Breach Notification Policy
Last Updated: February 23, 2026
This Breach Notification Policy establishes PlanXpress's procedures for notifying affected parties in the event of a Personal Data breach, in compliance with GDPR, CCPA, and other applicable data protection regulations.
1. Purpose and Scope
This policy defines:
- What constitutes a notifiable Personal Data breach
- Who must be notified and when
- What information must be disclosed
- How notifications will be communicated
- Remediation and support measures for affected parties
2. Definition of Personal Data Breach
A Personal Data breach means a breach of security leading to the accidental or unlawful:
- Destruction of Personal Data
- Loss of Personal Data
- Alteration of Personal Data
- Unauthorized disclosure of Personal Data
- Unauthorized access to Personal Data
2.1 Types of Breaches
- Confidentiality Breach: Unauthorized or accidental disclosure or access to Personal Data
- Availability Breach: Accidental or unauthorized loss of access to or destruction of Personal Data
- Integrity Breach: Unauthorized or accidental alteration of Personal Data
3. Breach Assessment and Determination
3.1 Initial Assessment (Within 1 Hour)
Upon discovering a potential breach, the Incident Response Team will:
- Confirm the incident is a Personal Data breach
- Determine the nature and scope of affected data
- Assess the severity and potential impact
- Identify affected customers and data subjects
- Evaluate notification requirements under applicable laws
3.2 Notifiable Breach Criteria
A breach is notifiable when it is likely to result in a risk to the rights and freedoms of individuals, including:
- Identity theft or fraud risk
- Financial loss
- Damage to reputation
- Loss of confidentiality of Personal Data protected by professional secrecy
- Discrimination
- Any other significant economic or social disadvantage
GDPR Requirement: Any breach affecting EU/EEA residents' Personal Data that poses a risk to individuals' rights and freedoms must be reported to the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk.
4. Notification Timeline
| Notification Type | Timeline | Trigger |
| --- | --- | --- |
| Internal Team | Immediate (within 15 minutes) | Suspected breach detected |
| Executive Leadership | Within 1 hour | Breach confirmed |
| Legal Counsel | Within 2 hours | Potential notifiable breach |
| Supervisory Authority (GDPR) | Within 72 hours | Breach poses risk to rights and freedoms |
| Affected Customers | Within 72 hours | Customer data exposure confirmed |
| Data Subjects (Direct) | Without undue delay | High risk to individuals' rights and freedoms |
| Other Regulators | Per jurisdiction requirements | As required by applicable law |
5. Notification Recipients
5.1 Supervisory Authority Notification (GDPR)
When Required: For breaches likely to result in a risk to the rights and freedoms of individuals
Timeline: Within 72 hours of becoming aware of the breach
Method: Via the supervisory authority's online reporting system or prescribed method
Required Information:
- Nature of the Personal Data breach, including categories and approximate number of affected data subjects and data records
- Name and contact details of the Data Protection Officer or other contact point
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its adverse effects
Delayed Information: If all information cannot be provided within 72 hours, the initial notification should include available information with subsequent updates provided without undue delay.
5.2 Customer Notification
When Required: When customer data is confirmed to be accessed, disclosed, or exposed
Timeline: Within 72 hours of confirming customer data exposure
Recipients: Primary account administrators of affected customer accounts
Method: Email notification to registered account email addresses
5.3 Data Subject Notification (Direct)
When Required: When the breach is likely to result in a high risk to the rights and freedoms of individuals
Timeline: Without undue delay (typically within 72 hours)
Method: Direct communication via email or other direct means when feasible
Exemptions from Direct Notification:
- Appropriate technical and organizational protection measures were applied (e.g., encryption rendering data unintelligible)
- Subsequent measures ensure high risk to rights and freedoms is no longer likely
- Direct notification would involve disproportionate effort (public communication may substitute)
5.4 Other Regulatory Notifications
Depending on jurisdiction and nature of breach, additional notifications may be required to:
- State Attorneys General (US): Per state breach notification laws
- Consumer Protection Authorities: As required by local regulations
- Credit Reporting Agencies: If the breach affects financial information
- Law Enforcement: If criminal activity is suspected or confirmed
6. Notification Content
6.1 Customer Notification Template
All customer breach notifications will include:
Subject Line: Important Security Notification - PlanXpress Data Incident
Notification Body:
- Introduction: Clear statement that a data breach occurred
- Date of Breach: When the breach occurred or was discovered
- Nature of Breach: What happened (unauthorized access, data exposure, system compromise, etc.)
- Data Affected: Categories of Personal Data involved (names, email addresses, business data, etc.)
