1. General Provisions
1.1. This Security and Incident Response Policy (hereinafter – the “Policy”) defines the approaches of the Limited Liability Company Whimscope (hereinafter – the “Company”, “We”, “Us” or “Our”) to ensuring information security, protecting Users’ personal data, as well as the procedures for detecting, handling, and responding to security incidents, including personal data breaches, in the course of the operation of the Whimscope application (hereinafter – the “Application”).
1.2. The purpose of this Policy is to:
- ensure an appropriate level of information and personal data protection;
- minimize the risks of unauthorized access, loss, alteration, or disclosure of data;
- establish a transparent and consistent procedure for responding to security incidents;
- ensure compliance with applicable data protection legislation.
1.3. This Policy applies to all information processing activities carried out by the Company in connection with the operation of the Application, including the processing of Users’ personal data, interaction with service providers, as well as the use of technical infrastructure necessary for the operation of the Application.
1.4. This Policy applies to all Users of the Application, as well as to other individuals whose data may be processed in connection with the use of the Application, to the extent provided by applicable law.
1.5. This Policy shall be interpreted in conjunction with other Company documents, including:
1.6. In the event of any conflict between this Policy and other Company documents, the document specifically governing the relevant legal relationship shall prevail, unless expressly stated otherwise.
1.7. This Policy does not establish contractual guarantees or obligations regarding the continuous or error-free operation of the Application and does not modify the scope of limitation of liability set forth in the Terms of Use.
2. Definitions
For the purposes of this Policy, unless the context requires otherwise, the terms below shall have the following meanings:
- - Personal Data — any information relating to an identified or identifiable natural person, as defined in the Privacy Policy;
- - User (You) — any individual who gains access to the Application by creating an account and uses its functionality;
- - Company — Whimscope, LLC, acting as the data controller and determining the purposes and means of processing personal data;
- - Application — the Whimscope software providing Users with access to its relevant functionality;
- - Service Provider — any natural or legal person that processes data on behalf of the Company or supports the operation of the Application (including cloud services, analytics tools, technical infrastructure, etc.);
- - Security Incident — any event or series of events that may lead to or has led to a breach of confidentiality, integrity, or availability of information processed by the Company;
- - Personal Data Breach — a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data;
- - Data Processing — any operation or set of operations performed on personal data, including collection, storage, use, transfer, deletion, or other actions, as defined in the Privacy Policy;
- - System / Infrastructure — technical and software resources, servers, databases, networks, as well as integrated third-party services used to ensure the operation of the Application;
- - Vulnerability — a weakness or flaw in the System or Infrastructure that may be exploited to compromise security;
- - Anonymized Data — information that does not allow the direct or indirect identification of a User.
3. Security Principles
3.1. The Company implements a set of technical and organizational measures aimed at ensuring an appropriate level of protection of information and personal data processed in connection with the operation of the Application.
3.2. Data processing is carried out in accordance with the principle of data minimization, meaning that only data necessary for providing the Application’s functionality and fulfilling the Company’s obligations is collected and used.
3.3. Access to information is granted exclusively to authorized persons to the extent necessary for the performance of their duties, using appropriate access control mechanisms.
3.4. The Company takes measures to protect data against unauthorized access, loss, alteration, or disclosure, including through the use of modern technical solutions and security practices.
3.5. Information security is considered at all stages of the development, implementation, and operation of the Application (the “security by design” and “security by default” principles).
3.6. The Company regularly reviews and updates its security measures in light of technological developments, changing risks, and the nature of data processing.
3.7. In its interactions with Service Providers, the Company seeks to ensure an appropriate level of data protection by selecting reliable partners and establishing contractual obligations regarding information security.
3.8. The security measures applied by the Company are proportionate to the nature of the data being processed, the scope of processing, and the potential risks to the rights and freedoms of Users.
3.9. Despite the implemented security measures, the Company cannot guarantee absolute protection of information against all possible threats.
