Data Breach Policy

Updated: 18 May 2018

Policy

Siteimprove and its affiliates (collectively, “Siteimprove”) make every effort to protect the confidentiality, integrity, and availability of the Confidential Information and Personal Data of employees, customers and vendors. Siteimprove will respond promptly to investigate, contain, and mitigate any security incident that can lead to a Data Breach. Notice of a Data Breach will be provided to affected individuals and/or governmental agencies in accordance with applicable contractual and legal requirements. 

Definitions

  • Confidential Information includes all information of Siteimprove, its employees, and its existing and potential customers, not generally known to the public, in printed, electronic, or any other form or medium. 
  • Personal Data includes any information related to an identified or identifiable natural person. Personal Data includes, but is not limited to: names, addresses, email addresses, and phone numbers.
  • Data Breach is defined as the unauthorized acquisition or access of unencrypted Confidential Information or Personal Data that compromises the confidentiality, integrity, or availability of that information. A Data Breach can occur not only virtually through computer networks but also physically through unauthorized access into Siteimprove locations or computers. A Data Breach can also include any breaches that affect third-party vendors that provide services or hosting to Siteimprove.

Incident response

Siteimprove maintains a Security Incident Response Plan that is based on guidelines from the National Institute of Standards and Technology's Computer Security Incident Handling Guide (Special Publication 800-61).

All employees are required to immediately notify the IT Department of any actual or suspected Data Breach, including events that affect third-party vendors. The IT Department will then follow the Security Incident Response Plan.

Notification

Siteimprove commits to notifying affected individuals via email as soon as possible but no later than 72 hours after reasonable suspicion of a Data Breach.