How We Handle Safety Incidents
AskBiz's process for responding to security incidents, data breaches, and platform safety events. What we do, how fast, who we notify, and what your rights are.
Our Incident Response Principles
When a security or safety incident occurs, AskBiz operates on four principles:
1. Contain first: stop the incident from spreading before anything else
2. Investigate thoroughly: understand exactly what happened and what data was affected
3. Notify promptly and transparently: tell affected users what happened in plain English, not legal boilerplate
4. Remediate and learn: fix the root cause and document what we improved
We do not prioritise managing our reputation over your right to know what happened.
Security Incident Classification
We classify incidents by severity:
P1 (Critical): Confirmed unauthorised access to user data, an active breach, or a service-wide authentication failure. Response begins within 1 hour of detection, 24/7.
P2 (High): Suspected data exposure (unconfirmed), significant service degradation, or a single user account confirmed compromised through a platform vulnerability. Response begins within 4 hours.
P3 (Medium): Attempted breach (blocked), minor data exposure with no confirmed exfiltration, or a security misconfiguration without active exploitation. Response within 1 business day.
P4 (Low): Security configuration improvements, minor policy violations, or theoretical vulnerabilities. Addressed in the normal development cycle.
Data Breach Notification: Legal Requirements We Follow
AskBiz complies with breach notification requirements under three frameworks:
UK GDPR / Data Protection Act 2018: We must notify the ICO (Information Commissioner's Office) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to you personally, we notify you without undue delay, meaning as soon as practicable, not just within 72 hours.
EU GDPR: Same 72-hour obligation to the relevant supervisory authority (e.g. the Irish DPC, given our data is stored in Dublin). Equivalent individual notification obligations apply.
US state laws: Several US states have breach notification laws (California CCPA/CPRA, New York SHIELD Act, etc.). We comply with all applicable state notification requirements, which generally require notification within 30 to 72 days of discovery, depending on the state.
In plain terms: if your data is involved in a breach, we will tell you as quickly as possible, not hide it.
What a Breach Notification From AskBiz Looks Like
If you are affected by a breach, you will receive an email from security@askbiz.co that includes:
- What happened: a plain-English description of the incident
- When it happened: the date of the incident and the date we discovered it
- What data was affected: specifically which categories of data were involved (e.g. 'email addresses and hashed passwords' or 'Shopify OAuth tokens for accounts connected before [date]')
- What data was NOT affected: to be clear about the scope
- What we have done: steps taken to contain and remediate
- What you should do: specific recommended actions (e.g. change your password, revoke API keys)
- Who to contact: a direct contact for questions
We will not send vague or generic notifications. We will not say 'potentially some data may have been affected'; we will tell you what we know and what we do not yet know.
Platform Safety Events
Beyond data breaches, AskBiz monitors for other safety events:
AI-generated harm: If an AI response causes harm (for example, generating false financial data that a user relied on for a significant decision), we investigate the root cause, update our AI guardrails, and contact the affected user directly.
Service misuse: If AskBiz is used to facilitate fraud or illegal activity, we suspend the account, preserve evidence, and cooperate with law enforcement. We may notify other affected parties where we are legally permitted to do so.
Third-party platform security events: If Shopify, Amazon, or another connected platform suffers a breach that may affect our integration (e.g. their OAuth tokens are compromised), we proactively revoke and regenerate all affected tokens and notify connected users.
Supply chain incidents: If one of our infrastructure providers (Vercel, Supabase, Anthropic) reports a security incident, we assess the impact on AskBiz users and notify accordingly.
Post-Incident Review
After every P1 or P2 incident, AskBiz conducts a written post-incident review within 30 days. The review covers:
- Root cause analysis
- Timeline of events
- What our monitoring did and did not detect
- What we have changed to prevent recurrence
- Any systemic improvements to our security posture
For significant incidents (those affecting more than a small number of users, or involving confirmed data exfiltration), we publish a public summary of the incident and our response. We believe transparency after security incidents builds trust; hiding them erodes it.