4. Categories of Security Incidents
4.1. In order to ensure proper response and risk management, the Company classifies security incidents depending on their nature, source, and potential impact on information, personal data, and the operation of the Application.
4.2. Security incidents include, in particular:
4.2.1. Unauthorized Access
Access to Accounts, Systems, or data without proper authorization, including as a result of compromised credentials or technical vulnerabilities.
4.2.2. Breach of Data Confidentiality
Disclosure or transfer of information, including personal data, to third parties without a lawful basis or in violation of established access rules.
4.2.3. Data Loss or Destruction
Partial or complete loss of information, including personal data or Content, due to technical failures, human error, or other circumstances.
4.2.4. Data Integrity Breach
Unauthorized modification, alteration, or damage of information that may affect its accuracy or reliability.
4.2.5. Availability Disruption
Situations in which the Application or its individual functions become unavailable due to technical attacks, overload, failures, or other events.
4.2.6. Exploitation of Vulnerabilities
Exploitation of weaknesses or flaws in the System or Infrastructure that may lead to a security breach.
4.2.7. Incidents Involving Service Providers
Security breaches or other incidents occurring on the side of third parties that process data or support the operation of the Application.
4.3. Depending on the circumstances, a single incident may fall under multiple categories simultaneously.
4.4. The Company assesses each incident individually, taking into account the nature of the event, the type of data that may have been affected, and the potential impact on Users.
5. Detection of Security Incidents
5.1. The Company implements a set of measures aimed at the timely detection of security incidents in order to minimize their potential consequences and ensure an appropriate response.
5.2. Security incidents may be detected through the following sources:
5.2.1. Automated Monitoring
The Company uses technical monitoring tools for the System and Infrastructure to detect suspicious activity, technical failures, unauthorized access attempts, or other anomalies.
5.2.2. Anomaly Analysis
Detection of deviations from the standard behavior of the Application or Users that may indicate potential security incidents.
5.2.3. User Reports
Users may report possible security breaches, suspicious activity, or other issues through available communication channels with the Company.
5.2.4. Information from Service Providers
The Company may receive notifications about security incidents or potential risks from Service Providers that support the operation of the Application.
5.2.5. Internal Checks and Audits
Regular review of System performance, event logs, technical indicators, and other data to identify potential incidents.
5.3. The Company strives to ensure timely identification of security incidents and their initial assessment in order to determine further actions.
5.4. Upon detection of a potential security incident, the Company initiates the response procedures provided for in this Policy.
6. Security Incident Response
6.1. In the event of detection of or receipt of information about a potential security incident, the Company shall promptly take measures to assess, contain, and minimize its possible consequences.
6.2. Security incident response is carried out in stages, taking into account the nature of the incident, the volume of data that may be affected, and the level of potential risk to Users.
6.3. Initial Assessment of the IncidentThe Company performs an initial analysis of the incident in order to:
- determine the nature of the event;
- identify the potential source of the incident;
- preliminarily assess the scale and possible consequences.
6.4. Incident Containment
In order to limit the spread of the incident, the Company may:
- temporarily restrict access to certain Application features;
- isolate affected parts of the System or Infrastructure;
- implement other technical or organizational measures.
6.5. Access Restriction and Prevention of Further ViolationsThe Company may:
- temporarily suspend or restrict access to user accounts;
- modify or revoke access rights;
- apply additional security measures to prevent further violations.
6.6. Incident Recording and Documentation
The Company maintains internal records of the incident, including:
- circumstances of detection;
- nature of the incident;
- response measures taken;
- results of the initial assessment.
6.7. Interaction with Service Providers
If the incident is related to the activities of Service Providers, the Company cooperates with such parties in order to:
- obtain necessary information;
- coordinate actions to resolve the incident;
- minimize its consequences.
6.8. The Company takes reasonable and proportionate measures to mitigate the consequences of the incident and restore normal operation of the Application as soon as possible.
6.9. Further actions regarding the assessment of the incident’s impact and, where necessary, notification of Users or competent authorities shall be carried out in accordance with the provisions of this Policy.
