related to data privacy and security protection. Appy Pie publishes a Data Breach Response Policy to give due attention to data security and data security breaches, and to how Appy Pie’s established culture of openness, trust and integrity responds to any such activity. Appy Pie is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. Appy Pie is a property of Appy Pie LLP.

Background

It is mandated by the policy that any individual who suspects that a theft, breach or exposure of Personal Data (as defined in our Terms of Use) has occurred must immediately provide a description of the events that transpired via email to security@appypie.com or by calling +1 888 322 7617. This email address and phone number are monitored by T. N. Pandeya, Appy Pie’s CISO. Appy Pie will investigate all reported thefts, data breaches and exposures to confirm if such a theft, breach or exposure has indeed occurred. If it is established that a theft, breach, or exposure has occurred, the CISO follows the prescribed process in place.

Scope

This policy applies to all individuals and stakeholders who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or in any other way handle Personally Identifiable Information (PII) of Appy Pie and its customers’ constituents.

Policy

Confirmed theft, data breach or exposure of Protected data or Sensitive data

  1. As soon as a theft, data breach or exposure containing Personal Data is identified, the process of removing all access to that resource will begin.
  2. The CISO will chair an incident response team to handle the breach or exposure.
  3. The CEO will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

Work with Forensic Investigators

As provided by Appy Pie’s cyber insurance, the insurer will need to provide access to forensic investigators and experts who will determine how the breach or exposure occurred, the types of data involved, and the number of internal/external individuals and/or organizations impacted, and who will analyze the breach or exposure to determine the root cause.

Communication plan

There is a defined plan to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

  1. Appy Pie will notify all customers whose data is confirmed exposed or stolen within 72 hours of confirmation via email and/or phone.
  2. Appy Pie will work with customers to appropriately report the data breach to all affected parties.