Data Breach Policy

Effective Date: 1 January 2025

Last Updated: 1 January 2025

FileMinder is committed to protecting the personal data of our users in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines our procedures for identifying, reporting, and managing personal data breaches.

What Is a Data Breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes:

• Unauthorised access to user accounts or databases
• Accidental loss or theft of devices containing personal data
• Ransomware or malware attacks affecting personal data
• Sending personal data to incorrect recipients
• Accidental deletion of personal data without backup

Our Response Process

1. Detection & Containment

Upon discovering or being notified of a potential data breach, we will:

• Immediately investigate to confirm whether a breach has occurred
• Take steps to contain the breach and prevent further data loss
• Preserve evidence for investigation purposes
• Assign an incident lead to manage the response

2. Assessment

We will assess the breach to determine:

• The nature and categories of personal data affected
• The approximate number of individuals affected
• The likely consequences of the breach for affected individuals
• Whether the breach poses a risk to the rights and freedoms of individuals

3. Notification to the ICO

If the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required under Article 33 of the UK GDPR.

The notification will include:

• A description of the nature of the breach
• The categories and approximate number of individuals affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach

4. Notification to Affected Users

If the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify them without undue delay, as required under Article 34 of the UK GDPR.

Notification will be made via:

• Email to the registered email address on the affected account
• In-app notification upon next login
• SMS to registered phone numbers where applicable

The notification will include:

• A clear description of what happened
• What personal data was involved
• What we are doing to address the breach
• Recommended steps users can take to protect themselves
• Contact details for further enquiries

Types of Data We Hold

FileMinder processes the following categories of personal data that could be subject to a breach:

• Account information (name, email address, phone number)
• Company data (company numbers, filing dates, registered addresses)
• Payment information (processed and stored by Stripe; we do not store card details)
• Usage data (login history, notification preferences)

Preventive Measures

We take the following measures to prevent data breaches:

• All data is encrypted in transit (TLS/SSL) and at rest
• Row Level Security (RLS) policies enforce data isolation between users
• Authentication is managed through Supabase Auth with secure session handling
• Payment processing is handled by Stripe (PCI DSS Level 1 compliant)
• Regular security reviews and dependency updates
• Principle of least privilege for all system access

Record Keeping

We maintain a record of all data breaches, including those that do not meet the threshold for ICO notification. Records include:

• The facts of the breach
• Its effects
• The remedial actions taken

These records are retained for a minimum of 5 years.

Your Rights

If you believe your personal data has been compromised, you have the right to:

• Be informed of the breach without undue delay (where high risk)
• Lodge a complaint with the ICO at ico.org.uk
• Seek compensation for any damage suffered as a result of the breach

Contact

To report a suspected data breach or for questions about this policy:

• Email: hello@fileminder.co.uk
• ICO: ico.org.uk | 0303 123 1113

Governing Law

This policy is governed by the laws of England and Wales and the UK GDPR.