Last Updated: 22 Oct 2025

Effective Date: 18 September 2023

Issued by: Neobank Capital

Approved by: Data Protection Officer (DPO) & Chief Information Security Officer (CISO)


1. Purpose

The purpose of this Breach Notification Policy is to define the processes for detecting, reporting, assessing, and notifying relevant parties of any personal data breaches or security incidents affecting Neobank Capital systems, applications, or customer data.

This policy ensures:

  1. Timely notification to regulators and affected individuals.
  2. Compliance with international privacy and financial regulations.
  3. Minimization of harm to customers, business operations, and reputation.

2. Scope

This policy applies to:

  1. All Neobank Capital employees, contractors, vendors, and third-party service providers.
  2. All personal, financial, or sensitive data processed or stored by Neobank Capital.
  3. Breaches occurring in all internal systems, cloud environments, mobile applications, decentralized platforms, and APIs.

3. Definitions

  1. Data Breach: Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal, financial, or sensitive data.
  2. Sensitive Personal Data: Includes financial information, account numbers, identity verification documents, health-related information, and cryptographic wallet keys.
  3. Breach Notification: Communication to regulators, customers, or other affected parties regarding a confirmed or suspected data breach.

4. Reporting Requirements

  1. All personnel must report any suspected or confirmed data breach immediately to the DPO or the Security Team:
     - Email: security@neobank.capital (Security Team) or privacy@neobank.capital (DPO)
     - Phone (24/7 Incident Response Hotline): see Section 13, Contact Information
  2. Reports must include:
     - Description of the breach and how it was discovered
     - Date/time detected and, if known, date/time the breach occurred
     - Affected systems, data, or customers
     - Initial assessment of severity
     - Name and contact details of the person reporting

5. Breach Assessment

Upon notification, the Incident Response Team (IRT) and DPO will:

  1. Confirm the breach, record the date and time at which Neobank Capital became aware of it (the regulatory notification deadlines in Section 6 run from this point), and classify severity (low, medium, high, critical).
  2. Determine the data categories involved (see Section 3, Definitions).
  3. Evaluate the potential impact on data subjects (customers, employees, partners), including the likelihood and severity of harm.
  4. Decide whether regulatory notification and/or customer notification is required, and document the reasoning for that decision even when no notification is made.

6. Regulatory Notification

6.1 GDPR / UK GDPR

  1. Notify the relevant Data Protection Authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  2. Notifications must include:
     - Nature and scope of the breach
     - Categories and approximate number of affected individuals and affected records
     - Likely consequences of the breach
     - Measures taken or proposed to address the breach and mitigate its impact
     - Name and contact details of the DPO
  3. Where not all information is available within 72 hours, notify with what is known and provide the remaining information in phases without undue further delay.
  4. If notification is made after 72 hours, include the reasons for the delay in the notification and document them in the breach record (Section 10).

6.2 Other Jurisdictions

  1. Comply with CCPA, Swiss FADP, and other applicable laws requiring notification.
  2. Follow local regulatory timelines and formats for breach notification.

7. Customer Notification

  1. Notify affected customers without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
  2. Notifications must be written in clear and plain language and must include:
     - Description of the breach
     - What information was affected
     - Likely consequences for the customer
     - Steps the customer should take to protect themselves (for example, resetting passwords, enabling additional authentication, or watching for fraudulent transactions)
     - Contact details for further assistance (the DPO contact in Section 13)
  3. Notifications can be delivered via email, SMS, secure platform message, or other reasonable means. Notifications must never ask customers to supply credentials, account numbers, or wallet keys, and must direct customers to official Neobank Capital channels only.

8. Internal Communication

  1. All notifications and communications are coordinated by the CISO, DPO, and Communications Officer.
  2. Employees must avoid public disclosure until official communication is approved.
  3. Internal stakeholders must receive timely updates on the status of the breach and mitigation measures.

9. Mitigation Measures

  1. Immediately contain the breach. Before remediation alters affected systems, preserve the logs and other evidence needed for the breach assessment (Section 5) and for the breach record (Section 10).
  2. Reset affected credentials, API tokens, and cryptographic keys (including wallet keys), and revoke any sessions or access granted using compromised credentials.
  3. Apply security patches and configuration fixes to affected systems and to any other systems exposed to the same weakness.
  4. Monitor affected and related systems for further suspicious activity, and verify that the containment measures are effective before closing the incident.

10. Documentation and Record-Keeping

  1. Maintain detailed records of all breaches, whether or not they were notified, including:
     - Description of the breach, its root cause, and its effects
     - Date/time the breach occurred, was detected, and Neobank Capital became aware of it
     - Actions taken, with dates and the persons responsible
     - Notifications to regulators and customers (copies of the notifications and the dates sent), or the reasons why no notification was made
     - Post-breach evaluation and preventive measures
  2. Records are retained for at least 5 years, or longer where required by law or by a regulator.

11. Training and Awareness

  1. All employees, contractors, and partners must undergo annual training on breach detection, reporting, and notification procedures.
  2. Training includes realistic breach simulations and regulatory compliance requirements.

12. Policy Review

  1. This policy is reviewed annually or after any major breach, regulatory change, or operational update.
  2. Updates must be approved by the DPO and CISO.

13. Contact Information

Data Protection Officer (DPO)

📧 privacy@neobank.capital

Chief Information Security Officer (CISO)

📧 security@neobank.capital

Incident Response Hotline (24/7)

📞 +1 (844) 454 2508

...