Skip to Content
Data Breach Policy

Data Breach Notification Policy

Last updated: February 14, 2026

This policy describes how Rowform detects, responds to, and communicates Personal Data breaches in accordance with Articles 33 and 34 of the GDPR.

1. What Constitutes a Data Breach

A Personal Data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Examples include:

  • Unauthorized access to the Rowform database or user accounts.
  • Accidental exposure of respondent data through a software defect.
  • Loss of data due to infrastructure failure without adequate backup.
  • A compromised employee or service account accessing Personal Data.

2. Detection and Assessment

2.1 Monitoring

Rowform employs the following measures to detect potential breaches:

  • Audit logging — All sensitive operations (data exports, account deletions, consent changes, logins) are logged with timestamps and user attribution.
  • Row Level Security (RLS) — Database-level access policies prevent unauthorized cross-account data access.
  • Infrastructure monitoring — Supabase and Vercel provide built-in alerting for anomalous activity and unauthorized access attempts.

2.2 Assessment

When a potential breach is identified, Rowform will immediately assess:

  • The nature and scope of the breach.
  • The categories and approximate number of Data Subjects affected.
  • The categories and approximate volume of Personal Data records affected.
  • The likely consequences for affected Data Subjects.
  • Whether the breach is ongoing or contained.

3. Internal Response Procedure

Upon confirming a breach, Rowform follows this response process:

StepActionTimeframe
1Contain — Isolate the affected systems, revoke compromised credentials, and stop the breach from continuing.Immediately
2Assess — Determine scope, affected data, and root cause.Within 24 hours
3Notify affected customers — Inform Controllers (Rowform account holders) whose data or respondent data was affected.Within 72 hours
4Notify supervisory authority — Report to the relevant Data Protection Authority if required under GDPR Article 33.Within 72 hours
5Notify Data Subjects — If the breach poses a high risk to individuals, notify affected respondents directly or assist Controllers in doing so.Without undue delay
6Remediate — Fix the root cause, patch vulnerabilities, and update security measures.As soon as possible
7Document — Record the breach, its effects, and all remedial actions taken in an internal breach register.Ongoing

4. Customer Notification

When notifying affected customers, Rowform will provide:

  • A description of the nature of the breach.
  • The categories and approximate number of Data Subjects and records affected.
  • The name and contact details of our point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach and mitigate its effects.

Notifications will be sent via email to the account holder’s registered email address.

5. Supervisory Authority Notification

Where required under GDPR Article 33, Rowform will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, providing:

  • The nature of the Personal Data breach.
  • Contact details of our data protection point of contact.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach.

If full details are not available within 72 hours, information will be provided in phases without undue delay.

6. Record Keeping

Rowform maintains an internal breach register documenting:

  • The facts relating to each breach.
  • Its effects on Data Subjects.
  • The remedial actions taken.
  • The reasoning behind decisions regarding notification.

This register is retained for a minimum of 5 years and is available for inspection by supervisory authorities upon request.

7. Post-Breach Review

After every breach, Rowform conducts a post-incident review to:

  • Identify the root cause and contributing factors.
  • Evaluate the effectiveness of the response.
  • Implement additional safeguards to prevent recurrence.
  • Update this policy if necessary.

8. Contact

To report a suspected data breach or security vulnerability:

We take all reports seriously and will acknowledge receipt within 24 hours.

Last updated on
Data Processing AgreementLawful Basis for Processing