SmartAlex Incident Response and Data Breach Notification Notice
1. Purpose and scope
This Incident Response and Data Breach Notification Notice (this "Notice") is issued by THERCSGROUP PTE. LTD., trading as SmartAlex ("SmartAlex", "we", "us", "our"), the operator of the SmartAlex platform, websites, applications, and APIs (the "Services").
This Notice describes, at a high level, how we detect, respond to, and notify customers about security incidents and personal-data breaches affecting the Services. It is a customer-facing statement of our process and our notification commitments. It is not itself the operational runbook: the detailed, step-by-step incident procedures are maintained internally and summarised in section 14 of our Trust and Security Overview.
This Notice should be read together with the documents referenced in section 10. Where a specific contract, the Data Processing Addendum, or the Service Level Agreement sets out different or more specific terms for a given customer, those documents govern to the extent of any conflict.
2. Definitions
In this Notice:
- A "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data processed in connection with the Services.
- A "Personal Data Breach" means a Security Incident that affects personal data (also referred to as personal information under some laws).
- "Operator" and "processor" mean a party that processes personal data on behalf of, and on the instructions of, another party; "controller" and "responsible party" mean the party that determines the purposes and means of that processing. These terms take the meaning given to them in the applicable data-protection law and in the Data Processing Addendum.
Not every event that triggers an alert is a Security Incident, and not every Security Incident is a Personal Data Breach. Classification is part of the process described in section 3.
3. Our incident-response process
We maintain a documented incident-response process. In summary, and subject to the facts of each case, it follows these stages:
- Detection and reporting. Potential incidents are identified through our monitoring (see section 4) or reported by our team, customers, or third parties, and are logged and routed to the responsible personnel.
- Triage and severity classification. We assess the report and assign a severity level (for example, P1 to P4) based on the likely impact and scope, which drives the response timeline and the people engaged.
- Containment. We take steps intended to limit the scope and impact of the incident, which may include isolating affected components, revoking credentials, or restricting access.
- Investigation and eradication. We work to establish what happened, what data and systems were affected, and to remove the underlying cause.
- Recovery. We restore affected systems and data to normal operation and confirm that the Services are functioning as expected.
- Post-incident review. For significant incidents we conduct a review focused on systemic and root cause and on preventing recurrence, not on assigning individual blame.
The internal runbook that governs these stages in detail is summarised in section 14 of the Trust and Security Overview.
4. Detection and monitoring
We monitor the Services and log relevant events to help us detect anomalies and potential incidents. This may include application, infrastructure, and access logging, alerting, and review. The specific tooling we use is provided by third parties described in general terms in our Subprocessor List; we do not name individual monitoring vendors in this Notice. Further detail on our security controls is set out in the Trust and Security Overview.
5. Notifying customers
Where we become aware of a Personal Data Breach affecting a customer's personal data that we process as operator or processor on that customer's behalf, we will notify the affected customer without undue delay and in line with the timelines set out in the Data Processing Addendum (for example, the seventy-two hour timeframe reflected there).
Our notification is intended to give the customer the information it reasonably needs to meet its own obligations, and will include, to the extent then known and permitted by law:
- a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects and records concerned;
- the likely consequences of the Personal Data Breach;
- the measures we have taken or propose to take to address it and to mitigate its possible adverse effects; and
- a contact point from whom further information can be obtained.
Where all relevant information is not available at once, we may provide it in phases as the investigation progresses. Notifications are directed to the contact details the customer has provided (see section 8), so keeping those current is important.
6. Regulator and data-subject notification
Where we act as operator or processor, the customer is generally the controller or responsible party for the affected personal data. In that role the customer is ordinarily responsible for determining whether, when, and how to notify supervisory authorities or regulators (for example under Article 33 of the GDPR, or under the Protection of Personal Information Act (POPIA), or other applicable law) and for notifying affected individuals. We will provide reasonable assistance and information to help the customer meet those obligations.
Where SmartAlex is itself the controller or responsible party for personal data (for example, data about our own account holders, personnel, or website visitors as described in our Privacy Policy), SmartAlex is responsible for making any notifications required of a controller under applicable law.
7. Availability incidents
Incidents that affect the availability or performance of the Services, rather than the security or confidentiality of data, are handled under our Service Level Agreement. For those incidents we communicate through our status page and, where appropriate, directly to affected customers, and we manage service credits and related remedies in accordance with the Service Level Agreement. An event can qualify as both an availability incident and a Security Incident, in which case it is handled under both this Notice and the Service Level Agreement.
8. Customer responsibilities
Effective incident response is a shared effort. Customers are responsible for:
- keeping their account, security, and notification contact details current so that we can reach the right people quickly;
- promptly reporting any suspected or actual Security Incident, vulnerability, or unauthorised access to security@getsmartalex.com; and
- securing their own credentials, integrations, and configurations, including access management for their users and any keys or tokens they hold.
9. No admission
Investigating, responding to, containing, or notifying in relation to an incident, and the content of any such notification, is not and shall not be construed as an admission of fault, wrongdoing, negligence, or liability by SmartAlex, or as an acknowledgement that any particular legal obligation has been triggered. We act in these matters to protect customers and their data and to meet our commitments.
10. Relationship to other documents
This Notice forms part of the SmartAlex legal framework and should be read together with:
- the Trust and Security Overview, which describes our security programme and contains the incident runbook summary at section 14;
- the Data Processing Addendum, which sets out the binding breach-notification timelines and the parties' data-protection roles and obligations;
- the Service Level Agreement, which governs availability incidents, uptime commitments, and service credits;
- the Privacy Policy, which explains how SmartAlex handles personal data for which it is the controller; and
- the Subprocessor List, which identifies the categories of third parties involved in providing the Services.
In the event of a conflict, a signed agreement with the customer and the Data Processing Addendum take precedence over this Notice with respect to their subject matter.
11. Updates and contact
We may update this Notice from time to time to reflect changes in our process, our Services, or applicable law. The version and effective date below indicate the current version.
To report a security incident or suspected vulnerability, contact security@getsmartalex.com. For questions about how we handle personal data, contact privacy@getsmartalex.com. For legal questions about this Notice, contact legal@getsmartalex.com.
This Notice is issued by THERCSGROUP PTE. LTD. (UEN 202543608D), 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, and is governed by the laws of the Republic of Singapore.
12. Version and effective date
This Incident Response and Data Breach Notification Notice is version 1.0 and is effective from 8 July 2026.