Personal-data breach notification
A breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data (GDPR Art. 4(12)); in practice, any incident that compromises its confidentiality, integrity, or availability. GDPR Art. 33 sets a hard 72-hour deadline for notifying the supervisory authority and Art. 34 requires us to notify you without undue delay, and this page is our pre-committed playbook so there is no ambiguity if it happens.
Effective 2026-04-30. Last incident: none.
Detection
- Real-time anomaly alerts on database access patterns.
- Daily integrity checks of the encrypted-at-rest column set.
- Sub-processor breach notifications routed directly to the DPO inbox.
- Public bug-bounty intake at security@buronia.com.
Internal escalation (T+0 to T+24h)
- The on-call engineer pages the DPO and the operator within 1 hour of detection.
- The incident gets a tracking ID and a private war-room channel.
- We contain the breach (revoke credentials, rotate keys, isolate affected hosts) before drafting the notice. Containment does not pause the 72-hour clock, which runs from the moment we become aware of the breach, not from the moment it is contained.
- We preserve forensic evidence (logs, snapshots) for the supervisory authority.
Notification to the supervisory authority (Art. 33) — T+72h
We notify the lead supervisory authority without undue delay and within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to your rights and freedoms (Art. 33(1)); a breach we decide not to notify is still recorded, with the reasoning, in the incident record (Art. 33(5)). The lead authority depends on the country — see Compliance & security for the per-country authority. If we cannot complete the assessment in 72 hours, we file an interim notice and follow up in phases (Art. 33(4)). The notice contains:
- Nature of the breach, including categories and approximate number of data subjects.
- Categories and approximate number of records affected.
- DPO contact for follow-up.
- Likely consequences.
- Measures taken / proposed to address the breach and mitigate adverse effects.
Notification to you (Art. 34)
If the breach is likely to result in a high risk to your rights and freedoms, we contact you directly without undue delay. The communication is in clear and plain language and includes:
- What happened.
- Which of your data is affected.
- What we've done to limit the damage.
- What we recommend you do (e.g. change a related password, alert your bank).
- How to reach the DPO for questions.
We use the email address you signed in with. If we have your WhatsApp opt-in, we will also send a WhatsApp follow-up so the message is harder to miss in a busy inbox.
When notification is not required
Per Art. 34(3), individual notification is not required when the affected data was rendered unintelligible to anyone not authorised to access it (e.g. the affected column was AES-256-GCM encrypted with a key the attacker could not access; this does not hold if the key, or credentials that could retrieve it, were exposed in the same incident), when subsequent measures eliminate the high risk, or when individual notification would involve disproportionate effort, in which case we inform you by public communication instead. These exemptions cover only direct notification to you; the Art. 33 notice to the supervisory authority is still filed unless the breach is unlikely to result in any risk. We document the reasoning in the same incident record.
Public disclosure
If a breach affected ≥10% of users, we publish a redacted post-mortem on this site within 30 days of resolution.
Reporting a suspected breach to us
If you believe your account or data has been compromised, email security@buronia.com with whatever evidence you have. We acknowledge within 24 hours, even on weekends.