Incident Notification Policy
We are strongly committed to protecting your data. This policy explains how and when we notify customers about data breaches, legal requests, and major security incidents.
Unless otherwise agreed in your service contract, all notifications under this policy will be sent via email to your registered contact address.
1 Personal Data Breaches (GDPR)
If an incident involves your personal data, we will:
- Notify you without undue delay, no later than 72 hours, if the breach is likely to create a high risk to your rights or freedoms
- Provide clear information about:
  - What happened
  - What data is affected
  - Potential consequences
  - What we are doing to fix the issue
  - How you can protect yourself
We also notify the relevant supervisory authority within the GDPR‑required 72 hours.
2 Major Security Incidents (Non-Personal Data)
If a security incident affects the availability, integrity, or confidentiality of our services, even if no personal data is involved, we will notify you when:
- The incident has a material impact on your service (significant service degradation or downtime)
- Your operations may be disrupted
- Your data or systems may be affected through our compromised infrastructure
We will notify you no later than 24 hours after we become aware of the incident, and follow up with an update no later than 72 hours. We will provide a post-mortem report no later than 4 weeks after the incident.
3 Government or Legal Requests
If we receive a legally binding request for customer data:
- We disclose data only when it is absolutely required by law
- If the law allows us to notify you, we will do so as soon as possible
- If we are prohibited from notifying you, we will inform you once the restriction is lifted
We never provide customer data voluntarily or without legal authority.
Version 1.0 | 09.01.2026 | legal@dataresearchcenter.org