Data Breach Policy
Introduction
Cloudstream is committed to safeguarding personal data and preventing breaches that could affect the rights and freedoms of individuals. This policy outlines the steps Cloudstream will take in the event of a data breach involving personal data, ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable laws.
Scope of the Policy
This policy applies to all data breaches, including but not limited to:
- Unauthorized access, disclosure, or destruction of personal data.
- Accidental loss or alteration of personal data.
- Any security incidents that compromise the confidentiality, integrity, or availability of personal data.
This policy covers data breaches involving all data processed by Cloudstream, including data collected through software services, customer interactions, and data received from third-party APIs.
Definition of a Data Breach
A personal data breach under the GDPR is defined as a security incident that leads to:
- Unauthorized access to personal data.
- Unlawful processing of personal data.
- Accidental or unlawful loss, destruction, or alteration of personal data.
Roles and Responsibilities
- Data Controller (Cloudstream’s Customers): The customers of Cloudstream are the Data Controllers. They determine the purposes and means of processing personal data and provide instructions to Cloudstream as the Data Processor. The Data Controller is responsible for ensuring the lawful basis for processing, obtaining any necessary consents from data subjects, and fulfilling data subject rights.
- Data Processor (Cloudstream): Cloudstream is the Data Processor and is responsible for processing personal data on behalf of its customers in accordance with their instructions. Cloudstream will ensure compliance with the Data Processing Agreement (DPA) and take all necessary measures to safeguard personal data. Cloudstream must notify the Data Controller of any data breach and assist with the Controller’s data protection obligations.
- Authorized Sub-processors (e.g., AWS): Sub-processors engaged by Cloudstream (such as AWS) will process data on Cloudstream’s behalf and must comply with the terms of the DPA. Sub-processors must notify Cloudstream of any data breach affecting personal data and assist in the breach management process.
Data Breach Response Process
Cloudstream employs robust security measures to protect personal data from unauthorized access, loss, or breach, and follows the steps below when a breach occurs:
Step 1: Identifying and Reporting a Breach
Any data breach or potential security incident must be identified and reported immediately by Cloudstream or any contractor who becomes aware of it.
- Contractors and sub-processors must notify Cloudstream immediately if they suspect or identify any personal data breach.
- Upon identifying the breach, Cloudstream must record the details and initiate appropriate actions to contain and manage the breach.
Step 2: Assessing the Breach
Cloudstream will assess the breach to determine its impact by considering:
- The type of personal data involved.
- The extent and scope of the breach (e.g., how much data was affected).
- The potential consequences for the individuals whose data was involved.
If the breach is likely to result in a risk to the rights and freedoms of individuals, Cloudstream will notify the Data Controller (i.e., customers) and assist them with their responsibilities under GDPR.
Step 3: Containing and Mitigating the Breach
Once the breach is identified:
- Cloudstream will take immediate steps to contain the breach, such as restricting access to systems, resetting credentials, or isolating affected systems.
- Cloudstream will engage with any sub-processors (e.g., AWS) to secure compromised data and prevent further unauthorized access.
Further technical measures, such as encrypting or securely deleting compromised data, will be taken to minimize damage.
Notification Procedures
To the Data Controller
As Cloudstream operates as a Data Processor, Cloudstream’s responsibility is to notify the Data Controller (i.e., customers) without undue delay if a breach occurs that could impact personal data.
Notifications to the Data Controller should include:
- The nature of the breach.
- The types of personal data affected.
- The likely consequences of the breach.
- Steps taken to mitigate the breach and reduce its impact.
To the Supervisory Authority (by the Data Controller)
The responsibility for notifying the supervisory authority (ICO) lies with the Data Controller, not the Data Processor (Cloudstream). However, Cloudstream must cooperate fully with the Data Controller to ensure that they can meet their regulatory obligations.
If the Data Controller determines that the breach poses a risk to individuals, they are required to notify the ICO within 72 hours of becoming aware of the breach. Cloudstream must provide any information and support needed for this notification.
Documenting the Breach
All data breaches that occur in Cloudstream’s systems, regardless of severity, must be documented in a Data Breach Register that includes:
- The nature of the breach.
- The date and time of discovery.
- Steps taken to contain and mitigate the breach.
- Notifications made (to the Data Controller, individuals, etc.).
- Corrective actions implemented to prevent future breaches.
This record must be made available to the Data Controller and, if requested, to the ICO.
Preventive Measures and Security Controls
To reduce the risk of future breaches, Cloudstream implements the following measures:
- Data Encryption: Personal data is encrypted both at rest and in transit using industry-standard encryption protocols.
- Access Controls: Role-based access, two-factor authentication (2FA), and strong password requirements are enforced for all systems.
- Regular Audits: Cloudstream will conduct regular internal audits of security policies and system access logs.
- Training and Awareness: Cloudstream employees are required to undergo GDPR awareness training and follow Cloudstream’s security protocols.
- Incident Response Plan: A structured plan is in place to ensure rapid containment and management of security incidents.
Review and Updates
This Data Breach Policy is reviewed annually or upon significant changes in Cloudstream’s operations, business activities, or data processing arrangements. The policy may also be updated in response to any data breaches or lessons learned from security incidents.
Contact Information
For any questions regarding this policy, data breach procedures, or GDPR compliance, please contact:
Cloudstream Ltd
Suite 306, 4 Blenheim Court
Peppercorn Close
Peterborough PE1 2DU
Email: [email protected]
Tel.: 0333 050 7546
