Overview

Yellow Dog Software’s intention in publishing an Incident Notification Policy is to standardize how Yellow Dog Software notifies impacted parties in the event of a data breach.

Purpose

Yellow Dog Software is committed to protecting the confidentiality, integrity, and availability of customer data processed and stored within Yellow Dog Inventory. This policy describes how Yellow Dog Software communicates with customers, partners, and other affected parties when a security incident or data breach occurs.

Specifically, this policy defines what communications are sent, when they are sent, what they contain, and who receives them. It applies to our hosted inventory management environment serving customers in the food & beverage, retail, and venue management industries.

Scope

This policy applies to any security incident or data breach affecting:

  • Customer data stored or processed within Yellow Dog Inventory hosted environments

  • Systems that support the delivery of Yellow Dog Inventory as a service

  • Third-party service providers that process customer data on Yellow Dog Software's behalf

This policy governs external communications — to customers, partners, and where applicable, regulatory bodies. Internal operational procedures are maintained separately.

Definitions

Security Incident
Any actual or suspected event that threatens the confidentiality, integrity, or availability of Yellow Dog systems or customer data — including unauthorized access, service outages, and data integrity failures.

Data Breach
A confirmed security incident in which customer data was accessed, disclosed, altered, or destroyed without authorization.

Affected Customer
Any customer whose data was stored in a system involved in a security incident, regardless of whether exposure has been confirmed.

Initial Notification
The first communication sent to an affected customer acknowledging that an incident has occurred or is under investigation. Does not require investigation to be complete.

Written Incident Report
A formal follow-up communication providing incident details, impact assessment, and corrective actions.

P1 — Critical
A security incident involving confirmed or suspected unauthorized data access, a complete service outage, or any event with potential for data breach.

P2 — High
Partial service degradation or anomalies with potential data security implications not yet confirmed as a breach.

Notification Timelines

Yellow Dog Software commits to the following notification timelines upon discovery of a security incident. These timelines are measured from the point at which Yellow Dog Software first becomes aware of — or reasonably suspects — an incident, not from the point of confirmed breach.

This standard applies to all customers. Customers with contractual agreements requiring shorter notification windows will be served according to those terms.

Immediately upon detection
Service status updated publicly to acknowledge an issue is under investigation. No detail about cause or data exposure at this stage. Recipients: All customers via public status page

Within 24 hours
Initial Notification: confirmation that an incident has occurred or is suspected, that an investigation is underway, and a point of contact for questions. Confirmation of breach is not required before this notification is sent. Recipients: All customers whose hosted environments may be affected

Within 48 hours
Written Incident Report: incident description, timeline, known scope of impact, what data may have been involved, containment status, and next steps. Report is sent even if investigation is ongoing. Recipients: Customers with confirmed or probable data exposure

Every 72 hours
Status update while investigation remains open: progress summary, any newly confirmed information, and revised timeline to resolution. Recipients: All customers who received the 24-hour notification

Within 14 days of closure
Final incident report: confirmed root cause, full impact assessment, corrective actions taken, and preventive measures implemented. Recipients: Customers with confirmed data exposure

Communication Content

Initial Notification (within 24 hours)

The initial notification is sent promptly to ensure customers can take precautionary action. It will include:

  1. The date and approximate time Yellow Dog Software became aware of the incident

  2. A plain-language description of what is known — what occurred, which systems are involved

  3. A statement that an investigation is underway and that further information will follow

  4. Whether customer data may have been involved, to the extent known

  5. Immediate steps customers should consider taking

  6. A dedicated contact at Yellow Dog Software for questions

The initial notification will not be withheld pending investigation completion. Where the cause or scope is unknown, the notification will clearly say so.

