Data Breach Policy

This Policy sets out the procedure to ensure an effective approach is in place for managing data breach and information security incidents on Healthchecks.io.

Scope

This Policy relates to all customer data held by Healthchecks.io. The customer data includes both the limited amount of personal data that Healthchecks.io stores (e.g., user email addresses) and business data (check names and descriptions, integration API tokens, IP addresses of client systems, and similar).

Types of Breach

For this Policy, data security breaches include both confirmed and suspected incidents. Types of incidents include but are not limited to:

  • Hacking incidents.
  • Loss or theft of computing devices, data storage devices, or paper records containing sensitive data.
  • Errors or bugs in the Healthchecks.io website or API.
  • Failure of cloud services or cloud storage.
  • Human error.

Reporting an Incident

Any individual who accesses, uses, or manages Healthchecks.io information is responsible for reporting data breach and information security incidents immediately to our Data Protection Officer, PÄ“teris Caune, at contact@healthchecks.io.

Containment

Upon being notified of a suspected or confirmed data breach, the Data Protection Officer (DPO) will determine if the breach is still occurring. If so, the DPO will take the appropriate steps to contain the breach:

  • Shut down the compromised system that led to the data breach.
  • Prevent further unauthorized access to the system.
  • Reset passwords of any compromised accounts.
  • Where applicable, change the access rights to the compromised system and remove external connections to it.

Investigation and Risk Assessment

The DPO will investigate the breach and determine whether there could be severe consequences to affected individuals or organizations:

  • What caused the data breach?
  • When and how did the breach occur?
  • Who might gain access to the compromised data?
  • Does the compromised data affect transactions with any third parties?

Notification

The DPO will notify any affected customers without undue delay. The notification will include a description of when and how the breach occurred and the data involved. It will give specific advice on what they can do to protect themselves, and describe what actions have been already to mitigate the risks.

If the breach involves personal data, the DPO will notify Supervisory Authority within 72 hours of becoming aware of the breach.

The DPO will consider notifying third parties such as the police if criminal activity is suspected.

Evaluation and Response

After resolving the data breach, the DPO will review the cause of the breach. The DPO will evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring. After completing the review, the DPO will prepare and publish a public report of the breach on Healthchecks.io.

This document was last updated on October 28, 2022.