- Number of Records: Approximate number of affected data subjects or records (if known)
- Risk Assessment: Likely consequences and potential impact on affected individuals
- Measures Taken: Actions PlanXpress has taken to contain and remediate the breach
- Remediation Steps: What PlanXpress is doing to prevent future incidents
- Recommended Actions: Steps customers should take to protect themselves
- Support Offered: Any assistance, monitoring services, or support provided by PlanXpress
- Contact Information: How to contact PlanXpress for questions (security@planxpress.com)
- Timeline: Key dates and incident response timeline
6.2 Data Subject Notification Template
Direct notifications to data subjects will use clear, plain language and include:
- Description of the breach in accessible terms
- Categories of Personal Data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for obtaining more information
- Recommended protective measures individuals should take
7. Communication Methods
7.1 Primary Communication Channel
Email Notification: Primary method for customer and data subject notification
- Sent from security@planxpress.com
- Individual emails (not mass BCC) to maintain confidentiality
- Plain text and HTML versions provided
- Read receipts requested when possible
7.2 Alternative Communication Methods
When email notification is not feasible or insufficient:
- In-App Notification: Alert displayed upon login to affected accounts
- Website Banner: Public notice posted on https://planxpress.polsia.app
- Public Communication: Press release or public statement if contacting individuals directly would involve disproportionate effort
- Postal Mail: Physical letters for high-risk breaches or when email addresses are unavailable
8. Information Disclosure
8.1 Transparency Principles
PlanXpress is committed to transparent breach disclosure:
- Honesty: Accurate and complete information about the breach
- Clarity: Plain language explanations accessible to all affected parties
- Timeliness: Prompt notification as soon as confirmed information is available
- Accountability: Clear acknowledgment of the breach and responsibility
8.2 Information to Withhold
Certain details may be withheld from public disclosure to protect security:
- Specific technical vulnerabilities exploited (until patched)
- Detailed forensic investigation methods
- Security architecture details that could enable further attacks
- Information that would impede law enforcement investigation
9. Remediation and Support
9.1 Immediate Remediation
PlanXpress will take the following steps to address the breach:
- Contain the breach and eliminate the vulnerability
- Conduct forensic investigation to determine full scope
- Implement enhanced security controls to prevent recurrence
- Reset credentials and revoke potentially compromised access
- Monitor affected systems for anomalous activity
9.2 Customer Support
PlanXpress will provide affected customers with:
- Dedicated Support Channel: Priority support via security@planxpress.com
- Response Time: Initial response within 4 hours for breach-related inquiries
- Regular Updates: Status updates at key milestones in the remediation process
- Technical Assistance: Guidance on security best practices and protective measures
- Documentation: Incident report and timeline available upon request
9.3 Data Subject Assistance
For high-risk breaches, PlanXpress may offer:
- Credit monitoring services (for financial data exposure)
- Identity theft protection (for identity-related breaches)
- Dedicated helpline for affected individuals
- Resources and guidance on protective actions
10. Documentation and Record Keeping
PlanXpress maintains comprehensive records of all breaches, including:
- Breach Register: Log of all breaches (notifiable and non-notifiable)
- Incident Documentation: Complete timeline, investigation findings, and remediation actions
- Notification Records: Copies of all notifications sent and delivery confirmations
- Communication Log: Record of all inquiries and responses related to the breach
- Regulatory Correspondence: All communications with supervisory authorities
- Post-Incident Report: Lessons learned and preventive measures implemented
11. Exceptions to Notification
Notification may not be required when:
- Personal Data was encrypted and encryption keys were not compromised
- Data was anonymized or pseudonymized without access to re-identification keys
- Subsequent actions eliminate the risk to individuals (e.g., immediate password resets)
- Breach does not pose a risk to individuals' rights and freedoms (documented assessment required)
Note: Even when customer/data subject notification is not required, internal documentation and supervisory authority notification (for GDPR) may still be mandatory.
12. Regulatory Compliance
12.1 GDPR (European Union)
- Supervisory authority notification within 72 hours (Article 33)
- Data subject notification without undue delay when high risk (Article 34)
- Documentation of all breaches in breach register
12.2 CCPA (California)
- Notification to California residents if unencrypted personal information is compromised
- Notification to California Attorney General if breach affects 500+ residents
12.3 State Breach Notification Laws (US)
- Notification requirements vary by state
- Generally require notification without unreasonable delay
- Some states require notification to state regulators or credit bureaus
13. Roles and Responsibilities
- Incident Response Coordinator: Oversees breach response and notification process
- Communications Lead: Drafts and sends all breach notifications
- Legal Counsel: Ensures compliance with notification requirements and coordinates regulatory notifications
- Technical Lead: Provides technical details for breach assessment and notification content
- Executive Sponsor: Approves all external communications and notification decisions
14. Policy Review and Updates
This Breach Notification Policy is reviewed annually and updated as needed to reflect:
- Changes in applicable data protection laws
- Lessons learned from breach incidents
- Best practices in breach response and notification
- Feedback from customers and regulatory authorities
15. Contact Information
Report a Security Incident: security@planxpress.com
Data Protection Inquiries: privacy@planxpress.com
General Support: support@planxpress.com
Emergency Response: Available 24/7 via security@planxpress.com
Questions about breach notification?
Contact us at security@planxpress.com