Security & Breach Notification Policy
Effective Date: January 1, 2026 | Last Revised: May 12, 2026 | Version 1.1
In Plain English (Non-Binding Summary)
1. Policy Overview. This Security & Breach Notification Policy outlines UPMOS's commitment to protecting personal data through comprehensive security measures and transparent breach notification procedures. We comply with GDPR (Articles 32-34), CCPA, LGPD, and other data protection regulations.
This plain-language box is provided for accessibility and readability only. It is not a substitute for the full Policy below, which controls in case of any conflict.
Table of Contents
- 1. Policy Overview
- 2. Security Measures
- 3. Security Incident Definition
- 4. Incident Response Procedures
- 5. Breach Notification Requirements
- 6. Exceptions to Notification
- 7. Remediation Measures Offered
- 8. Transparency & Reporting
- 9. Third-Party & Vendor Security
- 10. Employee & Contractor Training
- 11. How to Report Security Incidents
- 12. Legal Framework & References
- How Can You Contact Us About This Policy?
- Version History
1. Policy Overview
This Security & Breach Notification Policy outlines UPMOS’s commitment to protecting personal data through comprehensive security measures and transparent breach notification procedures. We comply with GDPR (Articles 32-34), CCPA, LGPD, and other data protection regulations.
Scope
This policy applies to:
- All personal data processed by UPMOS
- All systems storing or transmitting sensitive information
- Third-party processors and vendors
- UPMOS employees and contractors
2. Security Measures
Technical Controls
| Security Measure | Details | Standard |
|---|---|---|
| Encryption in Transit | TLS 1.2+ for all data transmission | NIST |
| Encryption at Rest | AES-256 for database encryption | FIPS 140-2 |
| Access Controls | Role-based access control (RBAC) with principle of least privilege | ISO 27001 |
| Authentication | Multi-factor authentication (MFA) for admin access | NIST SP 800-63B |
| Firewalls & Intrusion Detection | WAF, IDS/IPS systems, DDoS protection | CIS Controls |
| Vulnerability Scanning | Quarterly automated scans + annual penetration testing | OWASP |
Organizational Controls
- Data Protection Impact Assessments (DPIA) for high-risk processing
- Annual security awareness training for all staff
- Background checks for employees with data access
- Strict data deletion procedures upon user request
- Vendor security assessments and agreements (DPA)
- Incident response plan with 24/7 monitoring
- Regular security audits and compliance assessments
Physical Security
- Data centers with restricted access controls
- CCTV monitoring and access logs
- Secure disposal of physical media containing data
- Encryption of all portable devices
3. Security Incident Definition
A security incident is defined as any confirmed or suspected event involving:
- Unauthorized access to personal data
- Accidental or intentional data disclosure
- Loss or destruction of personal data
- Denial of service affecting data availability
- Ransomware or malware infection of systems processing personal data
- Compromise of system integrity or authentication mechanisms
⚠️ Severity Classification
Critical: Affects large numbers of individuals or sensitive data categories (passwords, payment info, SSNs)
High: Limited scope but sensitive data or identifiable information
Medium: Non-sensitive data or minor scope
Low: Theoretical risk with no confirmed data exposure
4. Incident Response Procedures
Immediate (0-2 hours):
Detect incident → Isolate affected systems → Assemble incident response team → Preserve evidence → Determine breach type and scope
Investigation:
Complete forensic investigation → Identify root cause → Determine number of affected individuals → Assess personal data types exposed → Contact DPO and legal team
Notification and containment:
Notify supervisory authorities as required → Prepare user notification → Implement immediate remediation → Document incident details → Communicate with affected parties
Recovery and review:
Complete remediation measures → Deploy security patches → Conduct root cause analysis → Implement preventive measures → Post-incident review → Update security policies
5. Breach Notification Requirements
Notification Timeline by Jurisdiction
| Jurisdiction | Individual Notification | Authority Notification | Legal Basis |
|---|---|---|---|
| GDPR (EU/EEA) | Without undue delay when the breach is likely to result in a high risk to individuals | Supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals | Art. 33-34 |
