Breach notification

If a personal-data breach affects data we process for you, we will notify the affected customer's account administrator by email without undue delay after we confirm the breach.

We send the notice by email to the account administrator on record. That is the canonical commitment — it is reused word-for-word in our privacy policy and our Data Processing Agreement, so there is no daylight between what we tell a regulator, a buyer, and a contract.

• The nature of the breach and the categories of data and records involved, to the extent known.
• The likely consequences and our assessment of the risk to affected individuals.
• The measures we have taken or propose to take to contain and remediate it.
• A named contact for follow-up questions.

Under the UK GDPR a data controller must report a qualifying breach to the ICO within 72 hours; as your processor we notify you so you can meet that obligation. Separately, as the controller for our own corporate data we report qualifying breaches to the UAE Data Office under the PDPL.

In plain terms: we notify youso that you, as the controller of your tenant's data, can meet your own regulator obligation — for UK controllers, reporting a qualifying breach to the ICO within 72 hours. We do not report your breach to your regulator on your behalf; that decision and that clock are yours, and our prompt notice is what lets you keep it.