Data Breach Notification Procedure

Last updated: March 4, 2026

1. Introduction

FrontlineHQ ("we," "our," or "us") takes data security seriously. Despite our best efforts, security incidents can occur. This document outlines our breach response procedure, ensuring we act swiftly and transparently in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable regulations.

2. Definition of a Data Breach

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This includes, but is not limited to:

  • Unauthorized access to databases containing personal data
  • Email account compromises that expose personal information
  • Lost or stolen devices containing unencrypted personal data
  • Malware or ransomware attacks affecting data integrity or availability
  • Accidental exposure or disclosure of personal data to unauthorized parties

3. Detection and Identification

We employ multiple layers of monitoring to detect potential breaches as early as possible:

  • Automated monitoring: Sentry error tracking and Vercel access logs for anomaly detection
  • Database audit logging: Supabase database audit logs to track data access patterns
  • Webhook integrity verification: Stripe and Retell webhook signature validation to prevent tampering
  • Security reviews: Regular security reviews and vulnerability assessments of our infrastructure
  • Reporting channels: Internal employee and contractor reporting channels for suspected incidents

4. Assessment (0–24 Hours)

Upon identification of a potential breach, we immediately take the following steps:

  • Isolate affected systems to prevent further exposure or data loss
  • Assess scope: Determine what data was affected, how many records were involved, and which users are impacted
  • Classify severity as Critical, High, Medium, or Low based on the nature and extent of the breach
  • Preserve evidence and document the timeline: capture relevant logs, system snapshots, and a record of actions taken before affected systems are rebuilt or logs roll over, for regulatory reporting and internal review
  • Engage incident response team including engineering, legal, and executive leadership
  • Risk determination: Evaluate whether the breach is likely to result in risk to the rights and freedoms of affected individuals

5. Notification Timelines

We adhere to the following notification timelines based on applicable regulations:

  • GDPR (EEA/UK): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where full details are not yet available, the initial notification is made within the 72 hours and supplemented in phases as the investigation proceeds. Notify affected individuals "without undue delay" if the breach poses a high risk to their rights and freedoms.
  • CCPA (California): Notify affected California residents in the most expedient time possible and without unreasonable delay, as required by California's breach notification statute (Cal. Civ. Code § 1798.82), to which the CCPA refers.
  • Other US States: Comply with state-specific breach notification laws, many of which require notification without unreasonable delay and set outer limits of 30–60 days from discovery.
  • Business Users: Notify affected Business Users within 48 hours of confirming the breach, with details of the breach scope, data affected, and remediation steps being taken.

6. What We Include in Breach Notifications

Our breach notifications include the following information:

  • A description of the nature of the breach
  • The categories and approximate number of individuals affected
  • The categories and approximate number of personal data records affected
  • The name and contact details of our data protection point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects
  • Recommendations for affected individuals to protect themselves

7. Remediation

Following a confirmed breach, we undertake the following remediation steps:

  • Patch the vulnerability: Identify and fix the underlying security flaw that allowed the breach to occur
  • Credential rotation: Force password resets and invalidate active sessions if authentication data was compromised, and rotate any API keys, webhook signing secrets, and service credentials that the attacker could have accessed
  • Enhanced monitoring: Implement heightened monitoring of affected systems for a minimum of 90 days post-incident
  • Post-incident review: Conduct a thorough review within 14 days of the breach to identify root causes and contributing factors
  • Procedure updates: Update security procedures and safeguards based on lessons learned from the incident
  • User guidance: Provide affected users with recommended protective measures, such as changing passwords or monitoring accounts

8. Reporting a Security Concern

If you believe you have discovered a security vulnerability or suspect a data breach involving FrontlineHQ, please contact us immediately. Early reporting helps us respond quickly and protect affected users.

FrontlineHQ Security Team

Security: security@frontlinehq.ai

General: info@frontlinehq.ai

Phone: (470) 523-1771

9. Updates

We may update this Data Breach Notification Procedure from time to time to reflect changes in our security practices, technology, or applicable regulations. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.