Friendium Incident Response & Breach Notification Policy

This Incident Response & Breach Notification Policy defines how Friendium detects, assesses, contains, investigates, and responds to security incidents, data breaches, service disruptions, and cyber threats in order to protect users, platform integrity, and Nexa-Group infrastructure.

1. Purpose & Security Philosophy

Friendium is committed to maintaining the confidentiality, integrity, and availability of its systems and user data. Despite strong preventive controls, no platform is immune to incidents.

This policy establishes a structured, auditable, and legally aligned framework for responding to incidents in a manner that minimizes harm, ensures transparency where required, and limits liability exposure for Friendium and Nexa-Group.

2. Scope of Covered Incidents

This policy applies to all confirmed or suspected incidents involving:

  • Unauthorized access to systems or accounts
  • Personal data breaches or exposure
  • Credential compromise or account takeover
  • Malware, ransomware, or intrusion attempts
  • Service outages or infrastructure failures
  • Denial-of-service attacks
  • Insider threats or misuse of access
  • Third-party or supply-chain security incidents

3. Incident Classification

Incidents are categorized based on severity and impact:

  • Low: Minimal impact, no data exposure
  • Moderate: Limited service or account impact
  • High: Data exposure, widespread disruption
  • Critical: Large-scale breach, safety or legal risk

4. Detection & Monitoring

Friendium employs continuous monitoring, logging, and alerting systems, including:

  • Security information and event management (SIEM)
  • Anomaly and behavior detection
  • Network and application telemetry
  • Threat intelligence feeds
  • User and automated reports

5. Incident Response Lifecycle

5.1 Identification

Upon detection, incidents are logged, timestamped, and assigned an initial severity rating.

5.2 Containment

Immediate actions may include:

  • Isolating affected systems
  • Disabling compromised accounts
  • Blocking malicious traffic
  • Revoking credentials or tokens

5.3 Investigation

Security teams analyze:

  • Root cause and attack vectors
  • Scope of affected data or users
  • Timeline of events
  • Indicators of persistence or lateral movement

5.4 Remediation

Corrective actions may include:

  • Patching vulnerabilities
  • Hardening configurations
  • Resetting credentials
  • Improving monitoring controls

6. Data Breach Definition

A data breach is defined as any confirmed or reasonably suspected incident resulting in unauthorized access, disclosure, alteration, or destruction of personal data.

7. User Notification Principles

Friendium will notify affected users when required by law or when the breach poses a material risk to user rights or safety.

Notifications may include:

  • Description of the incident
  • Types of data involved
  • Recommended protective actions
  • Steps taken by Friendium

8. Regulatory Notification

Where legally required, Friendium will notify relevant authorities, including:

  • Data Protection Authorities (GDPR)
  • State regulators (CCPA/CPRA)
  • Sector-specific or national cybersecurity bodies

Notifications will be made within statutory timelines where applicable (e.g., 72 hours under GDPR).

9. Law Enforcement Cooperation

Friendium may cooperate with law enforcement agencies when incidents involve criminal activity, threats to life, or significant public harm, subject to legal process and privacy safeguards.

10. Third-Party Incidents

Incidents originating from vendors or partners are assessed under this policy. Friendium may suspend integrations or services until risks are mitigated.

11. Internal Access & Confidentiality

Incident details are shared internally on a need-to-know basis. Unauthorized disclosure by employees or contractors is prohibited and may result in disciplinary action.

12. Post-Incident Review

After resolution, Friendium conducts post-incident reviews to:

  • Evaluate response effectiveness
  • Identify systemic weaknesses
  • Improve policies and controls
  • Update training and procedures

13. Recordkeeping & Audit

Incident records are retained for audit, compliance, and legal defense purposes in accordance with data retention requirements.

14. Limitation of Liability

Friendium’s response efforts are undertaken in good faith. To the maximum extent permitted by law, Nexa-Group and Friendium disclaim liability for indirect, incidental, or consequential damages arising from security incidents.

15. Policy Updates

This policy may be updated at any time to reflect evolving threats, regulatory requirements, or operational improvements.

16. Contact

Security Operations: security@friendium.com
Incident Reporting: incident@friendium.com
Legal: legal@friendium.com
