Vendo Legal
Data Breach Policy
Last Updated: February 9, 2026
1. Purpose
This policy defines Vendo's procedures for identifying, containing, investigating, and communicating data breaches. It ensures compliance with applicable data protection laws including the GDPR, CCPA, and the Australian Privacy Act.
2. Definition
A data breach is any event that results in unauthorized access, disclosure, alteration, loss, or destruction of personal data or confidential information. This includes:
- Unauthorized access to systems containing personal data
- Accidental or intentional disclosure of personal information to unauthorized parties
- Loss or theft of devices or media containing personal data
- Ransomware or malware attacks that affect data availability or integrity
- Human error resulting in data exposure (e.g., misdirected emails)
3. Detection and Reporting
All Vendo personnel are responsible for promptly reporting any suspected or confirmed data breach. Reports should be made to:
- The designated Data Protection Officer (DPO)
- The Information Security team
- Management or the incident response team
Reports should include as much detail as possible, including the nature of the breach, the data affected, and any immediate actions taken.
4. Containment
Upon identification of a data breach, the incident response team will take immediate steps to contain the breach, including:
- Isolating affected systems or accounts
- Revoking compromised credentials
- Securing physical areas if applicable
- Preserving evidence for investigation
5. Assessment
The incident response team will conduct a thorough assessment to determine:
- The nature and extent of the breach
- The types and volume of data affected
- The individuals or groups affected
- The likely consequences and risks to affected individuals
- Whether the breach triggers notification obligations
6. Notification
Vendo will notify affected parties in accordance with applicable laws:
- Regulatory authorities: Within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms (GDPR requirement)
- Affected individuals: Without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Affected customers: As specified in contractual agreements, typically within 48-72 hours
7. Remediation
Following containment and notification, Vendo will:
- Implement corrective measures to prevent recurrence
- Update security controls and procedures as needed
- Conduct a post-incident review
- Document lessons learned
8. Record Keeping
Vendo maintains a register of all data breaches, including those that do not trigger notification obligations. Records include the facts of the breach, its effects, and the remedial actions taken.
9. Contact
To report a data breach or for questions about this policy, please contact us at support@vendodata.com.