| California | In the most expedient time possible and without unreasonable delay | California Attorney General if more than 500 California residents are notified | Cal. Civ. Code §1798.82; CCPA §1798.150 (private right of action for breaches) |
| LGPD (Brazil) | Within a reasonable time period, as defined by the ANPD | National Data Protection Authority (ANPD) | Art. 48 |
| UK GDPR / Data Protection Act 2018 (UK) | Without undue delay when the breach is likely to result in a high risk to individuals | ICO within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals | UK GDPR Art. 33-34 |
| PIPEDA (Canada) | As soon as feasible when the breach creates a real risk of significant harm | Privacy Commissioner of Canada as soon as feasible when the breach creates a real risk of significant harm | s. 10.1 |
| Other US State Laws | Without unreasonable delay; several states set fixed deadlines of 30-60 days | State Attorney General or other regulator above a resident-count threshold that varies by state | Varies by state |
Notification Content
Breach notifications will include:
- Description of the breach and data compromised
- Likely consequences for affected individuals
- Measures taken or being taken to address the breach
- Contact point for further information
- Recommended steps individuals can take to protect themselves
6. Exceptions to Notification
Under certain circumstances, notification may be delayed or not required:
Data Not Accessible
If personal data was encrypted (and the encryption key was not itself compromised) or anonymized before unauthorized access, notification to affected individuals is typically not required. However, we assess each case individually to determine the actual risk of harm, and the incident is still recorded in our breach register.
Law Enforcement Request
If law enforcement requests delayed notification to protect an investigation, we will comply with official requests while maintaining records of the delay.
Low Risk Assessment
For low-risk incidents affecting few individuals and involving non-sensitive data, notification may not be required in some jurisdictions. We conduct a documented risk assessment before making this determination.
7. Remediation Measures Offered
Following a confirmed breach, UPMOS provides affected individuals with:
- Free credit monitoring or identity theft protection (if payment data exposed)
- Password reset assistance
- Account security audit and hardening recommendations
- Guidance on enabling multi-factor authentication
- Information about regulatory resources and complaint procedures
- Direct support line for breach-related questions
8. Transparency & Reporting
Breach Register
UPMOS maintains an internal register of all security incidents, breaches, and remediation efforts. This register is available to supervisory authorities upon request and helps us identify patterns and improve defenses.
Annual Security Report
We publish an annual report detailing:
- Number of reported incidents
- Types of incidents
- Individuals affected
- Remediation actions taken
- Security improvements implemented
Data Breach Notification Summary
2024 YTD: 0 confirmed breaches
2023: 0 confirmed breaches
2022: 0 confirmed breaches
9. Third-Party & Vendor Security
UPMOS requires all data processors and vendors to:
- Sign Data Processing Agreements (DPA) with mandatory security clauses
- Maintain ISO 27001 certification or equivalent
- Conduct annual security audits (SOC 2 Type II preferred)
- Notify UPMOS of security incidents within 24 hours
- Implement encryption of personal data in transit and at rest
- Maintain incident response procedures aligned with UPMOS standards
- Provide breach notification templates and timely communications
10. Employee & Contractor Training
All UPMOS personnel with data access must:
- Complete annual security awareness training
- Sign confidentiality and data protection agreements
- Use company-approved devices with encryption
- Enable multi-factor authentication on all accounts
- Report suspected security incidents immediately
- Follow secure password practices
- Use VPN for remote work connections
11. How to Report Security Incidents
🚨 Urgent Security Incident?
Email: security@upmos.com (monitored 24/7)
Phone: +1 (555) SECURITY (24-hour hotline)
Report Form: upmos.com/report-security-incident
Information to Include
- Your account email and username (if user reporting)
- Description of suspicious activity observed
- Date/time of incident
- Steps you’ve taken to secure your account
- Screenshots or logs (if available)
- Preferred contact method
