MapleDeploy takes data security seriously. This document describes how we handle suspected or confirmed data breaches, in compliance with PIPEDA's breach notification requirements and Quebec's Law 25.
What counts as a breach
A breach is any unauthorized access to, or disclosure of, personal information under MapleDeploy's control. This includes:
- Unauthorized access to customer account data (email, name, billing information)
- Unauthorized access to MapleDeploy's internal database
- Compromise of a customer VM through a vulnerability in MapleDeploy's infrastructure (not the customer's own applications)
- Loss or theft of unencrypted backups containing personal information
A breach does not include unauthorized access to a customer's own applications or databases caused by the customer's configuration or code. Customers are responsible for the security of what they deploy on their servers.
How we respond
Detection and containment
When we detect or are notified of a potential breach:
- We revoke all potentially compromised credentials
- We isolate affected systems to prevent further access
- We preserve logs and evidence (nothing is modified or deleted)
- We begin documenting the timeline of events
We aim to begin containment within 24 hours of detection.
Investigation
We determine:
- What data was accessed or exposed
- How many customers are affected
- The attack vector (how it happened)
- Whether data was actually exfiltrated or just exposed
Assessment
Under PIPEDA (s. 10.1), we're required to assess whether the breach creates a "real risk of significant harm" (RROSH) to affected individuals. Significant harm includes identity theft, financial loss, damage to reputation, or humiliation.
Under Quebec's Law 25, we separately assess whether the incident presents a "risk of serious injury" (risque de préjudice sérieux), which is Quebec's own independent standard.
Factors we consider under both frameworks: the sensitivity of the information, the probability it will be misused, and whether the breach was contained.
Notification
If the breach poses a real risk of significant harm:
We notify:
- Affected individuals as soon as feasible after confirming the breach. Notification includes:
  - A description of what happened
  - The date or time period of the breach
  - What personal information was involved
  - Steps we've taken to reduce the risk of harm
  - Steps you can take to protect yourself (e.g., change passwords, monitor accounts)
  - How to contact us with questions
- The Office of the Privacy Commissioner of Canada (OPC) via their breach report form.
- Quebec's Commission d'accès à l'information (CAI) if Quebec residents are affected, as required under Quebec's Law 25, using the CAI's prescribed reporting form.
- Any other organization or government institution that may be able to reduce the risk of harm resulting from the breach, as required by PIPEDA (s. 10.1(3)). For example, if compromised credentials could be used to access third-party services, we notify those third parties.
Notification method: We email affected customers directly at their registered email address. For breaches affecting all customers, we also post a notice on our website.
If the breach does not meet the notification threshold:
We still document the breach in our internal registry (see record keeping below) and may choose to voluntarily notify affected customers as a matter of good practice.
Record keeping
We maintain records of all breaches (whether or not they met the notification threshold) for at least 24 months as required by PIPEDA (s. 10.3), and for at least 5 years for incidents that may involve Quebec residents as required by Law 25.
Each breach record includes:
- A description of the circumstances of the breach
- The date or estimated date
- The nature of the personal information involved
- An assessment of whether the breach creates a real risk of significant harm (and the basis for that assessment)
- Whether notification was given to individuals, the OPC, and/or the CAI (and if not, the reasons)
These records are available to the OPC on request.
What we protect
MapleDeploy holds the following personal and account information:
| Data | How it's protected |
|---|---|
| Email address | Stored in encrypted database on Canadian infrastructure |
| Name and organization name | Stored in encrypted database on Canadian infrastructure |
| Password | Hashed with bcrypt (never stored in plain text) |
| Billing details | Processed by Stripe (PCI Level 1 compliant), not stored by MapleDeploy |
| Server details (IP addresses, hostnames, URLs) | Stored in encrypted database on Canadian infrastructure |
| Provisioning and operational logs | Stored in encrypted database on Canadian infrastructure |
Customer application data (databases, files, configurations) lives on dedicated VMs isolated from MapleDeploy's control plane and from other customers.
Your responsibilities
If you believe your MapleDeploy account or server has been compromised:
- Email hello@mapledeploy.ca immediately
- Change your MapleDeploy password
- Review your Coolify admin credentials and any API tokens
If the breach originated from your own application code or configuration, we'll help where we can, but the response and notification obligations for your end users' data are yours. As your infrastructure provider, we will promptly notify you of any breach we detect that affects your VM so you can fulfill your own PIPEDA and Law 25 obligations.
Law enforcement
In cases involving criminal activity (unauthorized access, ransomware, data theft), we may coordinate with Canadian law enforcement as appropriate and as required by law.
Contact
For security concerns or to report a potential breach: hello@mapledeploy.ca
Last updated March 21, 2026