INCIDENT RESPONSE & BREACH NOTIFICATION SUMMARY

Effective Date: 2026

Operated by
HOODS HUB PRIVATE LIMITED
Chennai, Tamil Nadu, India

WhitePanther™ (“WhitePanther”, “we”, “us”) maintains a structured Incident Response Framework aligned with ISO/IEC 27001 information security incident management principles.

This document provides a high-level overview of how we detect, assess, contain, investigate, and notify security incidents affecting our platform.

1. INCIDENT RESPONSE GOVERNANCE

WhitePanther maintains documented incident management procedures as part of its Information Security Management System (ISMS).

Our framework includes:

• Defined incident classification criteria
• Escalation procedures
• Assigned response responsibilities
• Communication protocols
• Evidence preservation controls
• Post-incident review processes

Incident response is coordinated by designated internal personnel with appropriate authority.

2. OBJECTIVES OF INCIDENT RESPONSE

Our incident response program is designed to:

• Detect potential security events promptly
• Protect Customer Personal Data
• Contain and mitigate threats efficiently
• Restore system integrity and availability
• Comply with regulatory obligations
• Communicate transparently where required
• Strengthen controls through continuous improvement

3. INCIDENT DETECTION & IDENTIFICATION

Potential security events may be identified through:

• System monitoring and alerting mechanisms
• Security log analysis
• Automated anomaly detection
• Internal audits or reviews
• Sub-Processor notifications
• Customer or third-party reports

WhitePanther maintains monitoring controls proportionate to system risk and data sensitivity.

4. INCIDENT CLASSIFICATION

When an event is detected, it is assessed and classified based on:

• Nature of the incident
• Systems or services affected
• Data categories involved
• Scope and scale of impact
• Risk severity
• Regulatory reporting implications

Only confirmed incidents involving unauthorized access, disclosure, alteration, or destruction of Personal Data are classified as Personal Data Breaches.

5. CONTAINMENT & MITIGATION

Upon confirmation of a security incident, WhitePanther may implement actions such as:

• Restricting or suspending access
• Revoking or rotating credentials
• Disabling affected integrations
• Isolating impacted systems
• Applying security patches or configuration fixes
• Engaging relevant Sub-Processors

Where applicable, coordination may occur with:

• Google LLC
• Razorpay Software Private Limited
• PhonePe Private Limited

Mitigation measures are proportionate to the severity of the incident.

6. INVESTIGATION & EVIDENCE HANDLING

WhitePanther conducts structured investigations that may include:

• Review of audit logs
• Forensic analysis (where necessary)
• Timeline reconstruction
• Impact and scope assessment
• Identification of root cause

Evidence is preserved in accordance with internal security procedures to support regulatory or legal requirements where applicable.

Investigations are handled confidentially and on a need-to-know basis.

7. BREACH NOTIFICATION

If a confirmed Personal Data Breach affects Customer-managed data stored within WhitePanther systems:

WhitePanther will:

• Notify the affected Customer without undue delay
• Provide available details including:
  • Nature of the breach
  • Categories of data involved
  • Known or likely consequences
  • Mitigation steps taken or proposed

Where required under applicable law (including GDPR or Indian data protection regulations), Customers remain responsible for notifying regulatory authorities and affected data subjects, unless otherwise agreed in writing.

WhitePanther will reasonably cooperate in supporting such notifications.

8. CLOUD PROVIDER & THIRD-PARTY INCIDENTS

WhitePanther integrates with third-party providers, including cloud and payment processors.

Important Clarification:

• Email content stored in Gmail remains under the Customer’s Google account.
• Files stored in Google Drive remain under Customer-controlled storage.
• Payment credentials are processed and tokenized by regulated payment processors.

If an incident originates from a third-party provider’s infrastructure:

• WhitePanther relies on official notifications from that provider.
• Relevant information will be communicated to affected Customers as appropriate.
• WhitePanther is not responsible for independent third-party infrastructure failures.

9. BUSINESS CONTINUITY & RECOVERY

WhitePanther maintains business continuity and disaster recovery practices aligned with ISO 27001 principles, including:

• Backup mechanisms for platform-managed data
• Service restoration procedures
• System resilience planning

Cloud-provider–hosted content remains subject to the respective provider’s backup and recovery mechanisms.

While safeguards are implemented, no system can guarantee absolute prevention of disruption.

10. CUSTOMER RESPONSIBILITIES

Security is a shared responsibility.

Customers are responsible for:

• Protecting account credentials
• Enabling secure authentication practices
• Managing administrator privileges
• Reviewing user permissions regularly
• Securing endpoint devices
• Configuring third-party storage permissions appropriately

Incidents resulting from compromised user credentials, misconfiguration, or endpoint compromise may not constitute a platform-level security failure.

11. POST-INCIDENT REVIEW & CONTINUOUS IMPROVEMENT

Following significant incidents, WhitePanther conducts a post-incident review to:

• Identify root causes
• Evaluate control effectiveness
• Update policies and procedures
• Strengthen monitoring mechanisms
• Improve response readiness

Security practices evolve as part of ongoing risk management and regulatory alignment.

12. REPORTING SECURITY CONCERNS

Customers and security researchers may report suspected vulnerabilities or security concerns to:

customersupport@whitepanther.email

Reports should include sufficient detail to enable investigation.

WhitePanther supports responsible disclosure practices.

13. LIMITATION & DISCLAIMER

This Incident Response Summary:

• Is provided for transparency purposes
• Reflects WhitePanther’s internal security framework
• Does not constitute a contractual security guarantee
• Does not create liability beyond that defined in the Master Terms of Service and DPA