Breach Notification Policy

How we notify customers and regulators in the event of a personal data breach.

Version: 1.0
Published: April 21, 2026
Next review: April 21, 2027
Approved by: Larry Anglin

1. Purpose and scope

This Breach Notification Policy describes how TheAccessible.org detects, assesses, and notifies affected parties in the event of a personal-data breach — a confirmed security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed by the Service.

This policy supplements our Security Overview and the breach obligations set out in the Data Processing Addendum §11.

2. Detection and assessment

We monitor production systems continuously for anomalous access, authentication failures, and data egress. Alerts route to on-call staff 24×7.

On confirmation of a security incident:

  1. An incident commander is assigned within 1 hour.
  2. The incident is classified by severity (P1 critical through P4 informational).
  3. An assessment is started immediately to determine scope, root cause, and whether personal data was affected.
  4. Containment measures (credential rotation, access revocation, network isolation) are applied in parallel with the assessment.
  5. Evidence is preserved for forensic analysis and for any regulatory reporting.

If the assessment concludes that personal data was or is likely to have been compromised, the incident is escalated to a personal-data breach and the notification process in sections 3–5 begins.

3. Customer notification

We will notify affected customers of a personal-data breach without undue delay and in any event within 72 hours of confirmation, consistent with Article 33 GDPR and comparable obligations under U.S. state breach-notification laws.

Notifications are sent to the customer's designated security and billing contacts by email, with a follow-up available through the customer's account.

Where the full picture is not yet available within 72 hours, we will send an initial notification with the information then known and provide further information in phases as the investigation progresses.

4. Content of the notification

Each notification includes, to the extent known:

  • The nature of the breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal-data records concerned.
  • The likely consequences of the breach for affected individuals.
  • The measures taken or proposed to address the breach, including mitigations and steps recommended for the customer.
  • Contact information for a named point of contact from whom more information can be obtained (typically security@theaccessible.org).

If any of this information is not yet available, the notification will say so and indicate when an update is expected.

5. Regulatory notification

As a processor (acting on customer instructions), our role is to notify the customer, who as controller is responsible for notifying supervisory authorities and data subjects under applicable law. We will provide reasonable assistance to the customer in meeting those obligations.

As a controller (for personal data we control directly — for example, account and billing data), we will notify:

  • The competent EU/UK supervisory authority within 72 hours of becoming aware of a qualifying breach, as required by Article 33 GDPR / UK GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • U.S. state attorneys general, consumer-reporting agencies, and affected residents in accordance with the applicable state breach-notification statutes (including but not limited to California Civ. Code §1798.82, Texas Bus. & Com. Code §521.053, New York GBL §899-aa). Timelines vary by state; we act on the shortest applicable deadline.
  • Other regulators where required by law applicable to our processing (for example, HIPAA HHS notification where a Business Associate Agreement is in place, or PIPEDA notification in Canada).

Where a breach presents a high risk to affected individuals, we will also notify those individuals directly in accordance with Article 34 GDPR and comparable laws.

6. Post-incident reporting

Within 30 days of closing the incident, we provide affected customers with a written post-incident report covering:

  • A timeline of detection, containment, eradication, and recovery.
  • Root-cause analysis.
  • Scope: systems, data categories, and records affected.
  • Remediation completed and planned, with target dates.
  • Lessons learned and changes to controls, playbooks, or training.

Internally, material incidents are reviewed at the next security review, and corrective actions are tracked to completion.

7. Customer cooperation

We expect customers to promptly report any suspected compromise of their own credentials or instances of suspicious activity observed in their accounts to security@theaccessible.org. Timely customer reporting materially shortens our response time and reduces exposure for data subjects.

8. Changes to this policy

We will update this policy as our practices and applicable law evolve. The effective date appears at the top of this page. Prior versions are available from the version history link below.

9. Contact