Bounded Health — Breach Notification Policy

Version: v1.0  |  Effective: February 7, 2026  |  Last reviewed: February 7, 2026


Purpose

This policy describes how Bounded Health, Inc. ("Bounded Health") identifies, responds to, and communicates about security incidents that may affect customer data. Our goal is to provide timely, transparent, and actionable notifications so that customers can take appropriate steps to protect their organizations and the individuals whose data they entrust to us.

What Constitutes a Reportable Incident

Not every security event rises to the level of a breach notification. We distinguish between the following:

  • Security event. Any observable occurrence in our systems that may have security relevance — for example, a failed login attempt or an anomalous traffic pattern. Most security events are routine and do not involve customer data.
  • Security incident. A security event that results in confirmed or reasonably suspected unauthorized access to, disclosure of, or loss of customer data.
  • Reportable breach. A security incident that meets the notification thresholds established by applicable law, regulation, or the customer's contract. This is the category that triggers the notification commitments described below.

Notification Commitments

When Bounded Health confirms a reportable breach, we will:

  1. Initial acknowledgment. Notify affected customers without undue delay after confirmation. Our target is to provide initial acknowledgment within 72 hours of confirming that a reportable breach has occurred, consistent with regulatory expectations under frameworks such as GDPR and HIPAA.

  2. Ongoing updates. Provide follow-up communications as the investigation progresses, particularly when new information materially changes the scope or severity assessment.

  3. Final summary. Deliver a written summary once the investigation is substantially complete. This summary will include the information described in the "Notification Contents" section below.

Response Workflow

Our incident response process follows five phases:

  1. Detection and triage. Security monitoring systems flag the anomaly. The on-call security team assesses severity, determines whether customer data may be involved, and opens a formal incident record.

  2. Containment. Affected systems or access paths are isolated to prevent further exposure. Forensic evidence is preserved for investigation.

  3. Impact assessment. The security and legal teams determine the scope of the incident — which customers, data categories, and time windows are affected — and evaluate legal notification obligations.

  4. Notification. Affected customers are notified per the commitments above. Where required, regulatory authorities and affected individuals are also notified in accordance with applicable law.

  5. Remediation and review. Root cause analysis is completed. Corrective measures are implemented to prevent recurrence. A post-incident review is documented internally and shared with affected customers upon request.

Notification Contents

Each breach notification will include, to the extent known at the time of notification:

  • A description of the incident, including the nature of the unauthorized access or disclosure.
  • The categories of personal data involved (for example, account identifiers, health-related data, or authentication credentials).
  • The approximate time window during which the incident occurred.
  • The systems or services affected.
  • A description of the containment and remediation actions taken or planned.
  • Recommended actions that the customer or affected individuals should consider — such as credential rotation, monitoring for suspicious activity, or notifying downstream data subjects.

Contact

To report a suspected security incident or ask questions about this policy, please contact: security@boundedhealth.com

This document is part of the Bounded Health Enterprise Trust Pack.