Security Policy

Breach Notification Policy

Last updated: March 2026 5000fish, Inc.

This policy describes how 5000fish, Inc. detects, assesses, and responds to personal data breaches affecting DashboardFox, and how we notify customers and regulators where required. It applies to our cloud-hosted service and reflects our obligations under GDPR (EU and UK), CCPA, HIPAA (where a Business Associate Agreement is in place), and other applicable laws.

What Constitutes a Breach

A personal data breach is any confirmed security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that we process or store on behalf of our customers.

Not every security incident constitutes a reportable breach. We assess each incident against the following criteria before determining notification obligations:

  • Whether personal data was actually accessed or exfiltrated, or only potentially exposed
  • The nature and sensitivity of the data involved
  • The number of individuals likely affected
  • The likely consequences for affected individuals
  • Whether the data was encrypted at the time of the incident

Our Response Process

Upon detecting or being notified of a potential security incident, we follow a structured response process:

  • Detection and triage — Confirm whether the incident involves personal data and assess the scope and severity.
  • Containment — Take immediate steps to stop ongoing exposure and prevent further access.
  • Investigation — Determine what data was affected, how access occurred, and which customers and individuals are impacted.
  • Notification — Notify affected customers and, where required, regulators within the timeframes described below.
  • Remediation — Implement fixes, update controls, and document the incident and our response.

Notification Timelines

Our notification commitments by regulatory framework:

EU GDPR — Supervisory Authority
Within 72 hours of confirmed breach
UK GDPR — ICO
Within 72 hours of confirmed breach
Affected customers
Without undue delay — target 72 hours
HIPAA — Affected parties
Within 60 days of discovery
HIPAA — HHS notification
Within 60 days of discovery
US state laws (CCPA / other)
As required by applicable state law
The 72-hour clock starts from the point at which we have reasonable certainty that a breach has occurred — not from initial detection of a suspicious event. We will not delay notification to complete a full investigation where we have confirmed personal data was involved.

What We Will Tell You

When notifying affected customers of a confirmed breach, we will provide — to the extent known at the time of notification — the following information:

  • A description of the nature of the breach
  • The categories and approximate volume of personal data and individuals affected
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • The measures we have taken or propose to take to address the breach, including steps to mitigate its effects
  • Recommended steps you should take to protect your users and comply with your own notification obligations

Where all information is not yet available at the time of initial notification, we will provide it in phases as the investigation progresses.

Your Notification Obligations

DashboardFox operates as a data processor on your behalf. Where you are a data controller, you may have independent obligations to notify your own users or regulators following a breach. Our notification to you is intended to give you the information you need to fulfil those obligations within your own required timeframes.

If you have entered into a Business Associate Agreement (BAA) with us for HIPAA-covered data, our HIPAA breach notification obligations are governed by that agreement and applicable law.

Data Architecture and Breach Scope

DashboardFox's architecture significantly limits the scope of any potential breach. Each customer workspace runs in its own dedicated, isolated database — a breach affecting one customer's environment does not expose any other customer's data. We never store raw payment card data. Live database connections are never cached or retained.

Where a breach is limited to a single customer's isolated environment, our notification will be targeted to that customer only.

Reporting a Suspected Breach to Us

If you discover or suspect a security incident affecting your DashboardFox instance, please contact us immediately:

  • Email team@dashboardfox.com with subject line [Security]
  • Include as much detail as possible — what you observed, when, and any affected URLs or accounts

For responsible disclosure of vulnerabilities in our systems, see our Vulnerability Disclosure Policy.

Sub-Processor Breaches

Where a breach originates at a sub-processor (a third-party service we use to deliver DashboardFox), we will notify you as soon as we are notified by that sub-processor and have confirmed the impact to your data. Our current list of sub-processors is published at dashboardfox.com/legal/subprocessors/.

To report a suspected breach or security incident:

team@dashboardfox.com — use subject line [Security]
Early Access — 90 Days Free

Built lean. Priced fairly. Supported by humans.

Full access to all features. No credit card required.

Start Free Trial Have questions? Let's talk

Prefer no subscriptions & full control? Self-hosted from $4,995 one-time →

We'll notify you before Early Access ends

25+ years building BI tools Support from the team that builds it Available in US & EU regions
DashboardFox mascot