Report a Security Incident
If you have discovered or suspect a security breach, data leak, or vulnerability, please contact us immediately:
Email: security@fulldeal.ai
Subject Line: [URGENT] Security Incident Report
For critical issues requiring immediate attention, mark the email as high priority. We monitor this inbox 24/7.
1. Overview
FullDeal AI is committed to protecting your personal data and maintaining the security of our systems. This document outlines our data breach notification process in compliance with the General Data Protection Regulation (GDPR) Articles 33 and 34.
Definition: A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
2. Our Incident Response Process
Phase 1: Detection & Containment (0-4 hours)
- Immediate assessment of the incident
- Containment measures to prevent further data exposure
- Preservation of evidence for investigation
- Activation of incident response team
- Initial severity assessment
 
Phase 2: Investigation & Assessment (4-24 hours)
- Detailed forensic analysis
- Identification of affected data and users
- Risk assessment: likelihood and severity of impact on data subjects
- Documentation of all findings
- Determination of notification requirements
 
Phase 3: Notification (24-72 hours)
- Supervisory Authority: Notification within 72 hours of becoming aware of the breach (GDPR Article 33)
- Affected Users: Notification without undue delay if high risk to rights and freedoms (GDPR Article 34)
- Internal stakeholder notification
- Sub-processor notification (if applicable)
 
Phase 4: Remediation & Prevention (Ongoing)
- Implementation of corrective measures
- Security enhancements to prevent recurrence
- User support and assistance
- Post-incident review and documentation
- Update of security policies and procedures
 
3. Notification to Supervisory Authority (Article 33)
When required, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. The notification will include:
- Nature of the breach (categories and approximate number of data subjects and records)
- Name and contact details of our data protection officer or contact point
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate harm
 
Relevant Supervisory Authorities:
4. Notification to Affected Users (Article 34)
We will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms. User notifications will be:
- Clear and plain language: Easy to understand, avoiding technical jargon
- Specific: Describing the nature of the breach and data affected
- Actionable: Including recommended steps to protect yourself
- Direct: Via email to your registered address
 
What to expect in a breach notification:
- Description of what happened and when we detected it
- What types of data were affected
- Potential consequences and risks
- Steps we've taken to address the breach
- Recommended actions you should take (e.g., change password, monitor accounts)
- Contact information for questions and support
- Your rights under GDPR
 
5. Exceptions to User Notification
User notification may not be required if:
- Encryption: The data was encrypted and the encryption keys were not compromised
- Subsequent Measures: We took measures that ensure the high risk is no longer likely to materialize
- Disproportionate Effort: Notification would require disproportionate effort (in which case we will use a public communication or a similar measure)
 
Note: We will always notify the supervisory authority, even if we do not notify affected users.
6. Breach Documentation
We maintain comprehensive records of all data breaches, including:
- Facts relating to the breach
- Effects and consequences
- Remedial actions taken
- Timeline of detection, investigation, and response
- Communication records (authorities and users)
 
These records are maintained to demonstrate compliance with GDPR requirements and are available for review by supervisory authorities.
7. Prevention Measures
To minimize the risk of data breaches, we implement:
Technical Safeguards
- Encryption in transit (TLS/HTTPS) and at rest (AES-256 for files)
- AES-256-GCM encryption with 96-bit IV for OAuth tokens
- bcrypt password hashing (cost factor 12)
- CSRF protection with constant-time token comparison
- Rate limiting (Upstash Redis, sliding window)
- Comprehensive security headers (CSP, HSTS, X-Frame-Options)
- Input validation and SQL injection prevention
- RBAC (role-based access control) with permission-based authorization
- Security monitoring and logging
- Regular security audits
 
Organizational Safeguards
- Security awareness training
- Incident response plan
- Access management policies
- Regular policy reviews
- Third-party security assessments
- Data minimization practices
 
8. How to Report a Security Issue
We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please:
Reporting Guidelines:
- DO NOT exploit the vulnerability beyond what is necessary to demonstrate it
- DO NOT access, modify, or delete other users' data
- DO provide detailed steps to reproduce the issue
- DO allow us reasonable time to address the issue before public disclosure
- DO email us at security@fulldeal.ai with full details
 
What to include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any relevant screenshots or proof-of-concept
- Your contact information (for follow-up)
 
We will acknowledge your report within 24 hours and provide updates on remediation progress.
9. Your Rights Following a Breach
If you are affected by a data breach, you have the right to:
- Information: Receive clear information about the breach and its impact
- Support: Access to assistance and support services
- Complaint: Lodge a complaint with a supervisory authority
- Compensation: Seek compensation for damages (material or non-material)
- Access: Request access to your data and breach records
- Deletion: Request deletion of your account and data