6.10. Specific response measures are determined by the Company at its sole discretion, taking into account the nature of the incident, technical capabilities, and applicable legal requirements.
7. Incident Impact Assessment
7.1. Following the containment of a security incident, the Company shall assess its potential and actual impact on Users, personal data, and the operation of the Application.
7.2. The impact assessment is conducted in order to determine:
- the necessity of notifying Users;
- the necessity of notifying competent authorities;
- further measures to eliminate the consequences of the incident.
7.3. During the assessment of an incident, the Company takes into account, in particular:
7.3.1. Type of Data Affected
It is determined whether the incident involved personal data, User Content, or technical information.
7.3.2. Scope of the Incident
The number of Users or the volume of data that may have been affected.
7.3.3. Nature of the Breach
Whether there was unauthorized access, disclosure, alteration, loss, or other security breach.
7.3.4. Likelihood and Level of Risk
An assessment of whether the incident may create risks to the rights and freedoms of Users, including the possibility of fraud, misuse, or other adverse consequences.
7.3.5. Duration of the Incident
The period during which the incident occurred or may have affected data or the operation of the Application.
7.4. Based on the results of the impact assessment, the Company determines further actions, including the necessity of notifications in accordance with Section 8 of this Policy.
7.5. The impact assessment is carried out in accordance with the principle of proportionality and based on the information available at the time of the assessment.
8. Notification of Breaches
8.1. If a security incident results in a Personal Data Breach (Data Breach), the Company shall assess the necessity of notifying Users and/or competent authorities in accordance with applicable law.
8.2. Notification of Competent Authorities
Where required by applicable law, in particular where the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the Company shall notify the relevant authorities within the prescribed time limits, including those provided for under applicable regulations (e.g., within 72 hours under GDPR requirements, where applicable).
8.3. Notification of Users
The Company shall notify Users of a personal data breach where such an incident is likely to result in a high risk to their rights and freedoms.
8.4. User notifications may be carried out through:
- email;
- in-app notifications;
- other available communication channels.
8.5. Content of the Notification
Where notification is required, the Company shall provide Users, to the extent of available information, with:
- a description of the nature of the incident;
- categories of data that may have been affected;
- potential consequences of the incident;
- measures taken by the Company to address or mitigate the impact;
- recommendations for actions Users may take to protect their data (if applicable);
- contact information for further inquiries.
8.6. The Company may refrain from notifying Users in cases where:
- the incident does not pose a risk to the rights and freedoms of Users;
- appropriate technical and organizational measures have been implemented that render the data unusable by third parties;
- notification would require disproportionate effort, in which case a public notice or other alternative means of communication may be used.
8.7. The Company shall provide notification without undue delay, taking into account the need to:
- complete the initial assessment of the incident;
- ensure the accuracy of the information;
- prevent additional security risks.
8.8. Where necessary, the Company may provide further updates regarding the incident following the initial notification.
8.9. Security incident notifications are provided for informational purposes only and do not constitute an acknowledgement of liability by the Company.
9. Interaction with Service Providers
9.1. The Company may engage Service Providers to ensure the operation of the Application, including but not limited to cloud infrastructure, analytics services, communication services, and other technical solutions.
9.2. Within such cooperation, Service Providers may have access to information, including personal data, solely to the extent necessary to perform their functions on behalf of the Company.
9.3. The Company takes reasonable measures to select reliable Service Providers that ensure an appropriate level of information security and comply with relevant security standards.
9.4. Relationships with Service Providers that process personal data are governed by relevant agreements, which may include:
- restrictions on the purposes of data processing;
- confidentiality obligations;
- requirements for the implementation of technical and organizational security measures;
- procedures for responding to security incidents;
- an obligation to notify the Company of incidents that may affect the data.
9.5. In the event of a security incident involving a Service Provider, the Company shall:
- cooperate with such Service Provider to determine the circumstances of the incident;
- coordinate actions to contain and resolve the incident;
- assess the impact of the incident in accordance with Section 7 of this Policy;
- where necessary, provide notifications in accordance with Section 8.
