This Synap Data Breach Management Policy accompanies the Synap Subscription Terms of Service, available at https://synap.ac/terms or a successor URL (the "Agreement") entered into between you ("Customer") and Synap.

Overview

Synap is commited to ensuring that all data we process - on behalf of our customers and their end users - is managed appropriately, in accordance with industry best practices, and in compliance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018) (collectively referred to as "Data Protection Legislation").

Every care is taken to protect personal data and to avoid a breach of such data. This policy outlines the measures Synap takes in response to an incident where data has been processed or disclosed in an unauthorised manner, or where there has been accidental loss, destruction or damage to personal data.

Synap employees are made aware of this document and receive training on how to handle personal data and ensure that they are doing so in a way that maintains a high level of security.

Scope

This document outlines the measures Synap will take in response to a breach of Customer Data - where Customer Data means, any data belonging to a Synap Customer or their End Users. For the avoidance of doubt, this definition includes both 'content' that our Customers create and store on Synap (such as test questions and other e-learning material), and personal data, such as names and email addresses.

Unless otherwise specified, the phrase 'data' or 'customer data' refers to both content data and personal data.

This document outlines Synap's approach to data breaches - it is not a comprehensive overview of the security measures we have in place to prevent breaches in the first place. Please refer to our Security Policy for more information about these measures.

Detecting & Reporting Incidents and Breaches

All Customer Data processed by Synap is encrypted, both in-transit and at-rest, and is stored on Amazon Web Services (AWS) infrastructure, with several layers of security to prevent and detect unauthorised access. For a more detailed overview of these measures, please refer to our Security Policy.

Customer Data is only handled by authorised Synap Representatives, who are directly involved in a particular customer's account. Synap Representatives who are handling Customer Data receive training on how to do so securely, and how to identify and respond to potential data breaches.

In the event of a suspected - or 'near miss' breach - whether reported via automated tools, or by a Synap Representative, or by a Synap Customer - Synap will launch a priority investigation to confirm or exclude the breach. A senior manager from Synap - and a representative from the Customer's organisation should be informed as soon as possible. If the breach is or suspected to be 'in progress', then a senior engineer from Synap should be contacted immediately with a view to closing the source of the breach as soon as possible.

An initial assessment of the suspected breach should be performed and communicated with the Customer. This assessment should include the following information:

• Summary of the suspected incident - when did it happen, what is the suspected nature of the breach (accidental loss, malicious intent etc), and what data was involved.

• To what extent can we confirm whether the breach did occur? If we cannot confirm it, what further investigations are necessary?

• Is the breach still occurring, and if so what immediate steps are needed to stop it?

• The nature of the data in question - e.g. is it personally identifiable data, e-learning material. If data is personally identifiable, then who are the people who have been affected, and what are the potential harms?

• If the breach is an accidental loss, what are the recovery options? (time of latest backup etc)

• If the breach is malicious, is it possible or likely that an unauthorised individual now has access to unencrypted Customer Data? What are the potential implications of this and how can they be minimised

• Is there an obligation to report the breach to the UK Information Commissioner's Office (ICO)?

Step 1: Containment and Recovery

1. The Data Protection Manager will ascertain the severity of the breach, whether any personal data is involved and whether the breach is still occurring.

2. If the breach is still occurring, the Data Protection Manager will establish what steps need to be taken immediately to minimise the effect of the breach and contain the breach from further data loss (e.g. restricting access to systems, closing down a system, encryption key rotation).

3. The Data Protection Manager will consider and implement appropriate steps required to recover any data loss where possible and limit damage caused (e.g. use of backups to restore data; changing passwords etc.)

4. The Data Protection Manager will consult with a Synap Director to determine if the severity and likely impact of the breach deems it necessary to inform the ICO. At the same time, depending on the nature of the breach, the Data Protection Manager may seek expert or legal advice and/or the Police if it is believed that illegal activity has occurred or likely to occur.

5. Where a significant breach has occurred, the Data Protection Manager will inform the ICO within 72 hours of the discovery of the breach.

6. The decision taken as to the reasons why a data breach is either reported or not reported is documented by the Data Protection Manager.

7. All the key actions and decisions are fully documented and logged in our Incident Management Log.

Assessment of Risk

Further actions may be needed beyond immediate containment of the data breach. A further assessment of the risks associated with the breach should be undertaken to identify whether any potential adverse consequences for individuals are likely to occur and the seriousness of these consequences. The Data Protection Manager will consider the points arising from the following questions:

1. What type and volume of data is involved?

2. How sensitive is the data? Could the data breach lead to distress, financial or even physical harm?

3. What events have led to the data breach? What has happened to the data?

4. Has the data been unofficially disclosed, lost or stolen? Were preventions in place to prevent access/misuse? (e.g. encryption)

5. How many individuals are affected by the data breach?

6. Who are the individuals whose data has been compromised?

7. What could the data tell a third party about the individual? Could it be misused regardless of what has happened to the data?

8. What actual/potential harm could come to those individuals? E.g. physical safety; emotional wellbeing; reputation; finances; identity theft; one or more of these and other private aspects to their life

9. Are there wider consequences to consider?

10. Are there others that might advise on risks/courses of action?

Step 3: Evaluation and Response

When the response to a data breach has reached a conclusion, the Data Protection Manager will undertake a full review of both the causes of the breach and the effectiveness of the response. If through the review, systematic or ongoing problems associated with weaknesses in internal processes or security measures have been identified as a cause of the data breach, then appropriate action plans will be drafted, actioned and monitored to rectify any issues and implement recommendations for improvements.

Implementation of these Procedures

The Data Protection Manager will ensure that staff are aware of these procedures for reporting and managing data breaches. Data Protection training for all staff is mandatory, including new employees and all staff will undertake refresher training annually. If staff have any queries or questions relating to these procedures, they should discuss this with the Data Protection Manager.