Data Breach Policy

This Policy sets out the procedure to ensure an effective approach is in place for managing data breach and information security incidents on

General Provisions

This policy applies to customer data processed by the Service. The customer data includes both personal data (e.g. user email addresses) and business data (e.g. rules and repositories, API access tokens, etc.)

Types of Breach

For this Policy, data security breaches include both confirmed and suspected incidents. Types of incidents include but are not limited to:

  • Hacking incidents.
  • Loss or theft of computing devices, data storage devices, or paper records containing sensitive data.
  • Errors or bugs in the website or API.
  • Failure of cloud services or cloud storage.
  • Human error.

Reporting an Incident

Any individual who accesses, uses, or manages information is responsible for reporting data breach and information security incidents immediately to our Data Protection Officer, Julius Seporaitis, at info [at] this domain.


Upon being notified of a suspected or confirmed data breach, the Data Protection Officer (DPO) will determine if the breach is still occurring. If so, the DPO will take the appropriate steps to contain the breach:

  • Shut down the compromised system that led to the data breach.
  • Prevent further unauthorised access to the system.
  • Reset passwords of any compromised accounts.
  • Where applicable, change the access rights to the compromised system and remove external connections to it.

Investigation and Risk Assessment

The DPO will investigate the breach and determine whether there could be severe consequences to affected individuals or organisations:

  • What caused the data breach?
  • When and how did the breach occur?
  • Who might gain access to the compromised data?
  • Does the compromised data affect transactions with any third parties?


The DPO will notify any affected customers without undue delay. The notification will include a description of when and how the breach occurred and the data involved. It will give specific advice on what they can do to protect themselves, and describe what actions have been already to mitigate the risks.

If the breach involves personal data, the DPO will notify Supervisory Authority within 72 hours of becoming aware of the breach.

The DPO will consider notifying third parties such as the police if criminal activity is suspected.

Evaluation and Response

After resolving the data breach, the DPO will review the cause of the breach. The DPO will evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring. After completing the review, the DPO will prepare and publish a public report of the breach on

This document was last updated on January 23, 2023.

This Data Breach Policy was adapted from policy.