Breach Response Plan

Last Updated: 8 April 2026

1. Introduction

This Data Breach Response Plan sets out the procedures that Tapnet Solutions (Pty) Ltd (Registration No. 2023/135522/07) will follow in the event of a security compromise involving personal information. The plan is designed to ensure a swift, coordinated, and lawful response to any breach, in compliance with Section 22 of the Protection of Personal Information Act 4 of 2013 (POPIA).

This plan applies to tapnet.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd.

POPIA Section 22 requires a responsible party to notify the Information Regulator and affected data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. Tapnet is committed to transparency, accountability, and the protection of data subjects' rights. This plan ensures that any security compromise is identified, contained, assessed, and reported as required by law.

2. Definition of a Data Breach

Under POPIA, a “security compromise” means any unauthorised access to, or acquisition of, personal information held by a responsible party or an operator acting on behalf of a responsible party.

A data breach includes, but is not limited to:

  • Unauthorised access to systems or databases containing personal information
  • Theft of personal information by internal or external actors
  • Loss of data or devices containing personal information
  • Destruction or corruption of personal information
  • Alteration of personal information without authorisation
  • Unauthorised disclosure of personal information to third parties

Examples of Security Compromises

  • Database breach or SQL injection attack exposing user records
  • Stolen or compromised user credentials
  • Ransomware attack encrypting or exfiltrating personal information
  • Accidental exposure of personal data (e.g., misconfigured storage, email sent to wrong recipient)
  • Phishing attack resulting in disclosure of personal information
  • Lost or stolen devices (laptops, phones) containing personal information
  • Operator breach (breach at a third-party service provider processing data on our behalf)

3. Response Team

The breach response team is led by the Information Officer, who has decision-making authority over all aspects of the response, including notification decisions and communication with the Information Regulator.

Information Officer — Team Lead

  • Name: Wynand de Beer
  • Role: Coordinate the response, make notification decisions, communicate with the Information Regulator and affected data subjects
  • Email: wynand@tapnet.co.za
  • Phone: 079 174 8357

External support may be engaged as needed, including:

  • Legal counsel specialising in data protection and POPIA compliance
  • Forensic investigators for technical analysis of the breach

4. Six-Step Response Procedure

The following procedure is activated immediately upon discovery or report of a suspected security compromise.

Step 1: Identify & Contain

Target: within 1 hour of discovery

  • Confirm the breach has occurred or is ongoing
  • Determine scope: what data is affected, how many records, which systems are involved
  • Immediately contain: revoke compromised credentials, isolate affected systems, block unauthorised access points
  • Preserve evidence: do not delete logs, take screenshots, document the timeline of events
  • Activate the response team and notify the Information Officer

Critical: Do not attempt to “clean up” or delete any logs, files, or evidence. Preservation of evidence is essential for investigation and potential legal proceedings.

Step 2: Assess

Target: within 24 hours

  • Determine what personal information was compromised (names, emails, phone numbers, financial data, etc.)
  • Identify affected data subjects (number and categories, e.g., website users, clients)
  • Assess risk of harm: identity theft, financial loss, reputational damage, physical safety
  • Determine root cause: how did the breach occur, what vulnerability was exploited
  • Assess whether notification is required: are there reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person?
  • Document all findings in writing
Step 3: Notify Information Regulator

Target: as soon as reasonably possible

Under POPIA Section 22(1), the responsible party must notify the Information Regulator where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.

The notification must include:

  • A description of the breach and the circumstances surrounding it
  • The categories and approximate number of data subjects affected
  • A description of the measures taken or proposed to address the compromise
  • Recommendations for data subjects to mitigate potential adverse effects

Submit to: Information Regulator at enquiries@inforegulator.org.za. Use the Regulator Notification Template provided in Section 5 below.

Step 4: Notify Affected Data Subjects

Target: as soon as reasonably possible after Regulator notification

Under POPIA Section 22(3), data subjects must be notified of a security compromise. Notification must be made:

  • By email to affected data subjects, or
  • By prominent website notice if email notification is not possible

The notification must include:

  • A description of the breach
  • What personal information was compromised
  • Measures taken by Tapnet to address the breach
  • Recommendations for the data subject (e.g., change passwords, monitor accounts for suspicious activity)
  • Contact details for the Information Officer

Language: Notifications must be written in plain English, be clear and actionable, and avoid legal jargon. Use the Data Subject Notification Template provided in Section 5 below.

