Breach Notification Policy

Our procedures for detecting, responding to, and notifying stakeholders of security incidents.

Detection

24/7 monitoring and rapid incident detection

Response

Immediate containment and mitigation procedures

Notification

Timely communication to affected parties

Policy Overview

This Breach Notification Policy outlines Tendral Health's procedures for identifying, responding to, and communicating security incidents that may affect the confidentiality, integrity, or availability of personal data or our platform services.

Emergency Contact

For immediate security concerns: security@tendralhealth.com

Incident Classification

We classify security incidents based on their severity and potential impact:

Level 1 - Critical

  • Unauthorized access to personal data
  • Data theft or exfiltration
  • Complete system compromise
  • Ransomware or malware infection
  • Exposure of authentication credentials

Level 2 - High

  • Attempted unauthorized access
  • System vulnerabilities with high risk
  • Data integrity issues
  • Service disruption affecting multiple users
  • Suspicious network activity

Level 3 - Medium

  • Minor security policy violations
  • Low-risk vulnerabilities
  • Failed login attempts
  • Minor system misconfigurations
  • Phishing attempts targeting our domain

Detection and Response Timeline

Immediate Response (0-1 Hour)

  • Detection: Automated monitoring systems alert security team
  • Assessment: Initial incident evaluation and classification
  • Containment: Immediate steps to prevent further damage
  • Escalation: Notify incident response team and management

Short-term Response (1-24 Hours)

  • Investigation: Detailed analysis of the incident scope
  • Mitigation: Implement measures to address the incident
  • Evidence Collection: Preserve logs and forensic evidence
  • Communication Planning: Prepare notification strategies

Medium-term Response (1-3 Days)

  • Full Assessment: Complete impact analysis
  • Remediation: Fix vulnerabilities and restore services
  • Stakeholder Notification: Notify affected parties
  • Regulatory Reporting: Submit required notifications to authorities

Notification Requirements

Internal Notifications

Security Team: Immediate notification upon detection

Executive Team: Within 2 hours for Level 1 incidents

Legal Team: Within 4 hours for incidents involving personal data

All Staff: As needed based on incident scope

External Notifications

Regulatory Authorities:

  • State and federal data protection authorities: Within 72 hours
  • Law enforcement: Immediately for criminal activity
  • Industry regulators: As required by specific regulations

Affected Individuals:

  • High-risk breaches: Within 72 hours
  • Medium-risk breaches: Within 30 days
  • Method: Email, platform notification, or postal mail

Business Partners:

  • Subprocessors and vendors: Within 24 hours if their data is affected
  • Enterprise clients: Within 24 hours for any data breach
  • Insurance providers: Within 48 hours

Notification Content

Our breach notifications will include:

  • Incident Description: What happened and when it was discovered
  • Data Involved: Types of personal data affected
  • Scope: Number of affected individuals and records
  • Response Actions: Steps taken to address the incident
  • Risk Assessment: Potential harm to affected individuals
  • Protective Measures: Recommendations for affected parties
  • Contact Information: How to get more information or assistance

Communication Channels

Primary Channels

  • Email: Direct notification to affected users
  • Platform Alerts: In-app notifications for active users
  • Website Banner: Prominent notice on our website
  • Security Page: Detailed information on our security page

Secondary Channels

  • Postal Mail: For users without email access
  • Phone Calls: For high-severity incidents
  • Media Relations: For incidents with public interest
  • Social Media: For widespread awareness campaigns

Special Considerations

Healthcare Data

While we do not process PHI, any incident involving healthcare professional credentials or healthcare-related survey data will trigger enhanced notification procedures and additional regulatory reporting requirements.

International Users

For users in the EU, we comply with GDPR notification requirements. For users in other jurisdictions, we follow applicable local data protection laws.

Third-Party Incidents

If a security incident occurs at one of our subprocessors that affects our users' data, we will coordinate with the subprocessor to ensure proper notification and response.

Post-Incident Activities

Investigation Report

  • Detailed incident analysis within 30 days
  • Root cause analysis and lessons learned
  • Recommendations for prevention
  • Timeline of events and response actions

Remediation and Prevention

  • Implement security improvements
  • Update policies and procedures
  • Enhance monitoring and detection capabilities
  • Conduct additional security training

Follow-up Communication

  • Updates to affected parties as investigation progresses
  • Final incident report to regulatory authorities
  • Public summary of incident and improvements made
  • Annual security report including incident statistics

Roles and Responsibilities

Security Team

  • Incident detection and initial response
  • Technical investigation and forensics
  • Security remediation and improvements

Legal Team

  • Regulatory compliance and notifications
  • Communication review and approval
  • Coordination with law enforcement

Communications Team

  • User communication and notifications
  • Media relations and public statements
  • Internal communication coordination

Contact Information

For questions about this policy or to report a security incident:

  • Email: security@tendralhealth.com
  • Postal Address: Tendral Health LLC, Security Team, 14080 Lone Bear Rd, Bozeman, MT 59715

Policy Updates

This policy is reviewed annually and updated as needed to reflect changes in technology, regulations, and best practices. The last update was made on 11/26/2025.