Last updated: August 27, 2025

Squid Academy is committed to maintaining strong technical and organizational measures (TOMs) to protect the personal data we process, and to responding promptly and effectively to any security incidents. This page summarizes the measures outlined in Annex II and Annex V of our Data Processing Addendum in plain language.

1. Technical & Organizational Measures (TOMs)

We use a layered security approach designed to protect data confidentiality, integrity, and availability.

Governance & Access Control

  • Role-based access control (RBAC) and least-privilege principles.
  • Multi-factor authentication (MFA) required for all admin and privileged accounts.
  • Unique credentials for each authorized user; password complexity enforced.
  • Regular access reviews and removal of dormant accounts.

Encryption

  • TLS 1.2+ for all data in transit.
  • AES-256 or equivalent for all data at rest.
  • Encryption key management and regular rotation.

Application Security

  • Secure software development lifecycle (SSDLC) with code reviews and automated scanning.
  • Regular penetration tests and vulnerability assessments.
  • Change management with staging, testing, and rollback procedures.

Network & Infrastructure

  • Segmented networks for production, staging, and development environments.
  • Web application firewall (WAF) and intrusion detection/prevention systems (IDS/IPS).
  • DDoS mitigation in place.

Monitoring & Logging

  • Centralized logging with anomaly detection alerts.
  • Audit logs for administrative actions and exports.
  • Retention of logs for security investigations.

Business Continuity & Disaster Recovery

  • Daily encrypted backups with offsite storage.
  • Disaster recovery plans tested at least annually.
  • Recovery point objective (RPO) and recovery time objective (RTO) defined.

Third-party Risk Management

  • Due diligence on vendors and sub-processors.
  • Binding contractual obligations for data protection and security.

2. Incident Response

We have a defined process for detecting, reporting, and responding to security incidents.

Incident Triggers

  • Detection of unauthorized access, disclosure, loss, alteration, or destruction of personal data.
  • Alerts from security monitoring systems.
  • Reports from employees, customers, or third parties.

Initial Response

  • Immediate containment and isolation of affected systems.
  • Rotation of credentials and revocation of compromised access.
  • Preservation of evidence for investigation.

Notification to Controllers

  • We will notify the affected customer (data controller) without undue delay after becoming aware of a personal data breach.
  • Where GDPR applies, our target is to notify within 72 hours of becoming aware of the breach.
  • Initial notice includes:
    • Nature of the incident.
    • Categories and approximate number of data subjects affected.
    • Categories and approximate number of records affected.
    • Likely consequences.
    • Measures taken or proposed to address the incident.

Investigation & Remediation

  • Root cause analysis (RCA).
  • Corrective actions to prevent recurrence.
  • Security posture review and update.

Post-incident Review

  • Lessons learned session with relevant teams.
  • Update to security controls and policies.
  • Customer communication with the final report where applicable.

3. Contact

If you believe your data has been impacted by a security incident involving Squid Academy, contact: [email protected]