Applicable plans: ❎ The free plan, ❎ The complete plan
ℹ️ At Waldo, the management of personal data breaches is formally governed by a strict internal procedure. This framework ensures rapid response, full transparency and continuous improvement whenever an incident occurs.
1. Detection and internal reporting 🔍
As soon as a data breach or a suspected breach is identified (for example: lost device, unauthorised access, cyberattack), any employee or subcontractor must report it immediately.
The alert must be sent without delay to:
- the Data Protection Officer (DPO)
- the MOFFI Technical Team
Early reporting is essential to reduce potential impact.
2. Initial assessment and containment (within 24 hours) ⚠️
Within 24 hours of detection, the DPO and the Technical Team carry out a preliminary assessment.
Their immediate goals are to:
- contain the breach,
- mitigate potential consequences,
- secure and preserve evidence in a protected environment.
This step acts as a quarantine for the incident. 🧯
3. In‑depth risk assessment 🧠
A detailed investigation is conducted to assess the severity of the breach. Each incident is classified into one of three levels:
- Negligible: minor breach
- Limited: simple breach
- Maximum: major breach
The assessment considers:
- the volume of data involved,
- the sensitivity of the data,
- the duration of exposure,
- the potential impact on individuals’ rights and freedoms.
4. Customer notification (within 24 hours) 📣
Waldo is contractually committed to informing the customer within 24 hours of detection.
The notification includes:
- the nature of the breach,
- the likely consequences,
- the measures already taken or planned.
If affected users belong to a customer organisation, that organisation’s administrators are informed directly.
5. Legal notifications (authority and users) 🏛️
If the breach is likely to present a risk to individuals’ rights and freedoms, a notification is sent to the competent supervisory authority (CNIL in France) via its official online service, as soon as possible and no later than 72 hours after detection; if that deadline cannot be met, the notification is accompanied by the reasons for the delay.
If the risk to individuals’ rights and freedoms is considered high, the affected individuals are informed directly, using clear and plain language.
6. Breach register and continuous improvement 🔁
Every data breach — whether minor or major, notified or not — is recorded in Waldo’s Data Breach Register.
Once the incident is contained, a post‑incident review is conducted to:
- identify root causes,
- strengthen the information system,
- improve organisational measures to prevent future incidents.
💡 Each incident is treated as an opportunity to make MOFFI even more secure.