Written Incident Report (within 48 hours)

The written report provides greater detail than the initial notification. It will include:

  1. Confirmed timeline of the incident from detection through current status

  2. Description of the nature of the incident and how it occurred, to the extent determined

  3. Categories of customer data involved or potentially involved

  4. Approximate number of customer records affected, where determinable

  5. Actions taken to contain the incident

  6. Current status of the investigation

  7. Recommended actions for affected customers

  8. Yellow Dog Software contact information for follow-up

Ongoing Status Updates (every 72 hours while open)

While an investigation remains open beyond 48 hours, Yellow Dog Software will provide regular updates covering:

  • New information confirmed since the prior communication

  • Current containment and remediation status

  • Revised timeline for resolution or final report

  • Any changes to the recommended customer actions

Final Incident Report (within 14 days of closure)

Once an incident is fully resolved, Yellow Dog Software issues a final report to all customers with confirmed data exposure. This report includes:

  1. Confirmed root cause

  2. Complete timeline from initial detection through resolution

  3. Full assessment of data accessed, modified, or exposed

  4. All corrective actions taken by Yellow Dog Software

  5. Preventive measures implemented to reduce the likelihood of recurrence

  6. Contact information for any ongoing questions

Communication Channels

Yellow Dog Software uses the following channels to deliver incident communications, matched to the nature of the message and the urgency of the situation:

Public Status Page

Updated immediately upon detection of any service disruption. All updates are posted here throughout the lifecycle of an incident.
Audience: All customers; publicly accessible

Direct Email

Used for Initial Notifications, Written Reports, status updates, and Final Reports. Sent to the security or primary contact on file for each affected account.
Audience: Affected customers

Phone

Used for P1 incidents and for any customer whose contract specifies phone notification. A Yellow Dog representative will call the designated contact directly.
Audience: Affected customers — P1 incidents or where contractually required

Secure Written Document

The Written Incident Report and Final Report are delivered as formal documents, either via email attachment or a secure link.
Audience: Customers with confirmed or probable data exposure

Who Receives Notifications

Notifications are directed based on the nature of the incident and the customer's relationship with Yellow Dog Software:

All hosted customers on an affected environment

Service status updates and Initial Notification are sent to all customers whose hosted data environment was involved in the incident, regardless of whether individual data exposure has been confirmed.

Customers with confirmed data exposure

Receive all communications including Written Incident Report, status updates, and Final Report.

Customers with contractual notification clauses

Notified according to the terms of their agreement — including any shorter timelines, required phone contact, or specific named security contacts. Yellow Dog Software maintains a record of these requirements.

Third-party subprocessors

Notified as required to support containment and investigation. Yellow Dog Software is responsible for ensuring subprocessors comply with the same notification standards.

Maintaining Accurate Contact Information

Yellow Dog Software maintains a designated security or primary contact record for each hosted customer account. This contact receives all incident notifications.

Customers are responsible for keeping their designated contact information current. To update a security contact or notification email address, contact Yellow Dog Software support using the information in Section 11.

For customers whose contracts designate a specific named security official, Yellow Dog Software will direct Initial Notifications to that individual by both phone and email, in accordance with the contract.

Forensic and Evidence Requests

Customers who have experienced a confirmed data breach may request access to logs and forensic evidence related to their data environment. Yellow Dog Software will:

  • Preserve all relevant logs and system records in their original state from the point of incident detection

  • Provide raw logs and forensic artifacts to affected customers upon written request, subject to legal review

  • Retain incident-related logs for a minimum of three years

Requests for forensic data should be submitted in writing to the contact address in Section 11.

SOC 2 Alignment

This policy supports Yellow Dog Software's SOC 2 Type II certification and directly addresses the following Trust Services Criteria:

  • CC7.3 — Detection and evaluation of security events

  • CC7.4 — Response to identified security incidents

  • CC7.5 — Communication to affected parties regarding security incidents

  • CC2.2 — Communication of security practices to external parties

Yellow Dog Software's SOC 2 audit reports are available to customers under NDA upon request.

Contact

To report a suspected security incident, request a copy of an incident report, or ask questions about this policy:

Email: support@yellowdogsoftware.com

Phone: +1 (757) 663-7514

Address: Yellow Dog Software, 965 Norfolk Square, Norfolk, Virginia 23502