1. Purpose of This Policy
This Policy outlines how GoDigital2Achieve Ltd (“GoDitach”, “we”, “our”, “us”) detects, manages, investigates, and reports data breaches and security incidents across all websites, products, platforms, services, and subdomains operated by GoDitach.
Its purpose is to ensure compliance with:
• UK Data Protection Act
• UK GDPR
• EU GDPR (for relevant users)
• CCPA
• Turkish KVKK requirements regarding “personal data security”
2. Scope of This Policy
This Policy applies to all categories of personal data processed through GoDitach services, including:
• account details
• CRM/contact information
• communication logs (email, SMS, WhatsApp metadata)
• review management data
• automation workflows and logs
• integration data
• billing/subscription data
• technical system logs
• user activity records
This Policy covers security events affecting:
• customers
• sub-accounts
• end-users
• any system where GoDitach provides technical hosting
3. Definitions
Data Breach: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Security Incident: Any event that may compromise confidentiality, integrity, or availability of data or systems.
Data Controller: The customer using GoDitach services.
Data Processor: GoDitach, only for technical system-level operations.
4. Responsibilities
GoDitach:
• maintains technical and organizational security measures
• monitors for unauthorized access
• notifies the customer of confirmed breaches
• assists customer investigations within reasonable limits
Customer:
• determines the legal obligations (GDPR/KVKK notification rules)
• notifies affected individuals when legally required
• ensures appropriate consent/legal basis for communications
• secures their own devices, accounts, and third-party integrations
5. Detection of Security Incidents
GoDitach employs monitoring systems that detect:
• suspicious login attempts
• API misuse
• abnormal server activity
• unauthorized access patterns
• service availability problems
• unexpected data exports
• integration misuse
Suspicious events are flagged for internal investigation.
6. Internal Investigation Steps
When an event is detected:
• Event is logged.
• Security team performs initial assessment.
• Severity is categorized as Low, Medium, High, or Critical.
• If personal data may be affected, a formal breach investigation begins.
• Customer is informed if breach is confirmed.
• Containment and remediation actions are initiated.
7. Notification to Customer
If a breach involving customer data is confirmed, GoDitach will notify the customer “without undue delay” and provide:
• nature of the breach
• categories of data affected
• estimated number of data subjects involved
• potential risks
• mitigation steps taken
• recommended actions for the customer
GoDitach does not notify end-users directly; this is the responsibility of the customer (Data Controller).
8. Customer’s Legal Responsibility (GDPR/KVKK/CCPA)
The customer is solely responsible for:
• determining whether the breach must be reported to regulators
• making notifications to affected individuals
• documenting the legal basis and compliance steps
• evaluating the risk level according to their own legal obligations
GoDitach provides technical assistance but does not make legal decisions on behalf of the customer.
9. Containment Measures
Upon detecting a breach, GoDitach may:
• revoke API tokens
• reset authentication keys
• disable compromised integrations
• block IP addresses
• suspend affected accounts
• isolate involved systems
• apply emergency patches
These measures may temporarily affect service functionality.
10. Prevention Measures
GoDitach maintains a range of security controls:
• encryption of data in transit and at rest
• access control and permission restrictions
• multi-factor authentication support
• continuous system monitoring
• secure server infrastructure
• regular vulnerability scans
• restricted employee access
• audit logging
• third-party platform security standards
11. Customer Responsibilities for Prevention
To reduce breach risk, customers must:
• secure their login credentials
• restrict internal user access appropriately
• use MFA where available
• secure their devices
• review third-party integrations
• avoid sharing API keys
• comply with consent and data processing obligations
Failures by the customer may reduce GoDitach’s ability to prevent breaches.
12. Recordkeeping
GoDitach maintains internal logs of:
• detected incidents
• breach investigations
• notifications to customers
• remediation steps
Logs are retained according to the Data Retention & Deletion Policy.
13. Updates to This Policy
GoDitach may update this Policy based on operational, technical, or legal requirements.
Continued use of GoDitach services indicates acceptance of changes.