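Data Breach Notification Policy

Effective date: 2026-04-22

This policy explains how SaaSoftware LLC, which operates the CaptchaLa brand, detects and responds to personal-data breaches and notifies affected parties.

The English version of this policy is authoritative and binding. The translations of the page title and preamble are for reference only.

This document is a template provided for convenience and should be reviewed by qualified legal counsel before its content is relied upon.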

1. Scope & Definition

This Data Breach Notification Policy describes how SaaSoftware LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, USA, operating the CaptchaLa brand, detects, responds to, and notifies affected parties of a personal-data breach. A "personal-data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed by or for CaptchaLa. This policy complements our Privacy Policy and Data Processing Agreement.

2. Detection & Internal Response

We maintain monitoring, logging, and alerting to help identify potential security incidents. On becoming aware of a suspected breach, we follow an internal response process:

  • Triage and verify the report, and assign an incident owner.
  • Contain the incident and stop ongoing unauthorised access where possible.
  • Assess the nature, scope, categories of data, and individuals potentially affected, and the likely risk to their rights and freedoms.
  • Preserve evidence and document the timeline, findings, and decisions taken.

3. Notification to Affected Customers

Where we act as a processor on a customer's behalf, we will notify the affected customer (the controller) without undue delay after becoming aware of a personal-data breach affecting their data, so the customer can meet its own notification obligations. Where we are the controller (for example, breaches affecting account data), and the breach is likely to result in a risk to individuals, we will notify affected individuals and, where applicable under the GDPR or UK GDPR, the relevant supervisory authority. We aim to support the GDPR / UK-GDPR expectation of notifying the competent authority within 72 hours of becoming aware where that obligation applies.

4. Information Provided in a Notification

To the extent known and available at the time, a breach notification will include:

  • A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
  • The name and contact point where more information can be obtained.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its effects.

Where it is not possible to provide all information at once, we will provide it in phases without further undue delay.

5. Remediation & Lessons Learned

After containment, we work to remediate the root cause, restore affected systems and data, and apply corrective measures such as patching, credential rotation, configuration changes, and additional controls. We conduct a post-incident review to reduce the likelihood and impact of similar incidents in the future.

6. Customer Responsibilities

Customers are responsible for safeguarding their own credentials and API keys and for promptly reporting suspected compromise. If you become aware of a security issue affecting CaptchaLa or your account, report it to us as soon as possible using the security contact below.

7. Security Contact

To report a suspected security incident or vulnerability, or for questions about this policy, contact SaaSoftware LLC at [email protected]. Please include enough detail for us to investigate, and avoid sharing sensitive data in plain text where possible.