1. Our Commitment
If there are reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, POPIA section 22 requires us to notify the Information Regulator and each affected data subject as soon as reasonably possible after discovery. Our internal target is to notify the Regulator within 72 hours of discovery, unless a shorter period is possible.
2. Six-Step Procedure
| Step | Target time | Owner | Action |
|---|---|---|---|
| 1. Identify & contain | Within 1 hour | Information Officer + Technical owner | Isolate affected systems, revoke credentials, rotate keys, preserve evidence. Open incident record. |
| 2. Assess | Within 24 hours | Information Officer | Determine: what happened, what data categories are implicated, how many users are affected, severity, cause. |
| 3. Notify Regulator | As soon as reasonably possible (target: within 72 hours of discovery) | Information Officer | Submit the Security Compromise Notification (SCN) form to the Information Regulator. |
| 4. Notify data subjects | As soon as reasonably possible after Regulator notification | Information Officer | Email affected users with a description of the compromise, the categories of data involved, steps they can take, steps we have taken, and our contact details. Where email is not possible, publish a prominent notice on the website. |
| 5. Remediate | Within 14 days | Technical owner | Fix root cause. Apply patches. Re-issue affected secrets. Document remediation. |
| 6. Review | Within 30 days | Information Officer | Post-incident review. Update this plan and controls. Store incident report in the breach register for minimum 5 years. |
3. When Notification May Be Delayed (s22(4))
Notification of data subjects may be delayed only if a public body responsible for the prevention, detection or investigation of offences determines that delay is necessary, or if an information officer of the responsible party determines that notification will impede a criminal investigation. Any delay must be documented in the incident record and reviewed weekly.
4. Notification Templates
Regulator notification (summary fields)
- Name, address and contact details of Tapnet Solutions (Pty) Ltd.
- Date and time the security compromise was discovered.
- Date and time the compromise is believed to have occurred.
- Nature and extent of the compromise.
- Description of the personal information involved.
- Identity (if known) of the person who accessed the personal information.
- Possible consequences of the compromise for the data subjects and steps taken to limit harm.
- Number of affected data subjects.
- Remedial actions taken or planned.
- Contact details for the Information Officer handling the incident.
Data-subject notification (email template)
Subject: Important - action required regarding your TradeJournal account
“On [date] we discovered a security compromise affecting [category of data, e.g. email addresses, hashed passwords]. We have contained the incident. We are writing to tell you what happened, what data was involved, what you should do now, what we have done, and how to reach us with questions. [Facts.] [Recommended user actions.] [Remediation steps we have taken.] For further information contact privacy@tradejournal.co.za. You may also complain to the Information Regulator.”
5. Breach Register
We maintain an internal breach register recording, for every incident and suspected incident:
- Incident ID, date discovered, date occurred;
- Detected by (person / system);
- Nature, cause and vector;
- Data categories and number of data subjects affected;
- Severity rating (low / medium / high / critical);
- Regulator notification reference and date sent;
- Data-subject notification date and method;
- Remediation actions and owner;
- Lessons learned;
- Closed date.
Records are retained for a minimum of five years.
6. Operator Breach Handling
If a breach originates at an operator (for example Supabase or Vercel), the operator is contractually required to notify us without undue delay. On receipt of such notice we follow steps 2–6 above as if we had detected the breach ourselves.
7. Training and Testing
The Information Officer walks through this plan at least once a year and files a dated “tabletop exercise” record. Operator-led postmortems are reviewed when published. Any change to contact details or operators must trigger a plan update.
8. How to Report a Suspected Incident
If you believe your TradeJournal account has been compromised, or you have identified a vulnerability, email privacy@tradejournal.co.za. We acknowledge reports within one business day.