MapleDeploy takes data security seriously. This document describes how we handle suspected or confirmed data breaches, in compliance with PIPEDA's breach notification requirements.
## What counts as a breach
A breach is any unauthorized access to, or disclosure of, personal information under MapleDeploy's control. This includes:
- Unauthorized access to customer account data (email, name, billing information)
- Unauthorized access to MapleDeploy's internal database
- Compromise of a customer VM through a vulnerability in MapleDeploy's infrastructure (not the customer's own applications)
- Loss or theft of unencrypted backups containing personal information
A breach does not include unauthorized access to a customer's own applications or databases caused by the customer's configuration or code. Customers are responsible for the security of what they deploy on their servers.
## How we respond

### Detection and containment
When we detect or are notified of a potential breach:
- We revoke all potentially compromised credentials
- We isolate affected systems to prevent further access
- We preserve logs and evidence (nothing is modified or deleted)
- We begin documenting the timeline of events
We aim to begin containment within 24 hours of detection.
### Investigation
We determine:
- What data was accessed or exposed
- How many customers are affected
- The attack vector (how it happened)
- Whether data was actually exfiltrated or just exposed
### Assessment
Under PIPEDA, we're required to assess whether the breach creates a "real risk of significant harm" to affected individuals. Significant harm includes identity theft, financial loss, damage to reputation, or humiliation.
Factors we consider: the sensitivity of the information, the probability it will be misused, and whether the breach was contained.
### Notification

If the breach poses a real risk of significant harm, we notify:

- Affected individuals, as soon as feasible after confirming the breach. Notification includes:
  - A description of what happened
  - The date or time period of the breach
  - What personal information was involved
  - Steps we've taken to reduce the risk of harm
  - Steps you can take to protect yourself (e.g., change passwords, monitor accounts)
  - How to contact us with questions
- The Office of the Privacy Commissioner of Canada (OPC), via their breach report form.
Notification method: We email affected customers directly at their registered email address. For breaches affecting all customers, we also post a notice on our website.
### Record keeping
We maintain records of all breaches (whether or not they met the notification threshold) for 24 months, as required by PIPEDA.
## What we protect
MapleDeploy holds limited personal information:
| Data | How it's protected |
|---|---|
| Email address | Stored in an encrypted database on Canadian infrastructure |
| Name | Stored in an encrypted database on Canadian infrastructure |
| Password | Hashed with bcrypt (never stored in plain text) |
| Billing details | Processed by Stripe (PCI Level 1 compliant), not stored by MapleDeploy |
Customer application data (databases, files, configurations) lives on dedicated VMs isolated from MapleDeploy's control plane and from other customers.
## Your responsibilities
If you believe your MapleDeploy account or server has been compromised:
- Email hello@mapledeploy.ca immediately
- Change your MapleDeploy password
- Review your Coolify admin credentials and any API tokens
If the breach originated from your own application code or configuration, we'll help where we can, but the response and notification obligations for your end users' data are yours.
## Contact
For security concerns or to report a potential breach: hello@mapledeploy.ca