Incident & Breach Notification Policy
version 2026-06-24 · effective 2026-06-24
This page is maintained by Acorn & Orbit (a product of ECHO Technologies). It is written to be accurate and conservative but is not legal advice. For your specific situation please consult a qualified attorney.
What counts as a security compromise
A security compromise is unauthorised access to, loss of, alteration of, or disclosure of personal information processed by Acorn & Orbit (A&O). POPIA s22 calls this a "security compromise"; GDPR calls it a "personal data breach".
What we do
- Contain the incident and stop the cause.
- Investigate scope: what data, whose data, how many records.
- Notify the affected School ("Responsible Party") without undue delay, with a target of within 72 hours of confirming the compromise.
- Provide a written report covering the nature of the compromise, the categories and approximate number of data subjects, the likely consequences, the measures taken, and a contact for further information.
- Support the School in any regulator notification (Information Regulator / ICO / DPA) and, where applicable, data-subject notification.
- Conduct a post-incident review and apply remediations.
Direct data-subject notification
Where A&O is the Responsible Party (e.g. for our own platform accounts), we will notify affected data subjects in a manner reasonably calculated to reach them, by email and/or in-app banner.
Contact
Security reports: security@investechotech.com.
Questions? Email legal@investechotech.com.