Effective Date: October 27, 2025
Introduction: Mathfit Education Private Limited (“Mathfit” or “Company”), the owner of Xplainity, maintains a robust Security Incident Response Policy to protect the integrity, availability, and confidentiality of the Xplainity platform and its users’ data. This Policy outlines how we detect, respond to, and communicate about security incidents, including data breaches or service compromises, in compliance with applicable laws (such as the EU General Data Protection Regulation (GDPR), India’s Digital Personal Data Protection Act (DPDP) 2023, and relevant education privacy laws like FERPA, where applicable). Our goal is to respond swiftly and effectively to any security incidents to minimize impact and ensure transparency with users and stakeholders.
Scope and Definitions
- Scope: This Policy applies to all security incidents that may affect the Xplainity platform or any systems operated by Mathfit or our subprocessors on behalf of Xplainity. It covers incidents involving personal data, assessment content, user accounts, and platform infrastructure.
- Security Incident: A security incident is any event that compromises or poses a significant risk to the confidentiality, integrity, or availability of our systems or data. Examples include (but are not limited to) unauthorized access to user data, detection of malware in our systems, database breaches, DDoS attacks causing service outage, or any situation where data is altered or lost without authorization.
- Personal Data Breach: A particular type of security incident that involves personal information being accessed, disclosed, or lost in an unauthorized way. (For instance, if a database containing user registration details or assessment recordings is accessed by an unauthorized party.)
Incident Detection and Monitoring
- Preventive Measures: Xplainity’s infrastructure is built with security in mind. We employ firewalls, encryption (for data at rest and in transit), access controls, and continuous monitoring to prevent incidents. Regular security assessments, vulnerability scans, and penetration tests are conducted to identify and fix potential weaknesses.
- Monitoring: We have systems and tools in place to monitor network traffic, user account activity, and system logs for unusual patterns or signs of compromise. Our team (or automated systems) receives alerts for events like repeated failed login attempts, suspicious account behavior, or anomalies in server performance that could indicate a security issue.
- Detection by Users or Third Parties: In addition to our internal monitoring, we encourage users, security researchers, or partners to report any suspected vulnerabilities or incidents. If you discover a potential security flaw or have security concerns, you should notify us immediately at kshitij.jain@xplainity.com (see Reporting section below). We treat external reports with high priority.
Response Team and Initial Assessment
- Incident Response Team: Mathfit has designated personnel responsible for managing security incidents. This may include our technical team leads, security officers, and relevant executives. In case of a serious incident, a response team is convened that will include engineers and management to assess and address the situation.
- Initial Assessment: When an incident alert is received or a report is made, we will promptly investigate to confirm whether a security incident has occurred. This includes identifying the nature of the incident (e.g., data breach, service outage, malware infection), the systems or data impacted, and the extent (how many users or records might be affected).
- Containment: If an incident is confirmed, our first priority is to contain it. We may isolate affected systems, revoke or reset compromised credentials (for example, forcing password resets if an account database may have been exposed), and apply temporary measures to prevent further unauthorized activity while we diagnose the problem.
Investigation and Remediation
- Root Cause Analysis: The response team will investigate to determine the root cause of the incident. This may involve analyzing logs, memory dumps, audit trails, and any forensic evidence. We attempt to determine exactly what happened, how it happened, and what vulnerabilities or processes need to be fixed to prevent a recurrence.
- Fixing the Issue: Once the cause is identified, we work on remediation. This could include applying security patches, changing configurations, restoring backups, removing malware, or any necessary development changes. Our aim is to restore the platform to secure, normal operation as quickly as possible, while ensuring the issue is properly resolved.
- Verification: After remediation, we verify that the vulnerability or weakness has been eliminated and that systems are secure. We may run additional tests or monitoring to ensure the incident has been fully contained and eradicated. If data was compromised, we also verify the integrity of remaining data and restore from secure backups as needed to correct any corruption.
Communication and Notification
- User Notification: If a security incident results in a confirmed personal data breach or otherwise compromises user information or the privacy of user communications, Mathfit will notify affected users promptly, in accordance with legal requirements. Notification will typically occur via email to the address on record and/or via in-platform alerts. We will provide users with information about what happened, what data might be affected, what we are doing in response, and any steps users should take to protect themselves (such as changing passwords, watching for suspicious activity, etc.).
- Regulatory Notification: Mathfit will fulfill any legal obligations to report security incidents to authorities. For example:
  - Under GDPR, if a personal data breach is likely to result in a risk to individuals’ rights, we will notify the relevant supervisory authority (Data Protection Authority) within 72 hours of becoming aware of the breach. Affected individuals will also be notified without undue delay if required by Article 34 of GDPR.
  - Under India’s Digital Personal Data Protection Act (DPDP) 2023, we will inform the Data Protection Board of India and each affected Data Principal of a personal data breach in accordance with the prescribed timelines (currently expected to be as soon as possible and no later than 72 hours of awareness, subject to any specific Rules in force).
