Buaze home
DATA BREACH

Data Breach Response Policy

SUMMARY

Detection, KVKK Authority notification (72 hours) and data-subject notification procedures for personal data breaches.

1. Purpose#

This policy governs detection, classification, reporting and notification of personal data breaches that may occur in Buaze ("Buaze") systems. It is based on KVKK Article 12/5 and the Personal Data Protection Authority decision dated 24.01.2019 (No. 2019/10).

2. Definition of breach#

A data breach is the unlawful acquisition, disclosure, alteration, deletion or unauthorised access of personal data. Examples:

  • Unauthorised access to systems,
  • Database backup leak,
  • Stolen / lost device containing personal data,
  • Misconfiguration exposing data on the public internet,
  • Personnel account compromise via phishing,
  • Sub-processor breach affecting Buaze data,
  • Ransomware attack.

Suspicion alone triggers this procedure — certainty is not required; precaution prevails.

3. Response team#

  • Information Security Officer (lead) — coordination and decisions
  • Software Engineer (technical) — log analysis, containment
  • Legal (legal@buaze.com) — notification text, legal process
  • Data Controller Representative — VERBIS update

4. Phases#

Phase 1 — Detection (T+0)#

Anomalies are caught automatically (Sentry alert, SIEM, intrusion alarm) or manually (user complaint, external notice). On detection:

  • The incident is reported to support@buaze.com.
  • The response team is alerted.

Phase 2 — Containment (T+0 to T+24 hours)#

  • The affected system is isolated; further spread is prevented.
  • Evidence is preserved (snapshots, logs, hashes).
  • Temporary remediation: account suspension, password reset, session revocation.

Phase 3 — Assessment (within T+24 hours)#

  • Affected data categories (identity, contact, customer comments, payment, etc.).
  • Estimated number of affected data subjects.
  • Whether the breach poses a "high risk".
  • If business customers are affected, notification within 24 hours to the relevant business (DPA Art. 8).

Phase 4 — Notification (within T+72 hours)#

Notification to the KVKK Authority (where Buaze is the controller):

Filed via the breach notification form at https://veriihlalibildirimi.kvkk.gov.tr. Required content:

  • Time and duration of the breach,
  • Type of breach (unauthorised access, disclosure, loss, etc.),
  • Affected categories of personal data,
  • Approximate number of data subjects affected,
  • Likely consequences,
  • Technical and administrative measures taken / to be taken.

Notification to the controller (where Buaze is the processor):

The business (controller) must be informed within 24 hours under DPA Art. 8 so it can fulfil its own KVKK Authority notification duty; technical and legal support is provided.

Notification to data subjects (where high risk):

For high-risk breaches, affected users are notified by appropriate means (e-mail, panel message) within a reasonable period in clear, plain language including:

  • Nature of the breach,
  • Likely consequences,
  • Steps the user can take (password change, fraud monitoring),
  • Contact: support@buaze.com.

Phase 5 — Root-cause analysis (within T+30 days)#

  • 5-Why or RCA methodology to identify root cause.
  • Corrective action plan: code fixes, architectural changes, training needs.
  • Controls added to prevent recurrence.

Phase 6 — Documentation#

  • All incidents are recorded in the breach register (open to KVKK Authority audit).
  • Incident reports retained at least 5 years.

5. Encouraging internal reporting#

Staff, customers and third parties may report suspected breaches via:

  • support@buaze.com (personal data breach)
  • legal@buaze.com (legal concerns)
  • Anonymous reporting form (planned)

A non-retaliation policy applies to good-faith reporters.

6. Annual drill#

The response team runs one drill per year:

  • Scenario-based simulation (e.g. database leak),
  • Notification drafts are rehearsed,
  • Process gaps are identified and added to the procedure.

7. Transparency#

After the post-incident process is complete (without compromising evidence), a redacted summary may be published. Public access to KVKK Authority breach notifications is provided by the Authority.

8. Contact#

  • Data breach reports: support@buaze.com
  • Legal advice: legal@buaze.com
Questions? legal@buaze.com