9.6. The Company seeks to limit the transfer of data to Service Providers to the minimum necessary scope and applies appropriate access control measures.
9.7. In cases of international data transfers through Service Providers, the Company takes measures to ensure an adequate level of information protection in accordance with applicable law.
10. Prevention of Security Incidents
10.1. The Company implements preventive technical and organizational measures aimed at reducing the risk of security incidents and protecting information processed in connection with the operation of the Application.
10.2. Such measures include, but are not limited to:
10.2.1. Access Control
Restricting access to the System, Infrastructure, and data to authorized persons only, in accordance with their roles and functions.
10.2.2. Authentication and Account Security
Implementation of account protection mechanisms, including password complexity requirements, access management, and other security measures.
10.2.3. Monitoring and Logging
Maintenance of event logs and monitoring of activity for the purpose of timely detection of potential threats or anomalies.
10.2.4. System Updates and Maintenance
Regular updating of software, libraries, and Infrastructure components to eliminate known vulnerabilities.
10.2.5. Security Testing and Review
Periodic testing of the System for vulnerabilities, as well as implementation of internal security review procedures.
10.2.6. Data Protection
Use of technical measures to protect data during transmission and, where possible, during storage.
10.2.7. Third-Party Service Access Management
Control of integrations with Service Providers and restriction of data access in accordance with the principle of data minimization.
10.2.8. Organizational Measures
Implementation of internal policies, procedures, and practices aimed at ensuring information security.
10.3. The Company periodically reviews and improves its security measures in light of technological developments, changes in the Application’s functionality, and emerging threats.
10.4. Preventive measures are applied in accordance with the principle of proportionality and a risk-based approach.
10.5. Users are also responsible for complying with basic security measures, including the protection of their account credentials and devices.
11. Post-Incident Review
11.1. Following resolution of a security incident, the Company shall analyze the circumstances of its occurrence in order to prevent similar incidents in the future.
11.2. Such analysis may include:
- identification of the causes of the incident (including technical or organizational causes);
- assessment of the effectiveness of the response measures taken;
- identification of potential weaknesses in the System, Infrastructure, or internal processes.
11.3. Based on the results of the analysis, the Company may:
- improve technical and organizational security measures;
- update internal incident response procedures;
- implement additional control or monitoring mechanisms;
- take other measures aimed at enhancing the level of security.
11.4. Where necessary, the Company may conduct an additional assessment of risks related to data processing and adjust its data protection approach accordingly.
11.5. The Company may use aggregated results of incident analysis to improve the functionality of the Application and enhance security, without disclosing information that would allow Users to be identified.
12. Vulnerability Disclosure
12.1. The Company encourages the responsible reporting of potential vulnerabilities in the Application, System, or Infrastructure that may affect data security or the operation of the service.
12.2. If any person identifies a potential vulnerability, they are encouraged to report it to the Company through the official communication channels specified in this Policy or on the official resources of the Application.
12.3. When reporting a vulnerability, the Company requests that you:
- do not access data that does not belong to you without authorization;
- do not modify, delete, or disclose any third-party information;
- do not use the vulnerability to gain access to data or services;
- limit testing strictly to the extent necessary to confirm the existence of the issue.
12.4. The Company undertakes to:
- review vulnerability reports within a reasonable period of time;
- conduct an internal investigation where necessary;
- take measures to remediate confirmed vulnerabilities;
- where possible, inform the reporter about the status of the issue resolution.
12.5. The Company may decline to review reports that:
- contain inaccurate or unverified information;
- relate to social engineering without a technical component;
- are intended to cause harm to Users or the Company.
12.6. The Company does not provide rewards for vulnerability reports, unless otherwise explicitly provided for under a separate program or applicable terms.
12.7. Vulnerability reports are handled in accordance with principles of confidentiality and information security.
12.8. A vulnerability report does not create any legal relationship between the reporter and the Company unless explicitly agreed otherwise.