
# Breach Notification Policy

> Breach Notification Policy defines our obligations and timelines for notifying authorities and affected parties of a data breach

export const PolicyVersion = ({version, effective}) => <p><strong>Version {version}</strong> · Effective {effective}. Change history is tracked in version control.</p>;

The Breach Notification Policy defines what botBrains does once it confirms an incident involves personal data: who we tell, what we tell them, and by when. It extends the [Incident Management Policy](/trust/policies/incident-management-policy), which remains the canonical home for detection, triage, containment, and root cause analysis. This policy covers only the notification obligations that follow.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<PolicyVersion version="1.0" effective="July 1, 2026" />

## Scope

This policy applies to any personal data breach affecting data that botBrains processes, whether discovered by botBrains, a customer, or a subprocessor. A **personal data breach** is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

## Our role determines our obligation

botBrains processes data in two roles, and the role sets who we must notify. See [/trust/gdpr](/trust/gdpr).

| Data                                    | botBrains role                     | Primary obligation on breach                                                                                       |
| --------------------------------------- | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Conversation and end-user personal data | Processor (customer is controller) | Notify the affected customer without undue delay so the controller can meet its own GDPR Article 33 and 34 duties. |
| Account and billing data                | Controller                         | Notify the competent supervisory authority and, where required, affected individuals directly.                     |

## Notification timelines

| Recipient                      | Trigger                                                                                                 | Deadline                                                                 |
| ------------------------------ | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| Affected customer (controller) | botBrains, as processor, becomes aware of a breach affecting their data                                 | Without undue delay after becoming aware                                 |
| Supervisory authority          | botBrains, as controller, has a breach likely to result in a risk to individuals' rights and freedoms   | Without undue delay, within 72 hours of becoming aware (GDPR Article 33) |
| Affected individuals           | botBrains, as controller, has a breach likely to result in a **high** risk to their rights and freedoms | Without undue delay (GDPR Article 34)                                    |

"Becoming aware" means the point at which botBrains has a reasonable degree of certainty that a security incident has compromised personal data. If botBrains cannot notify the authority within 72 hours, it explains the reasons for the delay and may provide the required information in phases as it becomes available.

## What a notification contains

Each notification describes, to the extent known: the nature of the breach, including the categories and approximate number of individuals and records affected; the likely consequences; the measures botBrains has taken or proposes to take to address the breach and mitigate harm; and a contact point for further information. Where botBrains is the processor, it provides this information to the customer so the controller can notify in turn. Where encryption or other measures render the data unintelligible to unauthorized parties (see [Cryptography Policy](/trust/policies/cryptography-policy)), botBrains takes this into account when assessing the risk to individuals.

## Process

The CISO determines whether a confirmed incident is a personal data breach as part of the response lifecycle in the [Incident Management Policy](/trust/policies/incident-management-policy). On that determination the CISO assesses the risk to individuals, identifies which recipients listed earlier to notify and by when, drafts and sends the notifications, and records every notification (recipient, time sent, and content) in the incident log ([Employees Only: Breach register](https://app.notion.com/p/390481da93cf8187b9e9000c7489b8bb)), following the [Employees Only: Data Breach playbook](https://app.notion.com/p/390481da93cf819c9c3ff394c1712897). Where a subprocessor notifies botBrains of a breach, the CISO treats that notice as the point of awareness and runs the same process. botBrains honors contractual notification terms in customer agreements and Data Processing Agreements alongside the statutory deadlines listed earlier.

## Record keeping

botBrains documents every personal data breach regardless of whether the law requires notification, including the facts, its effects, and the remedial action taken, so it can show the record to a supervisory authority. botBrains retains records in line with the [Data Retention Policy](/trust/policies/data-retention-policy).

## ISO 27001 mapping

This policy supports Annex A 5.26 (response to information security incidents) and gives effect to GDPR Articles 33 and 34. It works together with the [Incident Management Policy](/trust/policies/incident-management-policy) (Annex A 5.24-5.28).

## Enforcement and exceptions

Failure to escalate a suspected breach in time is a serious policy violation and may lead to disciplinary action. The CISO must approve and record any exception with a reason and an expiry date.

## Review

The CISO owns this policy and reviews it at least annually and on any material change.
