Data Breach Notification Policy
Maus-Tec LLC, doing business as Maus-Tec Electronics
Our Commitment
Maus-Tec is committed to protecting the personal information of our customers, creators, and users. If a security incident results in unauthorized access to personal data, we will notify affected individuals promptly, honestly, and with actionable information.
This policy applies to all Maus-Tec services, including our storefront (maustec.io), Maus-Hub, Maus-Link, OTA update services, and any future services operated by Maus-Tec LLC.
1. What Constitutes a Breach
A data breach is any confirmed unauthorized access to, acquisition of, or disclosure of personal information that compromises the security, confidentiality, or integrity of that information.
Includes:
- Unauthorized access to user accounts or databases
- Exposure of personal information (names, email addresses, mailing addresses, payment information) due to a security vulnerability
- Theft or loss of devices or media containing unencrypted personal data
- Unauthorized access by a third-party service provider to data we shared with them
- Accidental public exposure of personal data (e.g., misconfigured storage, leaked backups)
Does NOT Include:
- Unsuccessful attack attempts that did not result in data access
- Authorized security testing or vulnerability research
- Access to data that was already publicly available
- Password reset requests or failed login attempts
2. Notification Timeline
2.1 Our Commitment
Maus-Tec will notify affected individuals within 72 hours of confirming a data breach, consistent with GDPR requirements and Illinois data breach notification law (815 ILCS 530/).
2.2 Timeline Breakdown
| Phase | Timeframe | Action |
|---|---|---|
| Detection | Ongoing | Automated monitoring and logging of all services |
| Confirmation | As soon as possible | Determine scope and nature of the incident |
| Containment | Immediately upon confirmation | Stop ongoing unauthorized access |
| Assessment | Within 24 hours | Determine what data was affected and who is impacted |
| Notification | Within 72 hours of confirmation | Notify affected individuals |
| Regulatory Notification | Within 72 hours | Notify relevant data protection authorities (GDPR, state AGs) |
| Follow-Up | Ongoing | Provide updates as investigation continues |
2.3 Delayed Notification
Notification may be delayed beyond 72 hours only if:
- Law enforcement requests a delay to avoid compromising a criminal investigation (with documentation of the request)
- The delay is necessary to determine the scope of the breach and identify affected individuals
If notification is delayed, we will explain the reason for the delay in the notification.
3. Who We Notify
3.1 Affected Individuals
Every person whose personal information was compromised will receive direct notification via:
- Email to the email address on file
- Platform notification (if the individual has an active account)
- Postal mail if email is unavailable or the breach involves mailing address data
3.2 Regulatory Authorities
We will notify the following authorities as required:
| Authority | When Required | Timeframe |
|---|---|---|
| EU Data Protection Authorities | If EU residents affected (GDPR Art. 33) | Within 72 hours |
| Illinois Attorney General | If Illinois residents affected (815 ILCS 530/) | Without unreasonable delay |
| Other US State AGs | Per state-specific breach notification laws | Per state requirements |
| Payment processor (Stripe) | If payment data is involved | Immediately |
3.3 Service Providers
If the breach involves data shared with or processed by third-party service providers, we will notify those providers so they can take appropriate action on their end.
4. What the Notification Will Include
Every breach notification will include, at minimum:
- What happened — A plain-language description of the incident
- When it happened — The date or date range of the breach
- What information was involved — Specific types of data that were compromised (e.g., email addresses, mailing addresses, purchase history)
- What we are doing — Steps we have taken and are taking to contain the breach and prevent recurrence
- What you can do — Actionable steps you can take to protect yourself (e.g., change passwords, monitor accounts, enable 2FA)
- How to contact us — Direct contact information for questions
We will not hide behind vague language. If we know the specific data that was compromised, we will tell you exactly what it was.
5. What We Will NOT Do
- We will not attempt to conceal or downplay a breach
- We will not delay notification beyond what is legally required
- We will not blame users for a breach caused by our systems
- We will not require users to sign waivers or release claims as a condition of receiving breach information
- We will not use a breach notification as a marketing opportunity
6. Remediation
Depending on the nature and severity of the breach, Maus-Tec will provide appropriate remediation, which may include:
- Forced password resets for affected accounts
- Session invalidation across all devices
- Credit monitoring services (if financial data is involved)
- Identity theft protection services (if government ID data is involved)
- Replacement of compromised API keys or access tokens
- Free support for affected users to secure their accounts
7. Prevention
Maus-Tec takes the following measures to prevent breaches:
- Encryption at rest and in transit for all personal data
- Access controls limiting who can access personal data to those with a business need
- Logging and monitoring of all access to systems containing personal data
- Regular security reviews of our infrastructure and applications
- Dependency monitoring for known vulnerabilities in software we use
- Minimal data collection — we collect only the data necessary to operate our services (see our Privacy Policy)
8. Incident Response Team
Maus-Tec’s incident response is led by the company’s technical leadership. For a company of our size, this means the founder and senior technical staff are directly involved in all breach assessment and response decisions.
9. Post-Incident Review
After every confirmed breach, we will:
- Conduct a root cause analysis
- Implement corrective measures to prevent recurrence
- Update our security practices and this policy as needed
- Publish a post-incident summary (with personal details redacted) within 30 days of resolution
10. Legal Requirements
This policy is designed to comply with:
- GDPR (Articles 33 and 34) — 72-hour notification to supervisory authority, notification to affected individuals without undue delay
- Illinois Personal Information Protection Act (815 ILCS 530/) — Notification to Illinois residents and the Illinois Attorney General
- California Consumer Privacy Act (CCPA/CPRA) — Notification to California residents
- Other US state breach notification laws — We monitor and comply with the notification requirements of all US states where our customers reside
Contact
To report a security vulnerability or suspected breach:
Email: info@maus-tec.com
Subject line: Security Incident Report
We take all reports seriously and will acknowledge receipt within 24 hours.