Draft pending counsel review.
Last updated: 27 May 2026
This Policy describes how Brand Atlas responds to personal data breaches and notifies affected parties.
1. The standard
In the event of a personal data breach affecting customer data, we notify affected customers (and supervisory authorities where required) within 72 hours of becoming aware of the breach. The 72-hour clock runs from the moment we become aware of the breach, not from the end of the investigation. This standard meets the supervisory-authority deadline in GDPR Article 33(1) and the UK GDPR, the processor-to-controller duty under Article 33(2) to notify without undue delay, and equivalent requirements under the PDPL and other applicable laws.
For breaches that pose high risk to data subjects, we notify data subjects without undue delay, as required by GDPR Article 34.
2. What counts as a breach
A personal data breach is a security incident leading to:
- Accidental or unlawful destruction of personal data.
- Loss of personal data.
- Alteration of personal data.
- Unauthorised disclosure of personal data.
- Unauthorised access to personal data.
Not every security incident is a breach. An attempted intrusion that did not succeed is not a breach, although it is still recorded in the incident register. A vulnerability that exists but has not been exploited is not a breach (it is a vulnerability, handled through the Vulnerability Disclosure process). A service outage is not a breach unless it affected the confidentiality, integrity, or availability of personal data; an outage during which personal data became unavailable, even temporarily, does meet the definition.
3. Detection
We detect breaches through:
- Internal monitoring. Automated alerts on anomalous patterns (failed sign-ins at scale, unexpected outbound traffic, suspicious database access).
- Customer reports. Customers reporting unusual activity on their accounts.
- Researcher reports. Through the vulnerability disclosure channel.
- Sub-processor notifications. Sub-processors are contractually required to notify us within 48 hours of breaches affecting our data.
- Authority notifications. Where authorities inform us of an issue.
4. Response process
On detection of a possible breach:
- Triage. Assess whether the incident meets the breach definition.
- Assemble. Bring the response team together (security lead, legal lead, customer success lead).
- Contain. Stop the breach from continuing (revoke compromised credentials, isolate affected systems, block attacker access).
- Investigate. Determine the scope: what data, whose data, how, when, by whom.
- Notify. Within 72 hours of becoming aware of the breach (not of completing the investigation): affected customers, supervisory authorities (where required by GDPR/PDPL/CCPA), and data subjects where the breach poses high risk. If the full facts are not yet known, we notify with what is confirmed and follow up in phases.
- Remediate. Apply the fix that prevents recurrence.
- Post-incident review. Document the incident, root cause, response timeline, and lessons learned.
- Improve. Roll the lessons into the security programme.
5. Notification content
Notifications include:
- The nature of the breach.
- The categories and approximate number of data subjects affected.
- The categories and approximate number of records affected.
- The likely consequences.
- The measures taken or proposed to address and mitigate.
- The contact for further information.
We send notifications via email to the brand owner of each affected atlas. For breaches affecting data subjects beyond Brand Atlas’s direct customers (where the customer is the controller), we provide the customer with the information needed to notify their data subjects.
6. Notification to authorities
- GDPR / UK GDPR: Within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to data subjects. Where notification is made later than 72 hours, it is accompanied by the reasons for the delay, as Article 33(1) requires.
- PDPL (UAE): As required by the Executive Regulation; we align with the 72-hour standard.
- California (CCPA / CPRA and Civil Code §1798.82): Notification to the California Attorney General where required, which under §1798.82 applies to breaches requiring notice to more than 500 California residents.
- Other jurisdictions: As applicable law requires.
7. Notification to data subjects
Where the breach is likely to result in high risk to data subjects’ rights and freedoms, we notify them directly without undue delay, per GDPR Article 34 and equivalent provisions. The notification uses plain language and includes:
- The nature of the breach.
- The likely consequences.
- The measures taken.
- Steps the data subject can take to protect themselves.
- A contact for further information.
We may communicate publicly (e.g., via the status page or a notice on the marketing site) where individual notification is disproportionately difficult.
8. Communication discipline during incidents
During an open incident:
- Customer notifications are coordinated through a single, accountable channel.
- The status page is updated as facts are confirmed.
- We do not speculate publicly; we share what we know and what we are still investigating.
- We update affected customers as the investigation progresses, not only at the end.
9. Coordination with customers as controllers
Where the customer is the controller of personal data processed by the Service, our notification to the customer enables the customer to make their own notifications to their data subjects and supervisory authorities within their own deadlines. We provide the technical and forensic information the customer needs to make those notifications credibly: what data was affected, whose, how, when, and what has been done to contain it.
10. Documentation
All breaches and suspected breaches are documented in an internal incident register, including:
- Date and time of detection and resolution.
- Nature and scope.
- Response actions taken.
- Notifications made.
- Root cause analysis.
- Remediation plan.
The register is reviewed quarterly.
11. Reporting suspected incidents
Customers who suspect a breach affecting their atlas should write to security@brandatlas.pro immediately. We treat these reports as priority.
12. Changes
We may update this Policy as our practices, the regulatory landscape, or the threat environment evolves.
What changed
- 27 May 2026: Initial draft published for counsel review.