Veri-Tech

Breach Notification Policy

Effective Date: May 8, 2026 · Last Updated: May 8, 2026 · Version 1.0

1. Purpose

This policy describes when, how, and what Veri-Tech communicates to Customers and other stakeholders following a security incident involving Customer Data, Protected Health Information, or other regulated data. It consolidates Veri-Tech's notification commitments under HIPAA, GDPR, U.S. state breach notification statutes, and the Veri-Tech contractual framework into a single reference for procurement and security review.

For the operational mechanics of how Veri-Tech detects, classifies, contains, and recovers from incidents, see the Incident Response Policy.

2. Scope

This policy applies to security incidents that involve any of the following:

  • Personal Data of Customer's data subjects (under GDPR Article 4(12));
  • Protected Health Information (PHI) of Customer's Individuals (under 45 CFR §164.402);
  • Personal Information of U.S. residents under applicable state breach notification statutes (e.g., CCPA/CPRA, NY SHIELD, MA 201 CMR 17.00);
  • Other Customer Confidential Information for which contractual notification is required.

3. Notification Timelines

The following table summarizes Veri-Tech's maximum notification windows. Veri-Tech will provide notification without unreasonable delay and in any event no later than the windows below, measured from discovery of the incident.

| Trigger | Notification Window | Source |
|---|---|---|
| Confirmed Data Breach involving Personal Data of EEA, UK, or Swiss data subjects | 72 hours | GDPR Article 33; DPA §5.5 |
| Confirmed Breach of Unsecured PHI (Customer is a Covered Entity using the HIPAA Compliance Pack) | 60 days (Veri-Tech notifies in 72 hours by contractual commitment) | 45 CFR §164.410; BAA §3(c) |
| Confirmed unauthorized acquisition of Personal Information of U.S. residents | State-specific (often "most expedient time possible and without unreasonable delay") | Applicable state law; Veri-Tech notifies in 72 hours by contractual commitment |
| Suspected incident affecting Customer Data (under investigation; no confirmed breach yet) | Initial "awareness" notification within 5 business days if four-factor analysis or root-cause investigation extends past that point | Veri-Tech contractual commitment |

Discovery means the date Veri-Tech knew, or by exercising reasonable diligence would have known, that an incident occurred. For incidents detected by an automated alert that requires triage, discovery is the time the alert is acknowledged and validated as a real signal, not the time the alert first fired.

4. What the Notification Includes

To the extent the information is known at the time of notification, Veri-Tech provides:

  • The date the incident was discovered and the date(s) the incident occurred;
  • A plain-language description of the incident, including the systems and Customer Data classes involved;
  • The categories and approximate number of data subjects (or Individuals, for PHI) affected;
  • The types of Personal Data, Personal Information, or PHI involved (e.g., names, email addresses, configuration metadata);
  • A description of the steps Veri-Tech has taken to investigate, contain, mitigate, and prevent recurrence;
  • Recommendations for actions Customer should consider (e.g., revoking sessions, rotating credentials, notifying their own data subjects);
  • The name and contact information for Veri-Tech's incident point-of-contact (Communications Lead);
  • A commitment to provide updates as additional information becomes available.

For incidents involving PHI, the notification additionally includes the information required by 45 CFR §164.410 sufficient for Customer (the Covered Entity) to fulfill its individual-notification obligations under 45 CFR §164.404.

5. How the Notification Is Delivered

5.1 Method. Veri-Tech delivers initial notifications by email to the contacts on file for Customer's account (Owner role; designated Privacy Contact, if specified; designated Security Contact, if specified). For SEV-0 and SEV-1 incidents involving HIPAA Customers, Veri-Tech also attempts to reach Customer's designated Privacy Officer by phone within four (4) hours of confirming the incident.

5.2 Designating Notification Contacts. Customers may designate a Privacy Contact and a Security Contact distinct from the Owner role through their account settings or by emailing privacy@veri-tech.net. Veri-Tech recommends designating dedicated mailboxes rather than individual addresses to avoid notification gaps during personnel transitions.

5.3 Updates and Final Report. Veri-Tech provides written updates as material information becomes available, and a final post-incident report within fourteen (14) days of incident closure. For incidents triggering regulatory notification, the final report includes the information Customer needs to satisfy its own regulator-notification obligations.

5.4 Cooperation. Veri-Tech cooperates with reasonable Customer requests for additional information needed for Customer's own investigation, individual-notification analysis, or regulatory filings.

6. Customer Obligations

To enable timely notification, Customer agrees to:

  • Maintain accurate and current Owner, Privacy Contact, and Security Contact information in the Veri-Tech portal;
  • Promptly acknowledge receipt of incident notifications;
  • Cooperate in good faith with Veri-Tech's investigation, including providing reasonable access to relevant logs, audit data, and incident-related records under Customer's control;
  • Treat the contents of the notification as Confidential Information of Veri-Tech (subject to Customer's legal disclosure obligations to data subjects, regulators, and individual notice recipients).

7. Reporting an Incident to Veri-Tech

If Customer or Customer's personnel observes activity that may indicate a security incident affecting Veri-Tech systems or Customer Data:

  • Email: security@veri-tech.net
  • Subject line prefix: "[INCIDENT]" or "[SUSPECTED INCIDENT]"
  • Initial response: Veri-Tech acknowledges incident reports within 4 hours, 24/7. Customer-reported incidents follow the severity classification process described in the Incident Response Policy.

Veri-Tech does not retaliate against, and welcomes reports from, security researchers and Customer personnel acting in good faith. A formal coordinated-disclosure program is on the post-launch hardening roadmap; in the interim, please use the security@veri-tech.net mailbox.

8. Public Disclosure

Veri-Tech may publish a redacted incident summary on its public status page or in this policy's change log if (a) the incident affected the broader Customer base or the marketplace and (b) public disclosure does not interfere with active investigation, law enforcement cooperation, or Customer-specific notice obligations. Public disclosure is in addition to, not in lieu of, direct Customer notification.

9. Modifications

Veri-Tech may modify this policy from time to time to reflect changes in law, Veri-Tech's practices, or Customer feedback. Material changes will be communicated by email or in-app notification at least thirty (30) days in advance, except where a more rapid change is required by law or to address an immediate security threat.


Contact Information

Report a security incident: security@veri-tech.net
Privacy: privacy@veri-tech.net
Legal: legal@veri-tech.net
Customer support: support@veri-tech.net
