Breach Notification Policy

Data Breach Response Procedures

Last updated: March 3, 2026

1. Purpose

This policy outlines Chatlo Notes's procedures for detecting, responding to, and notifying affected parties in the event of a personal data breach, in compliance with GDPR Articles 33 and 34, the CCPA, and India's DPDPA.

2. What Constitutes a Data Breach

A personal data breach is a security incident that leads to the accidental or unlawful:

  • Destruction — Data is permanently lost or corrupted beyond recovery.
  • Loss — Data can no longer be accessed by authorized users.
  • Alteration — Data is modified without authorization.
  • Unauthorized disclosure — Data is shared with or accessed by unauthorized parties.
  • Unauthorized access — An unauthorized person gains access to personal data systems.

3. Response Timeline

0 – 4 hours

Detection & Containment

  • Identify and confirm the breach
  • Contain the breach to prevent further data loss
  • Preserve evidence for investigation
  • Activate the incident response team

4 – 24 hours

Assessment & Documentation

  • Determine the scope and severity of the breach
  • Identify categories and volume of affected data
  • Assess risk to affected individuals
  • Document all findings and actions taken

24 – 72 hours

Notification

  • Notify relevant supervisory authorities (within 72 hours per GDPR)
  • Notify affected individuals if the breach poses a high risk to their rights and freedoms
  • Notify business customers (Controllers) per DPA obligations
  • Provide details: nature of breach, data affected, measures taken

72+ hours

Remediation & Review

  • Implement measures to prevent recurrence
  • Conduct post-incident review
  • Update security policies and procedures as needed
  • Document lessons learned

4. Notification Content

Breach notifications will include:

  • Nature of the personal data breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Name and contact details of the Data Protection Officer
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Recommendations for affected individuals to protect themselves

5. Notification Channels

  • Supervisory authorities — Formal written notification within 72 hours.
  • Affected individuals — Email notification using registered email addresses.
  • Business customers — Direct notification per DPA terms plus email.
  • Public disclosure — If required by law or if individual notification is not feasible, a notice will be posted on our website.

6. Preventive Measures

We take the following steps to minimize breach risk:

  • Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
  • OAuth 2.0 authentication — no password storage
  • Firestore security rules enforcing per-user data isolation
  • Regular review of access controls and security configurations
  • Dependency vulnerability monitoring
  • Infrastructure hosted on Google Cloud with SOC 2/ISO 27001 certifications

7. Reporting a Suspected Breach

If you suspect a data breach or security vulnerability, please report it immediately:

Security team: security@chatlo.io

Privacy / DPO: privacy@chatlo.io

General support: support@chatlo.io

8. Record Keeping

All data breaches, whether or not they require notification, will be documented in an internal breach register. This register records the details of each breach, its effects, the remedial actions taken, and the reasoning behind notification decisions. Records are retained for a minimum of 5 years.