  - For users or institutions subject to FERPA (a U.S. law protecting student educational records), if an incident involves unauthorized disclosure of student education records, we will coordinate with the educational institution to ensure appropriate notifications are made in line with FERPA’s requirements. Typically, the institution (as the data controller for education records) may handle direct notification to students or parents, with our full cooperation.
  - We will also comply with any other applicable state or national breach notification laws (for instance, laws requiring notice to individuals in certain U.S. states, or reporting to sectoral regulators). In India, we will also adhere to any directions from CERT-In (Indian Computer Emergency Response Team) regarding the reporting and handling of certain cybersecurity incidents, as applicable.
- Public Communication: If a breach or incident is of significant scope or public interest, Mathfit may choose to issue a public notice or statement on our website or through press releases. This transparency can help inform all stakeholders and clarify any misinformation. However, we will only disclose specifics that do not further compromise security or violate privacy.
- Ongoing Updates: After initial notification, we may provide follow-up communications to users or regulators as more information becomes available during our investigation. Users will be informed of important developments, and when the issue is fully resolved.
Subprocessor and Third-Party Incidents
- Use of Subprocessors: Xplainity relies on certain trusted subprocessors and third-party service providers to deliver our service (for example, Heroku for hosting, LiveKit for video, Google for certain AI services, etc.). We require these subprocessors to maintain strong security practices and to notify us in the event they experience a security incident that could affect our users or data.
- Third-Party Incident Response: If a security incident originates from or involves one of our subprocessors (for instance, if our cloud hosting provider has a breach that affects Xplainity data), our policy is to work closely with that provider to ensure the incident is addressed. We will treat such an incident with the same level of urgency and care as if it occurred in our own systems. Affected users will be notified in the same manner, and any jointly needed notifications to authorities will be handled in coordination with the subprocessor.
- Contracts and Compliance: Our Data Processing Addendum (DPA) and contracts with subprocessors include commitments that subprocessors will assist us in meeting our breach notification and response obligations. We flow down security requirements to them and assess their security measures regularly. Ultimately, however, Mathfit remains accountable to users for protecting personal data, even when it’s processed by a subprocessor on our behalf.
Post-Incident Actions
- Documentation: Every security incident is documented in an incident report. This report includes the timeline of events, impact analysis, root cause, actions taken to contain and fix, and lessons learned. We maintain these records as required by law (for example, GDPR requires breach documentation) and for internal improvement.
- Review and Improvement: After resolving an incident, our team conducts a post-mortem analysis. We identify what went well and what could have been handled better. The Security Incident Response Policy and our security practices are then updated if necessary. For instance, if a new threat vector was discovered, we might implement additional controls or training to guard against it in the future. Our goal is continuous improvement of our security posture.
- User Support: Following an incident, we provide support to affected users. This might include offering credit monitoring services if sensitive personal data (like identification information) was exposed, or providing dedicated support channels to answer user questions about the incident. We strive to be responsive and helpful to rebuild user trust.
Reporting a Security Issue
We value the assistance of our community in keeping Xplainity secure. If you believe you have found a vulnerability or security flaw in Xplainity, or if you suspect an incident (such as unauthorized access to your account), please do the following:
- Contact Us Immediately: Send an email to kshitij.jain@xplainity.com describing the nature of the security issue. Please include as much detail as possible, such as steps to reproduce the problem, any relevant screenshots or logs, and the impact you believe it has.
- Responsible Disclosure: We kindly ask that you do not publicly disclose the issue until we have had a reasonable chance to address it. Mathfit is open to working with security researchers and will acknowledge your contribution if you identify a significant vulnerability (we can credit you in our release notes or on a thank-you page, with your permission).
- No Retaliation: Reporting security issues in good faith is encouraged and appreciated. We will not pursue legal action against individuals who discover and report vulnerabilities responsibly, and who do not exploit them beyond what is necessary to test their existence.
Limitation of Liability
While Mathfit is committed to strong security practices and timely incident response, it is important to understand that no digital platform is entirely immune to risks. By using Xplainity, users acknowledge that despite the safeguards in place, security incidents may still occur. Mathfit will do its utmost to prevent and address incidents, but (as outlined in our Terms of Use) we disclaim liability for any indirect damages or losses that may result from security breaches, to the maximum extent permitted by law. We maintain appropriate insurance and will act in good faith to compensate users as required by law in the event of incidents caused by our negligence.
Updates to this Policy: This Security Incident Response Policy may be revised as our security practices evolve or as laws change. The effective date will be updated accordingly. We encourage users and customers to review this Policy periodically. In case of major changes, we may also notify users through email or platform notifications.
For any questions about this Policy or our security measures, please contact kshitij.jain@xplainity.com. By entrusting Xplainity with your educational assessments and data, you trust us to protect them, and we take that responsibility seriously. This Policy is in effect as of October 27, 2025.