Data Breach Response Policy
Last Updated: July 28, 2025
This Data Breach Response Policy outlines how Consentmo (iSenseLabs dba as Consentmo) detects, responds to, and communicates about potential or confirmed data breaches. It ensures that we take swift, effective, and transparent action to protect personal data, fulfill legal obligations, and maintain trust with merchants and their customers.
Purpose
Consentmo is committed to protecting the personal data processed through our services. This policy defines our approach to identifying, managing, and responding to data breaches involving personal or sensitive data collected through the Consentmo app or website.
It applies to all personnel, systems, and third-party services involved in the handling of personal data. Our goal is to mitigate risks, preserve data integrity, and ensure compliance with applicable data protection laws, including GDPR, CCPA, and other global regulations.
What Is a Data Breach?
A data breach refers to any confirmed or suspected incident where personal data is:
- Lost or stolen
- Accessed or disclosed without authorization
- Altered or destroyed unlawfully
This includes both accidental and deliberate actions, whether caused internally or by external actors.
How We Detect and Report Breaches
Internal Detection
Our systems and personnel continuously monitor for anomalies or signs of unauthorized data access. If a Consentmo employee, contractor, or partner suspects a data breach, they must immediately report it via:
- Email: security@consentmo.com
- Internal Ticketing System or Help Desk: Accessible to all team members
Reports are reviewed promptly by our Information Security Administrator and incident response team.
Merchant or External Reporting
If you are a merchant using the Consentmo app and suspect a breach involving your store’s data, please notify us immediately at security@consentmo.com. We will investigate and provide a formal response within a reasonable timeframe.
Breach Response Process
Our response process follows a structured 6-step methodology based on the SANS Incident Handler’s Handbook:
1. Preparation
- Regular risk assessments and breach simulations
- Clear roles and responsibilities for incident handling
- Ongoing employee training and readiness checks
2. Identification
- Confirm the incident and classify the type of breach
- Log details, assess scope and severity, and document findings
3. Containment
- Isolate affected systems to prevent further exposure
- Apply short- and long-term containment measures
4. Eradication
- Remove malicious files or unauthorized access points
- Identify root cause and take preventive measures
5. Recovery
- Restore affected systems and verify their integrity
- Resume normal operations with heightened monitoring
6. Lessons Learned
- Conduct a full review within 2 weeks of resolution
- Update documentation, processes, and employee training
- Share relevant findings with affected parties (if appropriate)
Roles and Responsibilities
To ensure a coordinated response, we engage an internal Incident Response Team (IRT) chaired by executive management. The team may include representatives from:
- IT Infrastructure & Engineering
- Product and Application Security
- Legal & Compliance
- Communications & Public Relations
- Human Resources and Support Operations
Additional specialists (e.g., external forensic investigators or insurance providers) may be involved based on breach severity.
Information Security Administrator
This designated individual oversees incident coordination, reporting, documentation, and resolution, and liaises with relevant stakeholders.
Users and Staff
All Consentmo personnel are responsible for promptly reporting any suspicious activity. They are also required to follow security protocols to prevent data exposure.
Notifying Affected Parties
If a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify:
- Affected merchants or users (as soon as reasonably possible)
- Supervisory authorities (within the legally mandated timeframe, e.g., 72 hours for GDPR-covered data)
Our communications will include:
- The nature and scope of the breach
- The types of personal data involved
- Steps we are taking to mitigate the damage
- Guidance for affected individuals (e.g., password resets, data review)
All breach notifications will be clear, accurate, and timely.
Working with Forensic Investigators and Insurers
In cases of confirmed or high-risk incidents, we will engage professional forensic teams (as provided through our cybersecurity insurance) to analyze:
- How the breach occurred
- Which systems and data were involved
- The number of users affected
- Any vulnerabilities exploited
This analysis informs our remediation and legal obligations.
Security Enforcement
Employees who violate this policy or who fail to follow proper breach reporting protocols may be subject to disciplinary action, up to and including termination. Third-party vendors in breach of contract may have their access revoked.
Data Security and Prevention
We aim to prevent breaches through:
- Secure encryption of data in transit and at rest
- Access controls and audit logs
- Continuous system monitoring and vulnerability patching
- Regular security awareness training
These measures are aligned with our broader security and privacy policies.
Definitions
For clarity, the following terms are used:
- PII (Personally Identifiable Information): Any data that can identify a person (e.g., name, email, IP address)
- Sensitive Data: Any PII or data classified as Protected Health Information (PHI)
- Data Breach: Unauthorized access, disclosure, or loss of personal or sensitive data
- Encryption: The process of converting data into a secure format to prevent unauthorized access
Questions or Reporting
If you have questions about this policy or need to report a potential data breach, please contact us:
Email: security@consentmo.com
Address: Prof. Georgi Bradistilov Str. No.4, 1700 Sofia, Bulgaria
EU Registration Number: 112660079
%20-%20Copy-p-500.webp)
.webp)
%20-%20Copy.png)
.svg)