Data Breach Policy

Updated: 18 May 2018


Siteimprove and its affiliates (collectively, “Siteimprove”) make every effort to protect the confidentiality, integrity, and availability of the Confidential Information and Personal Data of employees, customers and vendors. Siteimprove will respond promptly to investigate, contain, and mitigate any security incident that can lead to a Data Breach. Notice of a Data Breach will be provided to affected individuals and/or governmental agencies in accordance with applicable contractual and legal requirements. 


  • Confidential Information includes all information of Siteimprove, its employees, and its existing and potential customers, not generally known to the public, in printed, electronic, or any other form or medium. 
  • Personal Data includes any information related to an identified or identifiable natural person. Personal Data includes, but is not limited to: names, addresses, email addresses, and phone numbers.
  • Data Breach is defined as the unauthorized acquisition or access of unencrypted Confidential Information or Personal Data that compromises the confidentiality, integrity, or availability of that information. A Data Breach can occur not only virtually through computer networks but also physically through unauthorized access into Siteimprove locations or computers. A Data Breach can also include any breaches that affect third-party vendors that provide services or hosting to Siteimprove.

Incident response

As part of the information security policy, Siteimprove maintains a Security Incident Response Plan that is based on guidelines from NIST (800-61).

All employees are required to immediately notify the IT Department of any actual or suspected Data Breach – including events that affect third-party vendors. The IT Department will then follow the Security Incident Response Plan.


Siteimprove commits to notifying affected data controllers (customers/partners) via email, specifically the primary business contact registered upon contract signing, as soon as possible but no later than 48 hours after reasonable suspicion of a Data Breach. If there is an operational impact, an update can also be seen on