Data breach notification policy
This policy defines what qualifies as a breach of user data, what actions will be taken in the event of user data exposure or compromise, and the timeline for action.
This policy applies to user data stored on Ethicontrol.com. It does not apply to self-hosted / on-premises EthiBox instances or instances hosted with other providers than Ethicontrol.com.
Data Classification — What information is covered by this policy
This policy covers "private user data" stored by Ethicontrol.com, and includes:
- Client's database
- Client's files
- Encrypted Passwords
- Private Email Addresses
Note: Ethicontrol.com does not store any "personally identifiable information" (PII) such as (i) Private Addresses, (ii) Credit Card Numbers, (iii) Bank Account Information, (iv) ID numbers (e.g. passport, driver's license, social security, national identification, etc.). Ethicontrol.com also does not store any "personal health information" (PHI). Therefore, laws and regulations relating to PII and PHI do not apply.
What qualifies as a breach
A breach of user data is the unintended or accidental exposure of private user data. This can be caused by accidents, misconfigurations, or malicious actions performed by an external attacker or team member.
An event is considered a data breach when there is evidence that private user data has been exposed to the public or to an untrusted third party.
Trusted third parties may have authorized access to user data under a signed Non-Disclosure Agreement (NDA). Such trusted third parties include but are not limited to:
- Cloud service providers
- Database consultants
- Security auditors
- Financial auditors
Some examples of a user data breach would include:
- Compromise of a database server that contains private user data with evidence that an attacker may have had access to or copied the data off-site.
- Compromise of an application server account that has access to private user data and evidence that the attacker has downloaded or accessed private data.
- Theft of a device known to contain private user data.
- Web application attack used to download a list of all user emails and encrypted passwords.
What is not considered a breach
Examples of security incidents that would not be considered a breach of private user data:
- Compromise of an application server that does not contain or have access to private user data.
- Compromise of a team member application account that does not have access to private user data.
- Malware infection on a server or team member computer system that does not contain private user data.
- Compromise of non-sensitive user data such as login IP addresses, login history, project permissions.
- Unintentional disclosure of project names, group names, issue titles, or project or user metadata unless this data can cause damage to the user or their business.
- Discovery of a vulnerability that could have been used to compromise private data, but for which there is no evidence of exploitation.
- Theft of a team member's mobile device that does not contain private user data.
- Theft of a team member's private keys, tokens, or other credentials provided there is no evidence they were used to access private user data.
Who will be notified in the event of a data breach
If Ethicontrol has detected evidence of a breach of Ethicontrol.com private user data, all affected users will be notified via the configured email address for their accounts. Emails will contain information on what data was exposed or compromised, when, and for how long (to the extent this information is available).
For a breach that exposes private data for a large number of users, the public will also be informed via the configured email addresses for their accounts, and additional means of communication will be considered (e.g. press release, the blog, etc.) on a case by case basis.
Ethicontrol will endeavor to notify users within 24 hours of breach discovery. This may be delayed when necessary to comply with requests by law enforcement.