Security Incident Response & Notification
Last Updated: May 29, 2026
This page describes IntentFlo's general approach to responding to Security Incidents affecting
Customer Data. It is for informational purposes only and does not modify the
Terms of Service or Data Processing Addendum (DPA).
Where there is a conflict between this page and the DPA, the DPA controls.
Section 1 — Reporting a Security Concern
To report a suspected security vulnerability or Security Incident involving the IntentFlo
Services, email: info@intentflo.com
Please include, where available:
- Affected account or customer identifier
- Approximate timeframe the issue was observed
- Description of the suspected vulnerability or incident
- Any supporting evidence or steps to reproduce (for vulnerability reports)
IntentFlo will acknowledge receipt and investigate promptly.
Section 2 — Definition of "Security Incident"
A "Security Incident" generally means a confirmed breach
of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to Customer Data processed by IntentFlo in connection with the Services.
The following are generally not considered Security Incidents
under IntentFlo's DPA, though IntentFlo may still provide reasonable cooperation:
- Incidents caused solely by Customer's own systems, user credentials, or internal controls
- Unauthorized activity within Customer's connected advertising platform accounts (e.g., Meta,
Google, TikTok) that is outside IntentFlo's control
- Incidents involving third-party platforms that receive data at Customer's direction under
their own terms and policies
Section 3 — Response Process
When IntentFlo becomes aware of a suspected Security Incident, it generally follows this process:
1. Triage & Containment: Assess severity, classify the incident, and take immediate steps to contain risk, including revoking credentials, restricting access, or applying mitigations as appropriate.
2. Investigation: Determine the scope, affected systems and data, and the likely root cause of the incident.
3. Remediation: Implement corrective measures to resolve the issue and reduce the risk of recurrence.
4. Documentation: Record incident details, timeline, and actions taken, consistent with operational and legal requirements.
5. Post-Incident Review: Review the incident for systemic improvements to controls or processes where applicable.
Section 4 — Customer Notification
If a confirmed Security Incident involves Customer Data processed by IntentFlo, IntentFlo
will notify affected Customer(s) without undue delay after confirmation, consistent with the
DPA and applicable law.
Notification will include, to the extent reasonably available at the time of notice:
- A description of the nature of the incident
- The categories and approximate volume of data involved
- The likely consequences of the incident
- Steps taken or planned to mitigate and remediate the incident
- Recommended actions Customer can take to protect itself or its data subjects, if applicable
Where information is not yet available at the time of initial notice, IntentFlo will provide
updates as the investigation progresses.
Section 5 — Law Enforcement and Legal Constraints
IntentFlo may delay or limit the content of a customer notification if required by applicable
law, court order, or the direction of a law enforcement or regulatory authority. In such cases,
IntentFlo will use commercially reasonable efforts to provide notice consistent with legal
constraints and will notify Customer as soon as the legal restriction is lifted, to the extent
permitted.
Section 6 — Customer Responsibilities
Customers are responsible for:
- Maintaining secure credentials and access controls for all users of their IntentFlo account
- Ensuring secure configuration of connected third-party systems and advertising platforms
- Promptly notifying IntentFlo at info@intentflo.com of any suspected unauthorized access
involving Customer accounts, credentials, or integrations
- Complying with applicable law regarding notification of data subjects or regulators
in connection with Customer's own data processing activities