The Breach Notification Policy defines what botBrains does once it confirms an incident involves personal data: who we tell, what we tell them, and by when. It extends the Incident Management Policy, which remains the canonical home for detection, triage, containment, and root cause analysis. This policy covers only the notification obligations that follow.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to any personal data breach affecting data that botBrains processes, whether discovered by botBrains, a customer, or a subprocessor. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Our role determines our obligation

botBrains processes data in two roles, and the role sets who we must notify. See /trust/gdpr.
Data | botBrains role | Primary obligation on breach
Conversation and end-user personal data | Processor (customer is controller) | Notify the affected customer without undue delay so the controller can meet its own GDPR Article 33 and 34 duties.
Account and billing data | Controller | Notify the competent supervisory authority and, where required, affected individuals directly.

Notification timelines

Recipient | Trigger | Deadline
Affected customer (controller) | botBrains, as processor, becomes aware of a breach affecting their data | Without undue delay after becoming aware
Supervisory authority | botBrains, as controller, has a breach likely to result in a risk to individuals’ rights and freedoms | Without undue delay, and within 72 hours of becoming aware (GDPR Article 33)
Affected individuals | botBrains, as controller, has a breach likely to result in a high risk to their rights and freedoms | Without undue delay (GDPR Article 34)
“Becoming aware” means the point at which botBrains has a reasonable degree of certainty that a security incident has compromised personal data. If botBrains can’t notify the authority within 72 hours, it explains the delay and may provide information in phases as it becomes available.

What a notification contains

Each notification describes, to the extent known, the nature of the breach including the categories and approximate number of individuals and records affected, the likely consequences, the measures botBrains has taken or proposes to take to address the breach and mitigate harm, and a contact point for further information. Where botBrains is the processor, it provides this information to the customer so the controller can notify in turn. Where encryption or other measures render the data unintelligible to unauthorized parties (see Cryptography Policy), botBrains takes this into account when assessing risk to individuals.

Process

The CISO determines whether a confirmed incident is a personal data breach as part of the response lifecycle in the Incident Management Policy. On that determination the CISO assesses the risk to individuals, identifies which recipients listed earlier to notify and by when, drafts and sends the notifications, and records every notification (recipient, time sent, and content) in the incident log (Employees Only: Breach register), following the Employees Only: Data Breach playbook. Where a subprocessor notifies botBrains of a breach, the CISO treats that notice as the point of awareness and runs the same process. botBrains honors contractual notification terms in customer agreements and Data Processing Agreements alongside the statutory deadlines listed earlier.

Record keeping

botBrains documents every personal data breach regardless of whether the law requires notification, including the facts, its effects, and the remedial action taken, so it can show the record to a supervisory authority. botBrains retains records in line with the Data Retention Policy.

ISO 27001 mapping

This policy supports Annex A 5.26 (response to information security incidents) and gives effect to GDPR Articles 33 and 34. It works together with the Incident Management Policy (Annex A 5.24-5.28).

Enforcement and exceptions

Failure to escalate a suspected breach in time is a serious policy violation and may lead to disciplinary action. The CISO must approve and record any exception with a reason and an expiry date.

Review

The CISO owns this policy and reviews it at least annually and on any material change.