
Breach Notification Policy

Procedures for detecting, reporting, and responding to data breaches under HIPAA, PIPEDA, and state laws.

RecordIQ Enterprise Edition • Last updated: March 31, 2026

PIPEDA: Notification to the Office of the Privacy Commissioner of Canada as soon as feasible, if a risk assessment determines that a real risk of significant harm (RROSH) exists. RecordIQ conducts a RROSH assessment for each incident, considering the sensitivity of the information involved, the probability of misuse, and any measures that reduce the risk of harm. Records of the breach are maintained for twenty-four (24) months per SOR/2018-64.

HIPAA documentation retention: six (6) years per 45 CFR 164.530(j).

Quebec Law 25: Notification to the Commission d’accès à l’information du Québec (CAI) where a risk assessment determines the breach creates a risk of serious injury. RecordIQ conducts this assessment in accordance with CAI guidance.

This document outlines RecordIQ Software LLC's breach notification policy and procedures. The template below describes how we would communicate with affected parties in the event of a security incident.

1. Incident Overview (Template)

In the event of a security incident, RecordIQ will identify and contain the breach, then notify affected parties as follows. The example below illustrates a hypothetical scenario involving unauthorized access to license administration data.

Important: At no point was any patient health information (PHI) or medical records accessed, as RecordIQ is an offline, locally-operated application. No PHI is ever transmitted to, stored on, or processed by RecordIQ servers.

2. Information Potentially Affected

Customer name

Customer email address

No other personal, financial, or health information was exposed.

3. Actions Taken

Containment initiated immediately upon discovery

Internal investigation and risk assessment initiated immediately

Notification to relevant regulatory authorities as soon as feasible per PIPEDA (s. 10.1); notification to Covered Entity customers within sixty (60) calendar days per HIPAA 45 CFR 164.410 (Business Associate obligation)

Remediation measures implemented, including enhanced access controls, encryption monitoring, and security audit

Documentation maintained for regulatory review, as required by HIPAA, PIPEDA, and Quebec Law 25

4. Recommended Customer Actions

To mitigate any potential risk, we recommend you:

Monitor your email accounts for suspicious activity

Immediately report any unusual activity associated with your RecordIQ account to support@recordiq.app

Follow standard security practices, including updating passwords and enabling multi-factor authentication if applicable

5. Legal and Regulatory Compliance

HIPAA: Notification to Covered Entity customers within sixty (60) calendar days per 45 CFR 164.410 (Business Associate notification obligation). Covered Entity customers are responsible for individual and HHS notification under 45 CFR 164.404 and 164.408.

Note: HIPAA breach notification obligations under 45 CFR Part 164 Subpart D apply only to breaches of unsecured Protected Health Information (PHI). This incident involved license administration data (name and email) only. No PHI was involved. HIPAA breach notification is referenced as a precautionary framework; the primary applicable notification obligations for this type of incident are under PIPEDA, Quebec Law 25, and applicable state breach notification laws.

CCPA/CPRA: Where applicable, notification to affected California residents and to the California Attorney General if more than 500 California residents are affected, as required by Cal. Civ. Code § 1798.82. Note: CCPA breach notification applies to breaches involving name combined with SSN, driver’s license, financial account, medical information, or health insurance information. Name and email alone may not trigger CCPA notification obligations.

Other applicable state and provincial breach notification laws are complied with as required. RecordIQ maintains awareness of breach notification requirements in all jurisdictions where its customers operate.

6. Customer Responsibility and Limitation of Liability

RecordIQ operates offline, locally on your workstation. As such, customers are responsible for the security of locally stored data, including PHI, medical records, and other sensitive files.

RecordIQ’s responsibility is limited to license data stored in our systems. Limitation of liability and indemnification are governed by the applicable End User License Agreement and Business Associate Agreement. RecordIQ does not accept liability for data stored locally on your workstations or for incidents outside our systems.

7. Contact Information

For questions, concerns, or assistance:

Email: support@recordiq.app
Phone: 1-877-217-4501
Mailing Address: 30 N Gould St Ste N, Sheridan, WY 82801 US

RecordIQ is committed to transparency, legal compliance, and the protection of your information. While no PHI or medical records were exposed, we are taking all necessary steps to ensure the security of our systems and to keep you informed.

Sincerely,
The RecordIQ Security Team
RecordIQ Software LLC

For questions about this document, contact support@recordiq.app.

RecordIQ Software LLC · 30 N Gould St, Ste N, Sheridan, WY 82801 · D-U-N-S: 14-453-0140

Customer support: support@recordiq.app · 1-877-217-4501 · Backup: 720-464-2163

Business inquiries: sales@recordiq.app


© 2026 RecordIQ Software LLC. Registered in Wyoming, USA. Built for US and Canadian law firms handling medical records.

This software assists record management and case preparation but does not constitute legal or medical advice. Outputs designed for professional review and validation. HIPAA compliance depends on proper configuration and use by each customer — we do not guarantee compliance. BAA available upon request.