Internal Incident Response Policy for Personal Data

General Provisions

1.1. This policy defines the procedure for detecting, recording, investigating, and reporting incidents of personal data leakage or unauthorized access.

1.2. The policy is developed in accordance with:

• Law of the Republic of Belarus No. 99-Z dated 07.05.2021 "On Personal Data Protection";
• Federal Law of the Russian Federation No. 152-FZ dated 27.07.2006 "On Personal Data";
• Personal Data Processing Policy;
• Personal Data Privacy Policy;
• Data Processing Agreement;

1.3. An incident is defined as any event related to:

• unauthorized access;
• leakage;
• alteration;
• blocking;
• deletion;
• dissemination of personal data under the control of "Client Solutions" LLC.

Such actions may be committed by:

• external attackers (hackers, phishing, breaches);
• internal employees accidentally or intentionally;
• automated processes (bugs, system failures, incorrect API operation);
• third parties engaged in personal data processing (e.g., Google Ads, Yandex Direct, SendPulse).

1.4. Upon detection of an incident, the Company undertakes to:

• record the fact of the incident;
• conduct an internal investigation;
• take measures to minimize damage;
• notify interested parties and authorized bodies within the established timeframes;
• document all actions and retain records for at least 5 years.

Incident Detection

2.1. Incidents may be detected through the following methods:

• automated security monitoring systems;
• logs and audit journals;
• user reports;
• requests from data subjects;
• security system testing.

2.2. Signs of a possible incident:

• unusual system activity;
• multiple login attempts;
• changes in configurations and access rights;
• disappearance or corruption of files containing personal data;
• external reports from data subjects or partners about a possible leak.

Actions Upon Incident Detection

3.1. Upon detecting an incident, an employee of the company must:

• immediately report to management;
• record the time, type, and scale of the incident;
• terminate access to the affected data;
• initiate an internal investigation.

3.2. The internal investigation is conducted by an appointed commission (IT + legal department), which:

• analyzes logs and audit trails;
• identifies the scope of affected individuals;
• assesses the level of damage;
• prepares an incident report;
• provides recommendations to prevent recurrence.

3.3. All incident data is recorded in a special incident log, which contains:

• date and time of the event;
• type of incident;
• list of affected data and individuals;
• description of response actions;
• investigation results;
• commission conclusions.

3.4. In case of personal data leakage, "Client Solutions" LLC undertakes to report the incident:

• to the operator (CRM user);
• to the authorized bodies of the Russian Federation and the Republic of Belarus within 24 hours of detection, unless otherwise provided by the legislation of the receiving country.

Damage Mitigation Measures

4.1. Immediate actions:

• blocking access to the system;
• restoring data from backups;
• strengthening security measures (updating passwords, certificates, implementing new restrictions);
• informing users about the need to check their accounts.

4.2. If the incident affects specific personal data subjects:

• users are notified via email;
• information is provided about which data may have been affected;
• recommendations are given to ensure their security.

4.3. All damage mitigation actions are recorded in an act and attached to the report.

Employee Responsibility

5.1. All employees of "Client Solutions" LLC:

• must comply with the privacy policy;
• must immediately report any suspicious incident;
• are responsible for unlawful processing of personal data.

5.2. For violation of the policy terms, the following apply:

• internal disciplinary measures;
• administrative liability under Belarusian and Russian legislation;
• training and professional development on personal data handling.

Information Storage and Documentation

6.1. All incident materials are accessible only to authorized persons.

6.2. The incident log is stored for at least 5 years.

6.3. Reports and acts are prepared electronically and archived with the following information:

• date and time of the incident;
• type of leakage;
• list of affected data and individuals;
• measures taken to address the consequences.

Control and Training

7.1. Regularly conducted:

• internal security system audits;
• employee training on personal data handling;
• incident response training;
• updating policies and regulations.

7.2. Mandatory training is conducted:

• upon hiring;
• annually;
• upon changes in legislation;
• after each detected incident.

Interaction with Authorized Persons and Users

8.1. "Client Solutions" LLC is not the operator of personal data entered by users into the CRM system and acts as an authorized person.

8.2. In the event of an incident related to leakage of data provided by users, the Company:

• notifies the operator (CRM user);
• provides necessary information for further actions;
• is not responsible for the content of data provided by the user.