Personal Data Breach Response Procedure
Effective Date: May 12, 2026
Last Updated: May 12, 2026
Owner: Kosmatic Solutions Inc.
This document describes how Kosmatic Solutions Inc. ("Kosmatic," "we") responds to a Personal Data Breach involving the Auraflow service. It is published in the interest of transparency and to satisfy notification obligations under GDPR Articles 33 and 34, the UK GDPR, the CCPA/CPRA, PIPEDA, and equivalent laws.
A redacted version of our internal incident response runbook is summarised below. The full runbook, including specific personnel, third-party retainer details, and forensic procedures, is maintained internally and available to regulators on lawful request.
1. Definitions
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data Processed by Kosmatic or any of its Sub-Processors. (GDPR Article 4(12))
- Customer: A Shopify merchant or other business that has installed Auraflow.
- End User: A visitor to a Customer's storefront whose Personal Data is Processed by Auraflow.
- Supervisory Authority: A data protection authority with jurisdiction over the affected Personal Data (e.g., the Irish Data Protection Commission for EU-based End Users, the Office of the Privacy Commissioner of Canada for Canadian End Users, the California Privacy Protection Agency for California End Users).
2. Detection and Triage
Breaches are detected through one or more of the following channels:
- Automated monitoring: Application logs, anomaly detection on database query patterns, failed authentication spikes, cloud-provider security alerts (Render, Cloudflare).
- Sub-Processor notification: A Sub-Processor (e.g., Render, Cloudinary, Postmark, Anthropic) notifies us of an incident affecting infrastructure or data they Process on our behalf.
- Customer report: A Customer reports suspicious activity, account compromise, or unauthorised access via support@kosmatic.com.
- Third-party disclosure: A security researcher, journalist, regulator, or law enforcement agency informs us of an issue.
- Internal discovery: Routine code review, audit, or red team exercise surfaces a vulnerability that may have been exploited.
As soon as practicable after detection, the incident is logged in our internal incident tracker and triaged by the Incident Response Lead. Triage determines whether the event constitutes a Personal Data Breach as defined above, or a security incident that does not involve Personal Data. Triage targets a same-business-day response and is always completed within the 72-hour window required for downstream regulator notification.
3. Containment
If the event involves Personal Data, we take immediate containment measures as soon as the scope is understood, with the goal of completing initial containment within 24 hours of confirmation:
- Revoke compromised credentials, API tokens, OAuth grants
- Isolate affected systems (network segmentation, service quarantine)
- Disable affected user accounts where appropriate
- Snapshot affected database state for forensic analysis
- Halt Sub-Processor data flows where the breach involves a Sub-Processor
- Preserve logs and evidence for forensic analysis
A timeline of containment actions is maintained from this point forward and forms the basis of subsequent notifications.
4. Assessment
As soon as practicable after confirmation, and in any case in time to support the 72-hour regulator notification window, we complete an initial assessment covering:
- Scope: Which Personal Data was affected — categories, approximate volume, identifiability
- Affected populations: Customers (merchants), End Users (visitors), or both — and geographic distribution
- Cause: Root cause hypothesis (compromised credential, software vulnerability, Sub-Processor incident, insider action, etc.)
- Risk to data subjects: Likelihood and severity of harm — financial loss, identity theft, reputational damage, discrimination, loss of confidentiality
- Containment status: Whether the breach has been contained or is ongoing
- Notification triggers: Which regulatory and contractual notification obligations apply
The assessment is documented in writing and updated as new information becomes available.
5. Regulatory Notification
5.1 GDPR / UK GDPR (EU and UK End Users)
If the breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the relevant Supervisory Authority within 72 hours of becoming aware. The notification includes:
- Nature of the breach, categories and approximate number of data subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of our data protection contact (support@kosmatic.com)
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
Where notification cannot be provided within 72 hours, we provide it in phases without further undue delay and document the reasons for the delay.
5.2 PIPEDA (Canada)
If the breach creates a real risk of significant harm to an individual, we notify the Office of the Privacy Commissioner of Canada as soon as feasible and maintain a record of every breach for at least 24 months, regardless of whether notification was required.
5.3 CCPA / CPRA (California)
For California residents, we follow California Civil Code §1798.82 — notification "in the most expedient time possible and without unreasonable delay," consistent with the legitimate needs of law enforcement and necessary measures to determine breach scope and restore system integrity.
5.4 Other Jurisdictions
Notification timelines for other jurisdictions (e.g., Brazil's LGPD, Australia's NDB scheme, Singapore's PDPA) are followed according to the specific obligations of those laws.
6. Notification to Affected Individuals
We notify affected End Users (data subjects) when the breach is likely to result in a high risk to their rights and freedoms. Notification is made in clear and plain language and includes:
- Description of the nature of the breach
- Name and contact details of our data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Recommended actions the individual can take to protect themselves (e.g., change passwords on connected accounts, monitor financial statements)
Notification is delivered via the most direct channel available — typically email, supplemented by an in-product banner on affected Customer dashboards, and a notice published on kosmatic.com if appropriate.
Notification to End Users may be made by the Customer rather than directly by Kosmatic, where the Customer is the Controller of the affected Personal Data and Kosmatic is acting as a Processor. In that case, we provide the Customer with all information needed to make the notification.
7. Notification to Customers
We notify affected Customers without undue delay after becoming aware of any breach affecting their Personal Data or End User data, in accordance with our Data Processing Agreement. The Customer notification includes:
- Nature and scope of the breach
- Categories of data and approximate volume affected
- Timeline of detection and containment
- Sub-Processors involved (if any)
- Remediation steps taken
- Information needed for the Customer to fulfil their own notification obligations
Customer notification is sent to the email address on file for the account, and where appropriate, to the data protection contact identified by the Customer.
8. Remediation
After containment, we conduct a root-cause analysis and implement remediation measures, which may include:
- Code patches, configuration changes, dependency updates
- Credential rotation, access policy changes
- Sub-Processor remediation actions or replacement
- Additional monitoring, alerting, or detection mechanisms
- Staff training or process changes
- Independent security review or penetration test
Remediation status is tracked and reported to affected Customers on a reasonable cadence until closed.
9. Post-Incident Review
Within 30 days of incident closure, we conduct a post-incident review covering:
- Timeline accuracy and what could have been detected sooner
- Effectiveness of containment and notification procedures
- Lessons learned and process improvements
- Updates to monitoring, detection, or controls
- Updates to this procedure and our internal runbook
A summary of the review is retained in our incident records.
10. Record Keeping
We maintain records of every Personal Data Breach, whether reportable or not, for a minimum of 3 years. Records include:
- Date and time of detection and confirmation
- Description of the breach
- Affected data categories, populations, and approximate volume
- Risk assessment
- Containment, remediation, and notification actions taken
- Reasoning for notification decisions (including decisions not to notify)
- Final outcome and lessons learned
Records are available to Supervisory Authorities on lawful request.
11. Customer and Sub-Processor Responsibilities
Customers are responsible for:
- Securing their own credentials and API tokens
- Notifying us promptly of any suspected breach affecting their account
- Notifying their own End Users where they are the Controller
Sub-Processors are contractually required to:
- Notify Kosmatic without undue delay of any breach affecting Personal Data they Process on our behalf
- Cooperate with Kosmatic's investigation and notification efforts
- Provide all information reasonably necessary for Kosmatic to fulfil its notification obligations
12. Contact
To report a suspected breach, vulnerability, or security incident:
Email: support@kosmatic.com
Subject line: "Security Incident — Auraflow"
For coordinated vulnerability disclosure, we accept reports via the same address and commit to:
- Acknowledging receipt within 2 business days
- Providing an initial assessment within 5 business days
- Not pursuing legal action against good-faith security researchers
Kosmatic Solutions Inc.
Vancouver, British Columbia, Canada