Incident Response Policy

Last updated: May 2026. This policy describes how HuddleSpy detects and responds to security incidents and data breaches, and how it notifies affected parties.

Overview

HuddleSpy LLC ("HuddleSpy", "we", "us") is committed to protecting the security of user data. This Incident Response Policy describes how we detect and respond to security incidents and data breaches, and how we notify affected parties. This policy is maintained in compliance with Arizona's data breach notification law (A.R.S. § 18-551 et seq.).

What Constitutes a Security Incident

A security incident includes any unauthorized access, disclosure, alteration, or destruction of HuddleSpy systems or user data, including but not limited to:

  • Unauthorized access to user accounts or personal information
  • Loss or theft of systems containing user data
  • Ransomware or malicious code affecting production systems
  • Third-party service provider breaches affecting HuddleSpy user data

Detection and Internal Response

Upon detecting or being notified of a potential security incident, HuddleSpy will:

  • Immediately isolate affected systems to prevent further unauthorized access
  • Assess the scope and nature of the incident within 24 hours of detection
  • Engage relevant technical personnel and, where appropriate, external security professionals
  • Preserve logs and evidence for investigation
  • Document all response actions taken

Breach Notification — Arizona Law

Under A.R.S. § 18-551, if a breach of the security of unencrypted computerized personal information of Arizona residents is discovered, HuddleSpy will:

  • Notify affected individuals in the most expedient manner possible and without unreasonable delay, and no later than 45 days after discovery of the breach
  • Provide notification via email to the address on file for each affected user
  • Notify the Arizona Attorney General if the breach affects more than 500 Arizona residents

Notification Content

Breach notifications will include:

  • A description of the nature of the breach
  • The categories of personal information involved
  • The approximate date of the breach (if known)
  • Steps HuddleSpy has taken or is taking to address the breach
  • Steps affected individuals can take to protect themselves
  • Contact information for HuddleSpy support

Third-Party Processors

If a breach originates from a third-party data processor (including Supabase, Sentry, Inngest, or Resend), HuddleSpy will coordinate with the affected processor and notify users in accordance with this policy as soon as reasonably practicable after receiving notification from the processor.

Post-Incident Review

Following containment of any security incident, HuddleSpy will conduct a post-incident review to:

  • Identify root causes
  • Assess whether current security controls are adequate
  • Implement remediation measures
  • Update this policy if warranted

Contact

To report a suspected security vulnerability or incident, contact: contact@huddlespy.com. HuddleSpy takes all security reports seriously and will acknowledge receipt within 2 business days.