Personal Data Breach Response Procedure
Last updated: February 18, 2026
This procedure defines how PlayKorte handles potential or confirmed personal data breaches under Republic Act No. 10173 (Data Privacy Act of 2012) and NPC Circular 16-03.
1. Scope and Objective
- Apply this procedure to all PlayKorte systems that process personal data (web app, dashboard, API, database, storage, and integrations).
- Contain and remediate incidents quickly.
- Meet legal notification deadlines for notifiable personal data breaches.
- Preserve incident evidence for legal, technical, and regulatory review.
2. Breach Intake and Classification
Trigger this runbook immediately when any of the following occurs:
- Unauthorized access to personal data.
- Accidental disclosure, deletion, or corruption of personal data.
- Loss or compromise of credentials, tokens, backups, or storage objects containing personal data.
- Third-party processor notice that PlayKorte data may have been exposed.
Initial severity:
- Critical: Active exposure of sensitive personal data, broad account compromise, or ongoing unauthorized access.
- High: Confirmed exposure with contained access.
- Medium: Limited exposure risk with no current evidence of misuse.
- Low: Security event with no confirmed personal data impact.
3. Roles and Ownership
- Incident Commander: Engineering lead on call. Owns technical triage, containment, and timeline tracking.
- Data Protection Contact: support@playkorte.com (until a dedicated DPO is appointed). Owns regulatory assessment and notification approvals.
- Communications Owner: Support lead. Owns affected-user notices and support scripts.
- Recorder: Assigned engineer. Maintains an incident log with timestamps, decisions, and evidence links.
No step in this procedure should wait for perfect certainty if delay risks missing the seventy-two (72) hour deadline.
4. Timeline Requirements
Treat T0 as the time PlayKorte becomes aware of facts indicating a possible personal data breach.
- T0 to T+4 hours
  - Open incident channel and assign roles.
  - Start incident log with UTC and PHT timestamps.
  - Contain active access (credential rotation, key revocation, session invalidation, access blocks).
- T+4 to T+24 hours
  - Confirm data categories and estimated number of affected records.
  - Assess likely risk of harm to data subjects.
  - Decide if breach is notifiable under RA 10173 and NPC guidance.
- T+24 to T+48 hours
  - Draft NPC notification and affected-user notice.
  - Prepare remediation plan and support FAQs.
- T+48 to T+72 hours
  - Submit notification to NPC if the breach is notifiable.
  - Send affected-user notices for notifiable breaches.
  - Record proof of submission and message delivery.
If complete details are not yet available by T+72, file the initial notice with known facts, then submit follow-up updates as new facts are confirmed.
5. Required Notification Content
For notifiable breaches, include at least:
- Description of incident nature and date/time discovered.
- Categories of personal data involved.
- Estimated number of affected data subjects and records.
- Likely consequences and risk level.
- Containment and mitigation actions already taken.
- Recommended protective steps for affected data subjects.
- Contact channel for support and questions.
Primary contacts:
- NPC: info@privacy.gov.ph and official NPC breach notification channels.
- Affected users: Email to the address on file, plus in-platform notice when available.
6. Technical Response Checklist
- Disable compromised credentials, rotate keys, and revoke active sessions.
- Isolate affected services, endpoints, or storage paths.
- Preserve logs and evidence snapshots before destructive cleanup.
- Verify integrity of booking and payment records after containment.
- Patch root cause and deploy fix with change record.
- Increase monitoring and alert sensitivity for related indicators.
7. Post-Incident Activities
Within 5 business days after containment:
- Complete root cause analysis and corrective actions.
- Document lessons learned and control improvements.
- Update this procedure if timeline gaps or ownership gaps were discovered.
- Confirm closure with engineering and support leads.
Retain incident records, notification artifacts, and evidence inventory according to applicable legal retention requirements.