Step 5: Remediate

  • Fix the vulnerability that caused the breach
  • Implement additional security measures to prevent recurrence
  • Update passwords and credentials as needed across affected systems
  • Review and update security policies based on lessons learned
  • Engage a third-party security audit if warranted by the severity of the breach
Step 6: Document & Review

Target: within 30 days

  • Complete incident report: timeline, root cause analysis, impact assessment, response actions taken, lessons learned
  • Update the breach register with full details of the incident
  • Review and update: security policy, breach response plan, operator agreements
  • Conduct a post-incident review meeting with all relevant parties
  • Implement preventive measures to reduce the risk of future incidents

5. Notification Templates

5a. Information Regulator Notification Template

Use the following template when notifying the Information Regulator of a security compromise:

To: Information Regulator (enquiries@inforegulator.org.za)
From: Wynand de Beer, Information Officer, Tapnet Solutions (Pty) Ltd
Date: [Date]
Subject: Notification of Security Compromise, POPIA Section 22

Dear Information Regulator,

In terms of Section 22(1) of the Protection of Personal Information Act 4 of 2013, I hereby notify you of a security compromise affecting personal information processed by Tapnet Solutions (Pty) Ltd.

1. Description of the incident: [Description]
2. Date/time of discovery: [Date/Time]
3. Date/time breach occurred (if known): [Date/Time]
4. Categories of data subjects affected: [e.g., website users, clients]
5. Approximate number of data subjects: [Number]
6. Categories of personal information compromised: [e.g., names, email addresses, phone numbers]
7. Possible consequences of the compromise: [Description]
8. Measures taken to address the compromise: [Description]
9. Measures taken to mitigate adverse effects: [Description]
10. Whether data subjects have been notified: [Yes/No, if yes: method and date]
11. Recommendations for data subjects: [Description]

Information Officer: Wynand de Beer
Contact: wynand@tapnet.co.za | 079 174 8357
Address: 594 Bombani Street, Elarduspark, Gauteng, 0181

5b. Data Subject Notification Template

Use the following template when notifying affected data subjects:

Subject: Important: Security Incident Affecting Your Personal Information

Dear [Name/Valued User],

We are writing to inform you of a security incident that may have affected your personal information held by Tapnet Solutions (Pty) Ltd.

What happened: [Brief description]
When: [Date]
What information was affected: [List]
What we are doing: [Actions taken]
What you should do: [Recommendations, e.g., change passwords, monitor accounts]

We sincerely apologize for this incident. We are committed to protecting your personal information and have taken immediate steps to prevent recurrence.

If you have questions or concerns, contact our Information Officer:
Email: wynand@tapnet.co.za
Phone: 079 174 8357

You also have the right to lodge a complaint with the Information Regulator:
Email: enquiries@inforegulator.org.za
Website: https://inforegulator.org.za

6. Delay Conditions

Under POPIA Section 22(4), notification to data subjects may be delayed only if a law enforcement agency or the Information Regulator determines that notification will impede a criminal investigation.

  • Any delay must be formally approved by the relevant authority (law enforcement or Information Regulator)
  • Notification must proceed as soon as the restriction is lifted
  • The decision to delay and the reasons for it must be documented in the breach register

Note: Tapnet may not unilaterally decide to delay notification. A delay is only permissible where explicitly directed by a law enforcement agency or the Information Regulator.

7. Third-Party / Operator Breaches

Tapnet engages third-party operators (including Vercel, Neon, Google, and OpenAI) to process personal information on our behalf. In the event of a breach at an operator:

  • Operators are contractually required to notify Tapnet immediately upon discovering a breach affecting personal information processed on our behalf
  • Tapnet retains responsibility for notification to the Information Regulator and affected data subjects
  • Operator breaches are handled through the same six-step response procedure described in Section 4
  • Operator compliance with breach notification obligations is reviewed quarterly

Responsibility: Even where the breach occurs at an operator, Tapnet as the responsible party remains accountable for compliance with POPIA Section 22.

8. Breach Register

All security incidents and breaches are recorded in a breach register maintained by the Information Officer. The register includes the following for each incident:

  • Date and time of the incident
  • Description of the breach and systems affected
  • Categories and volume of personal information affected
  • Actions taken to contain and remediate the breach
  • Notifications made (to Regulator and data subjects, including dates and methods)
  • Lessons learned and preventive measures implemented

The breach register is available for inspection by the Information Regulator upon request.

9. Training and Awareness

Tapnet ensures that all staff are equipped to recognise and respond to security incidents:

  • All staff are made aware of breach identification indicators (e.g., unusual system activity, unauthorised access attempts, data anomalies)
  • Annual breach response drills are conducted to test the effectiveness of this plan
  • Training is updated whenever this plan is revised or after a breach incident

10. Review

This Breach Response Plan is:

  • Reviewed annually to ensure it remains current and effective
  • Reviewed after every breach incident to incorporate lessons learned
  • Tested through tabletop exercises to validate that the response procedure works in practice

Contact Details

For questions about this Breach Response Plan, or to report a suspected security incident, contact our Information Officer:

Information Officer: Wynand de Beer

  • Company: Tapnet Solutions (Pty) Ltd
  • Registration No: 2023/135522/07
  • Email: wynand@tapnet.co.za
  • Phone: 079 174 8357
  • Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa

South African Information Regulator: