CPA Toolkit – Incident Response Addendum

Effective Date: January 02, 2026

This Incident Response Addendum (“Addendum”) forms part of the CPA Toolkit Terms and Conditions and Data Processing Addendum (“DPA”) and governs the procedures applicable in the event of a Security Incident.

1. Definitions

Capitalized terms not defined in this Addendum have the meanings assigned in the Terms and Conditions or the DPA.

  • Security Incident means a confirmed breach of CPA Toolkit’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by CPA Toolkit.
  • Personal Data has the meaning set forth in the DPA.

2. Scope

This Addendum applies solely to Security Incidents originating from systems under CPA Toolkit’s direct control.

This Addendum does not apply to incidents arising from:

  • Compromised user credentials
  • Customer misconfiguration or misuse
  • Third-party services not controlled by CPA Toolkit
  • Customer devices, networks, or environments

3. Detection and Assessment

CPA Toolkit maintains procedures designed to identify and assess suspected Security Incidents.

A Security Incident shall be deemed to have occurred only after CPA Toolkit has reasonably confirmed unauthorized access to Personal Data.

Suspected events, unsuccessful attacks, probes, or attempted intrusions do not constitute a Security Incident.

4. Notification

Upon confirmation of a Security Incident, CPA Toolkit will notify the affected Customer without undue delay and within a commercially reasonable timeframe.

Notification may include, to the extent reasonably available:

  • A general description of the incident
  • The categories of data affected
  • Mitigation steps taken by CPA Toolkit

CPA Toolkit does not guarantee delivery of notifications within any specific regulatory timeframe.

5. Customer Responsibilities

The Customer remains solely responsible for:

  • Determining whether notification is required under applicable law
  • Notifying affected individuals, regulators, taxing authorities, or professional bodies
  • Providing credit monitoring, identity protection, or remediation services
  • Responding to regulatory inquiries or audits

CPA Toolkit shall not communicate directly with Data Subjects unless required by law.

6. Mitigation and Remediation

CPA Toolkit will take commercially reasonable steps to contain, investigate, and remediate confirmed Security Incidents within its control.

CPA Toolkit is not obligated to:

  • Restore data altered or deleted by the Customer
  • Reconstruct historical records
  • Provide forensic reports beyond reasonable summaries

7. Cooperation

CPA Toolkit will reasonably cooperate with the Customer in connection with a Security Incident, subject to:

  • Applicable law
  • Confidentiality obligations
  • Protection of other customers’ data

Any extraordinary assistance may be subject to additional fees.

8. Limitation of Liability

Liability arising from a Security Incident is subject to the limitations, exclusions, and caps set forth in the CPA Toolkit Terms and Conditions.

CPA Toolkit shall not be liable for regulatory fines, penalties, notification costs, credit monitoring services, or reputational harm.

9. Precedence

In the event of conflict between this Addendum and the Terms, Privacy Policy, or DPA, this Addendum controls solely with respect to incident response procedures.

10. Contact Information

Security or incident-related inquiries should be directed to:
Email: [email protected]