Data Breach Policy

Updated: 26 September 2019

Policy

Siteimprove and its affiliates (collectively, “Siteimprove”) make every effort to protect the confidentiality, integrity, and availability of the Confidential Information and Personal Data of employees, customers and vendors. Siteimprove will respond promptly to investigate, contain, and mitigate any security incident that can lead to a Data Breach. Notice of a Data Breach will be provided to affected individuals and/or governmental agencies in accordance with applicable contractual and legal requirements.

Definitions

  • Confidential Information includes all information of Siteimprove, its employees, and its existing and potential customers, not generally known to the public, in printed, electronic, or any other form or medium.
  • Personal Data includes any information related to an identified or identifiable natural person. Personal Data includes, but is not limited to: names, addresses, email addresses, and phone numbers.
  • Data Breach is defined as the unauthorized acquisition or access of unencrypted Confidential Information or Personal Data that compromises the confidentiality, integrity, or availability of that information. A Data Breach can occur not only virtually through computer networks but also physically through unauthorized access into Siteimprove locations or computers. A Data Breach can also include any breaches that affect third-party vendors that provide services or hosting to Siteimprove.

Incident response

Siteimprove maintains a Security Incident Response Plan that is based on guidelines from NIST's Computer Security Incident Handling Guide (800-61).

All employees are required to immediately notify the IT Department of any actual or suspected Data Breach – including events that affect third-party vendors. The IT Department will then follow the Security Incident Response Plan in order to:

(i) determine whether a Data Breach has taken place, and
(ii) if a Data Breach has been found, undertake measures to manage the Data Breach.

However, it should be noted that a Data Breach can appear in various forms, so the specific assessment and measures to be taken will always depend on the specific case at hand.

Notification

Following the Security Incident Response Plan, the Breach Notification Team is responsible for handling all communication (internal and external) once a Data Breach has been found. In addition, if the Data Breach involves Personal Data, the IT Department (more specifically the Information Security Manager, acting as security incident coordinator) will notify Siteimprove Legal as soon as the Personal Data Breach becomes apparent.

Siteimprove Legal will then follow the Data Breach Notification Process in order to determine whether notification of supervisory authorities and affected data subjects is required.

Notification commitment as data processor

Siteimprove, in its role as data processor, commits to notifying affected data controllers (customers and partners) via email, specifically the primary business contact registered upon contract signing, as soon as possible and no later than 48 hours after reasonable suspicion of a Data Breach. If there is an operational impact, an update can also be seen on status.siteimprove.com.

Notification commitment as data controller

Siteimprove, in its role as data controller, commits to notification via email:

(i) to affected Siteimprove employees, as required by applicable law and following the Data Breach Notification Process.

(ii) to affected customers/vendors/partners, when acting as data controller with regard to their employees' Personal Data, as required by applicable law and following the Data Breach Notification Process.