Data Breach Notification & Response Policy
Effective Date: October 20, 2025
Last Updated: October 20, 2025
1. Introduction
Quantra, operated by Deoxy Labs ("we," "our," or "us"), is committed to protecting the security and privacy of our customers' data. This Data Breach Notification & Response Policy outlines our procedures for identifying, responding to, and communicating security incidents and data breaches in compliance with applicable laws and regulations, including GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and other international data protection standards.
This policy applies to all personal data processed by Quantra in the course of providing Virtual Private Server (VPS) hosting, colocation services, and related infrastructure solutions.
2. What Constitutes a Data Breach
A data breach is defined as any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed by Quantra.
2.1 Types of Breaches We Monitor
- Unauthorized Access: Intrusion into customer accounts, administrative systems, or VM instances by unauthorized parties
- Data Exfiltration: Theft or unauthorized transmission of customer data, including credentials, billing information, or VM configurations
- System Compromise: Malware infections, ransomware attacks, or exploitation of vulnerabilities affecting our infrastructure
- Accidental Disclosure: Unintentional exposure of personal data through misconfiguration, human error, or software bugs
- Physical Security Incidents: Unauthorized physical access to data center facilities or server hardware
- Third-Party Breaches: Security incidents affecting our service providers or partners that may impact customer data
- Insider Threats: Unauthorized access or misuse of data by employees, contractors, or other trusted parties
2.2 Severity Classification
We classify breaches based on risk and impact:
- Critical: Large-scale exposure of sensitive personal data (passwords, payment information, SSH keys) affecting multiple customers
- High: Unauthorized access to customer VMs, administrative systems, or exposure of authentication credentials
- Medium: Exposure of non-sensitive account information (email addresses, usernames) or limited VM metadata
- Low: Security events with negligible risk to customer data and no confirmed unauthorized access (e.g., failed intrusion attempts, vulnerabilities remediated before any exploitation)
3. Breach Detection & Monitoring
3.1 Continuous Monitoring Systems
Quantra employs multiple layers of security monitoring to detect potential breaches:
- Intrusion Detection Systems (IDS): Real-time monitoring of network traffic for suspicious patterns and known attack signatures
- Security Information and Event Management (SIEM): Centralized log aggregation and correlation from all infrastructure components
- File Integrity Monitoring: Automated detection of unauthorized changes to critical system files and configurations
- Access Logging: Comprehensive audit trails of all administrative actions, API requests, and customer account access
- Anomaly Detection: Machine learning-based behavioral analysis to identify unusual access patterns or data transfers
- Vulnerability Scanning: Regular automated and manual security assessments of our infrastructure
- Third-Party Security Audits: Annual penetration testing and compliance audits by independent security firms
3.2 Detection Timeframes
Our security team monitors alerts 24/7. Critical incidents trigger immediate notifications to our on-call security personnel. We aim to detect and confirm potential breaches within the following windows, measured from the first alert or observable indicator:
- Critical incidents: Within 15 minutes
- High-severity incidents: Within 1 hour
- Medium-severity incidents: Within 4 hours
- Low-severity incidents: Within 24 hours
4. Incident Response Process
4.1 Immediate Response (0-1 Hour)
Upon detection of a potential breach, our security team will:
- Activate the Incident Response Team (IRT) including security engineers, legal counsel, and executive leadership
- Isolate affected systems at the network level to prevent further unauthorized access or data loss, keeping them powered on where possible so that volatile evidence (memory, active sessions) is not lost
- Preserve all relevant logs, system snapshots, and forensic evidence before any remediation step that would overwrite them
- Begin preliminary assessment of breach scope, affected data, and impacted customers
- Implement immediate containment measures (blocking IP addresses, disabling compromised accounts, patching vulnerabilities)
4.2 Investigation Phase (1-24 Hours)
- Conduct detailed forensic analysis to determine root cause, attack vector, and extent of compromise
- Identify all affected customers and the specific data exposed or accessed
- Assess legal and regulatory notification obligations based on breach severity and jurisdiction
- Document all findings, actions taken, and timeline of events
- Engage external cybersecurity experts if needed for specialized investigation or remediation
4.3 Remediation & Recovery (24-72 Hours)
- Implement permanent fixes to close security gaps and prevent recurrence
- Restore affected systems from clean backups if necessary
- Reset credentials and deploy additional authentication requirements (e.g., forced password resets, enhanced 2FA)
- Validate system integrity and confirm no persistent threats remain
- Prepare customer communications and notification materials
4.4 Post-Incident Review (Within 7 Days)
- Conduct comprehensive post-mortem analysis with all stakeholders
- Update security controls, monitoring rules, and response procedures based on lessons learned
- Provide detailed incident report to executive leadership and board of directors
- Implement long-term security improvements to prevent similar incidents
5. Customer Notification Procedures
5.1 Notification Timeframes
We are committed to transparent and timely communication:
- GDPR Compliance: Regulatory authorities will be notified within 72 hours of becoming aware of a qualifying breach
- Customer Notification: Customers affected by a high-risk breach will be notified within 72 hours of our becoming aware of it; where the affected accounts cannot be identified within that window, notification follows as soon as the investigation confirms impact
- Critical Incidents: For breaches involving active threats or ongoing unauthorized access, we will notify customers within 24 hours
- Public Disclosure: If a breach affects a significant number of customers or involves high-risk data, we will publish a public security advisory on our website and status page
5.2 Notification Channels
Customers will be notified through multiple channels:
- Email: Direct notification to the email address associated with your account
- Dashboard Alert: In-app notification displayed prominently when you log into your Quantra dashboard
- Status Page: Public incident updates posted at status.quantra.deoxylabs.com
- Direct Contact: For critical incidents affecting enterprise customers, we will reach out via phone or designated emergency contact
5.3 Information Included in Notifications
Breach notifications will include:
- Description of the incident and how it occurred
- Date and time the breach was detected
- Categories and approximate volume of personal data affected
- Specific customer accounts or VMs impacted
- Potential consequences and risks to affected customers
- Actions we have taken to contain and remediate the breach
- Recommended actions for customers to protect themselves (e.g., password resets, enabling additional security features)
- Contact information for our security team and support resources
- Timeline for ongoing updates and resolution
6. Regulatory Compliance & Reporting
6.1 GDPR Compliance (EU/EEA Customers)
For customers in the European Union and European Economic Area:
- We will notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of a qualifying personal data breach
- Notifications will include all information required under GDPR Article 33, including nature of breach, affected data subjects, consequences, and remedial measures
- If notification cannot be made within 72 hours, we will provide reasons for the delay and submit updates as investigation progresses
- High-risk breaches will result in direct notification to affected individuals without undue delay
6.2 CCPA and California Breach Notification Law (California Residents)
For California residents:
- California's breach notification statute (Civil Code § 1798.82), which the CCPA supplements, applies to breaches of unencrypted personal information, and to encrypted personal information where the encryption key or security credential is also reasonably believed to have been acquired
- Where a single breach requires us to notify more than 500 California residents, we will also submit a sample copy of the notification to the California Attorney General
- Affected individuals will be notified in the most expedient time possible and without unreasonable delay
- Notifications will contain the content and follow the format required by Civil Code § 1798.82
6.3 Other Jurisdictions
We comply with breach notification laws in all jurisdictions where we operate or have customers, including but not limited to: Australia (Notifiable Data Breaches scheme), Canada (PIPEDA), and other international data protection regulations.
7. Your Rights Following a Data Breach
7.1 Right to Information
You have the right to:
- Receive clear, transparent information about any breach affecting your data
- Request additional details about the incident beyond initial notification
- Obtain copies of breach reports and documentation (subject to security and legal constraints)
- Ask questions and receive timely responses from our security team
7.2 Right to Remediation Support
Following a breach, we will provide:
- Account Security Review: Complimentary security audit of your account and VMs
- Enhanced Monitoring: Temporary or permanent upgrades to security monitoring at no additional cost
- Credit Monitoring: For breaches involving financial information, we may offer identity theft protection or credit monitoring services
- Technical Support: Priority access to our security team for incident-related questions and assistance
- Service Credits: Compensation in the form of account credits or refunds, determined on a case-by-case basis
7.3 Right to Terminate Service
If you wish to terminate your Quantra account following a data breach, you may do so without penalty. We will provide full refunds for any prepaid services and assist with data export and migration to another provider.
8. Breach Prevention & Security Measures
8.1 Proactive Security Controls
To minimize the risk of data breaches, Quantra implements:
- Encryption: All data in transit is protected with TLS 1.3; sensitive data at rest is encrypted with AES-256
- Zero-Trust Architecture: Every access request is authenticated, authorized, and encrypted regardless of source
- Multi-Factor Authentication (MFA): Required for all customer accounts and administrative access
- Network Segmentation: Customer VMs are isolated from each other and from management infrastructure
- Regular Patching: Automated security updates applied to all infrastructure components within 24 hours of release for critical vulnerabilities
- Access Control: Role-based access control (RBAC) with principle of least privilege for all employees and systems
- Security Training: Mandatory annual security awareness training for all employees and contractors
8.2 Physical Security
- Data centers with 24/7 armed security and biometric access controls
- Surveillance cameras covering all entry points and server areas
- Visitor logs and escort requirements for visitors and any personnel without standing access authorization
- Secure hardware disposal procedures including physical destruction of storage media
8.3 Third-Party Risk Management
- Comprehensive vendor security assessments before onboarding any service providers
- Contractual requirements for vendors to maintain equivalent security standards
- Regular audits of third-party security practices and compliance
- Data processing agreements (DPAs) with all processors handling customer data
9. Customer Security Responsibilities
While Quantra implements robust security measures to protect your data, you also play a critical role in maintaining the security of your account and VMs. We encourage customers to:
9.1 Account Security Best Practices
- Use strong, unique passwords for your Quantra account (minimum 12 characters with mixed case, numbers, and symbols)
- Enable and maintain two-factor authentication (2FA) using authenticator apps rather than SMS
- Regularly review account activity logs for unauthorized access attempts
- Never share account credentials or 2FA codes with anyone
- Use password managers to generate and store complex passwords securely
9.2 VM Security Best Practices
- Keep operating systems and software up to date with security patches
- Configure firewalls to restrict access to only necessary ports and IP addresses
- Use SSH key authentication instead of passwords for remote access
- Implement regular backups and test restoration procedures
- Monitor VM logs for suspicious activity or unauthorized access attempts
- Follow least privilege principles when granting access to collaborators
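As an added illustration of the SSH recommendation above (this script is not part of Quantra's policy or tooling), the following POSIX shell script audits an OpenSSH sshd_config for the settings that decide whether password logins are still possible: PasswordAuthentication, PubkeyAuthentication, PermitRootLogin and PermitEmptyPasswords. It assumes standard sshd_config syntax with a whitespace-separated keyword and value, where the first occurrence of a keyword wins; only the global section before any Match block is examined, and the two configuration files it checks are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not Quantra's code): audit an OpenSSH sshd_config for the
# key-only, non-root access recommended in section 9.2.
# Assumptions: "Keyword value" lines separated by whitespace; the first
# occurrence of a keyword is the effective one; Match blocks are not evaluated.

# Print the effective value of keyword $2 in config file $1, or
# "default:$3" when the keyword is not set in the global section.
sshd_effective() {
    file=$1 key=$2 default=$3
    value=$(awk -v k="$key" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }        # stop at the first Match block
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
        tolower($1) == tolower(k) { print $2; exit }        # first occurrence wins
    ' "$file")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'default:%s\n' "$default"
    fi
}

# Report each weak setting; return 0 only if all four checks pass.
# Defaults passed in are OpenSSH's compiled-in defaults.
sshd_audit() {
    file=$1 rc=0
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)
    root=$(sshd_effective "$file" PermitRootLogin prohibit-password)
    empty=$(sshd_effective "$file" PermitEmptyPasswords no)

    case "$pw" in no) ;; *) echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1 ;; esac
    case "$pk" in yes|default:yes) ;; *) echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1 ;; esac
    case "$root" in no) ;; *) echo "WARN PermitRootLogin=$root (want no)"; rc=1 ;; esac
    case "$empty" in no|default:no) ;; *) echo "FAIL PermitEmptyPasswords=$empty (want no)"; rc=1 ;; esac
    [ "$rc" -eq 0 ] && echo "OK $file: key-only, non-root SSH access"
    return "$rc"
}

# Constructed sample configs: a typical distro default that still allows
# password logins, and a hardened one (its Match block is deliberately ignored).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# password logins are still allowed: the directive below is commented out
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

sshd_audit "$WEAK_CFG" || true
sshd_audit "$HARD_CFG"
```

Run sshd_audit against /etc/ssh/sshd_config on the VM, or against the output of `sshd -T`, which prints the effective value of every keyword including compiled-in defaults. A Match block can re-enable password authentication for particular users or source addresses, so review any Match blocks by hand; this check deliberately stops at the first one.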
9.3 Reporting Security Concerns
If you discover a security vulnerability in Quantra's systems or suspect unauthorized access to your account, please report it immediately to [email protected]. We take all security reports seriously and will respond within 24 hours.
10. Post-Breach Data Retention
Following a data breach, we retain certain information for legal, regulatory, and security purposes:
- Incident Logs: Forensic evidence, security logs, and investigation documentation retained for minimum 7 years to comply with legal hold and regulatory requirements
- Communications: Customer notifications and correspondence retained per our standard retention schedule (3 years)
- Remediation Records: Documentation of security improvements and control changes implemented in response to breach (retained indefinitely)
- Regulatory Filings: Copies of breach notifications to authorities retained permanently
Customers may request deletion of their personal data even after a breach, subject to our legal obligations to retain certain records for regulatory and litigation purposes.
11. Cybersecurity Insurance & Liability
11.1 Insurance Coverage
Quantra maintains comprehensive cybersecurity insurance covering data breach response costs, regulatory fines, legal expenses, and customer notification expenses. Our coverage includes:
- First-party data breach costs (forensics, notification, credit monitoring)
- Third-party liability claims from affected customers
- Regulatory defense and penalties
- Business interruption losses from security incidents
- Cyber extortion and ransomware response
11.2 Limitation of Liability
Our liability in the event of a data breach is governed by our Terms of Service. While we take every reasonable measure to prevent breaches, customers acknowledge that no system is entirely immune to security incidents. Quantra's liability is limited to the extent permitted by applicable law, as detailed in Section 12 of our Privacy Policy.
12. Continuous Improvement & Policy Updates
12.1 Regular Security Assessments
Quantra conducts:
- Annual Penetration Testing: Independent third-party security firms simulate real-world attacks to identify vulnerabilities
- Quarterly Vulnerability Scans: Automated scanning of all internet-facing systems and internal infrastructure
- Annual Compliance Audits: SOC 2 Type II audits and ISO 27001 certification reviews
- Incident Response Drills: Tabletop exercises and simulated breach scenarios to test our response procedures
12.2 Policy Review and Updates
This Data Breach Policy is reviewed and updated:
- Annually, or more frequently if required by regulatory changes
- Following any significant security incident to incorporate lessons learned
- When new security technologies or best practices emerge
- In response to customer feedback or stakeholder requests
Material changes to this policy will be communicated via email and dashboard notification at least 30 days before taking effect.
13. Contact Information
For questions about this Data Breach Policy, to report a security incident, or to request additional information:
Security Team
Email: [email protected]
Privacy Inquiries: [email protected]
General Support: [email protected]
24/7 Security Hotline: Available to enterprise customers via support portal
For urgent security matters outside business hours, enterprise customers should use the emergency contact procedures provided in their service agreement.
By using Quantra's services, you acknowledge that you have read, understood, and agree to be bound by this Data Breach Notification & Response Policy. This policy is part of our broader commitment to security and privacy as outlined in our Privacy Policy.