Compliance
Personal Data Breach Response Policy
This policy explains how PigmentCRM (operated by Wenlar LLC) detects, contains, investigates and reports a personal data breach. It implements our obligations as a Processor under GDPR Articles 33-34, the corresponding UK GDPR provisions, and US state breach-notification statutes (e.g. California Civil Code §1798.82 and equivalent), and forms part of the DPA. Last updated 2026-04-25.
[email protected] with the words BREACH REPORT in the subject. Include studio name, what you observed, and when. We acknowledge within 4 hours, around the clock. 1. What counts as a personal data breach
A “personal data breach” is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed by PigmentCRM. Examples:
- An attacker gains access to a tenant database and views or exfiltrates customer records.
- A misconfigured R2 bucket exposes waiver images to the public internet.
- An employee account is phished and used to download a tenant’s customer list.
- A laptop containing exported customer data is lost or stolen.
- A bug routes one tenant’s data into another tenant’s response.
- A backup tape or cloud snapshot is destroyed without a viable copy.
A failed login, blocked attack, or near-miss is not a breach if no personal data was actually accessed, altered or lost. We track these as security events for trend analysis but they do not trigger this policy.
2. Detection
- Application logs and audit log monitored continuously; anomalies (mass-download patterns, repeated 401/403, unusual export volumes) page on-call.
- Cloudflare WAF + rate-limiting rules in front of all customer traffic.
- Daily review of upload-bucket access patterns and authentication logs.
- Customer reports via
[email protected]are treated as detection events. - Public bug-bounty inbox:
[email protected]; we follow ISO/IEC 29147 disclosure principles.
3. Severity tiers
| Tier | Examples | Initial response |
|---|---|---|
| P1 — Critical | Confirmed unauthorised access to multiple tenants’ data; exfiltration; ransomware; integrity loss with no clean backup. | War-room within 1h, hourly written updates to affected controllers. |
| P2 — High | Confirmed access to a single tenant’s data; misconfiguration that exposed PII; insider misuse. | Lead engineer within 2h, written update within 12h. |
| P3 — Medium | Suspected breach pending investigation; loss of an encrypted device; supply-chain alert. | Triage within 8h, written update within 48h after investigation. |
| P4 — Low | Security event with no evidence of personal-data impact; near-miss. | Logged, reviewed weekly, customers informed only if root cause requires action. |
4. Containment and eradication
- Isolate the affected component (revoke tokens, block IPs, quarantine instance).
- Force re-authentication and rotate all credentials with possible exposure (database, R2, third-party API keys).
- Snapshot logs, audit-log entries and forensic artefacts before remediation overwrites them.
- Patch the vulnerability or close the misconfiguration. Verify with an independent test.
- Restore from clean backup if integrity is compromised.
5. Notification — to controllers (studios)
Where a breach affects personal data we process for a customer, we notify that customer without undue delay and in any case within 72 hours of becoming aware that a breach has occurred. The notification will include, to the extent we know at the time:
- Nature of the breach, categories and approximate number of data subjects and records.
- Name and contact details of our data protection contact.
- Likely consequences and the measures taken or proposed to address it.
We will keep updating the notification as the investigation progresses, and we will provide reasonable assistance so the customer can fulfil its own GDPR Article 34 obligation, US state breach-notification duties, and CCPA security-incident reporting where applicable.
6. Notification — to authorities and data subjects
Where PigmentCRM is itself the controller (e.g. for prospect data on the marketing site or for staff data of our own employees), we notify the competent authority within the timeframes the relevant law requires — within 72 hours for EU/UK GDPR and as required by each applicable US state breach-notification statute — and we notify affected data subjects directly when the risk is high or the law requires it.
7. Documentation
Every breach (including those not requiring external notification) is recorded in an internal breach register containing the facts, effects, remedial actions and notifications sent. The register is retained for at least 6 years and is made available to supervisory authorities on request.
8. Post-incident review
For every P1 and P2 incident, we run a blameless post-incident review within 14 days and publish a redacted summary to affected customers. Action items are tracked to closure in our security backlog.
9. Customer responsibilities
- Tell us promptly about anything suspicious on your tenant:
[email protected]. - Keep staff accounts unique; never share credentials.
- Enable 2FA for admin accounts; rotate credentials when staff leave.
- Restrict external sharing of exported data; treat exports as sensitive.
Contact
Wenlar LLC
30 N Gould St, STE R
Sheridan, WY 82801, United States
Security and breach response: [email protected]
Data protection contact: [email protected]