Purpose
Contain, assess, notify, recover, review
The policy defines how Stackle prevents, detects, responds to, and learns from data breaches across its systems, vendors, people, and processes.
Data Breach Policy
How Stackle responds when incidents threaten personal data
This policy explains how Stackle identifies, assesses, contains, records, and notifies data-breach incidents, including the operational and regulatory steps that follow.
Read the Policy
Last updated 03 March 2026
At a Glance
The incident playbook before the fine print.
A practical view of the breach policy, covering governance, notification expectations, and operational response responsibilities.
Timing
Notification windows are tightly defined
Suspected eligible breaches are assessed with a target of 72 hours, and reportable NDB or GDPR events are escalated and notified within the required regulatory windows.
Governance
Virtual response team, central breach register
Stackle uses a virtual, cross-functional incident team for each breach and requires every confirmed breach to be recorded in a central breach register for audit and compliance.
1. Purpose and Scope
This policy describes how Stackle Pty Ltd will prevent, detect, respond to, and learn from data breaches in adherence with the Privacy Act 1988 (Cth), the Australian Notifiable Data Breaches Scheme, the UK and EU GDPR, ISO 27001:2022, and SOC 2 Trust Services Criteria.
It sets out the steps Stackle will take to contain, assess, notify, and review any breach, and explains how Stackle will meet its obligations under the NDB Scheme, GDPR, and relevant contractual commitments.
The policy applies to all Stackle employees, contractors, and third parties with access to Stackle data or systems; all personal information, confidential data, and intellectual property held by Stackle in any format; and all systems and services operated by or on behalf of Stackle, including AWS-hosted infrastructure in ap-southeast-2, third-party platforms, and remotely accessed systems.
2. Definitions and Data Breach Sources
Unauthorised third-party access to systems, including external hackers or credential theft.
Unauthorised access, disclosure, or modification by employees or users.
Data breaches at third-party or supplier services that hold or process Stackle user data.
Loss, theft, or unauthorised access to devices storing Stackle data, including laptops.
Unauthorised access or modification of Stackle cloud databases hosted on AWS.
Accidental disclosure of user data, such as sending data to the wrong email address.
Phishing or social engineering leading to credential compromise.
Malware infections on Stackle cloud infrastructure or hardware.
Public exposure caused by cloud-service misconfiguration.
Insider threats, whether deliberate or accidental, including sabotage or unauthorised exfiltration.
2.1 Definitions
| Term | Definition |
|---|---|
| Data Breach | Unauthorised access to, disclosure of, modification of, or loss of personal information or other classified data held by Stackle. |
| Eligible Data Breach | Under the Privacy Act 1988 (Cth), a breach likely to result in serious harm to one or more individuals where remedial action has not prevented that likely risk. |
| Personal Data Breach | Under GDPR, a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed by Stackle. |
| Breach Register | The centralised log of all breach events, regardless of severity or notifiability, maintained for audit and compliance purposes. |
| Serious Harm | Physical, psychological, financial, reputational, or other harm that a reasonable person would consider significant. |
3. Roles, Responsibilities, and Reporting
Stackle does not maintain a standing breach response team. Instead, it assembles a virtual, cross-functional team per incident in line with the Incident Response Plan.
Any employee, contractor, or third party who becomes aware of, is informed of, or suspects a breach must report it immediately by emailing admin@stacklehq.com or contacting the Head of Technology or Senior Management directly when the situation is severe or time-critical.
Reports should include as much detail as possible, including the date, time, affected systems or data, and what was observed. Staff must not attempt to investigate or remediate independently.
3.1 Incident Roles
| Role | Responsibility |
|---|---|
| All Employees and Contractors | Report suspected breaches immediately. Do not investigate or remediate independently. |
| Triage Manager | Assess the suspected event, determine whether a breach occurred, and assign initial severity. |
| Incident Manager | Lead and coordinate the breach response lifecycle from discovery through closure and post-incident review. |
| Technical Lead | Lead technical investigation, containment, and recovery. |
| Head of Technology | Own the policy, oversee breach response, approve notifications, and act as escalation point for S1 and S2 breaches. |
| Legal | Assess notifiability under NDB, GDPR, and contracts; advise on evidence handling; manage regulatory notifications. |
| Senior Management | Receive S1 and S2 escalations and authorise critical decisions such as taking systems offline. |
| Executive Board | Receive reporting on significant breaches and approve the policy. |
4. Severity and Response Plan
Confirmed breaches are assigned a severity level during triage and are then handled through a defined contain, assess, preserve, notify, recover, and review sequence.
Contain: suspend compromised accounts, quarantine malware, block compromised keys or paths, take temporary downtime if needed, and restore lost or modified data where possible.
Assess: determine the type, sensitivity, and volume of information involved, the cause and extent, affected systems and individuals, and the risk of serious, reputational, financial, legal, and operational harm.
Evidence preservation: preserve logs, disk images, and memory state before remediation where necessary, maintain chain of custody, involve Legal before altering evidence, and source evidence from systems such as CloudTrail, CloudWatch, and application logs.
Notify: notify the Head of Technology and Senior Management of all confirmed breaches, regardless of severity or notifiability, and log all notifications and decisions in the incident record.
Recover: restore to a clean, known-good state, prefer data-only backups over full snapshots where possible, monitor closely for at least 14 days, and complete legal and customer notification work before closure.
Review: conduct a formal Post-Incident Review for all S1 and S2 breaches, and strongly consider it for S3 breaches, within 14 calendar days of closure.
4.1 Severity Levels
| Severity | Description | Target Containment |
|---|---|---|
| S1 - Critical | Confirmed or high-probability breach of sensitive or personal data, ransomware, or severe reputational damage likely. Any reportable personal data breach is automatically S1. | 8 hours |
| S2 - High | Risk of breach of personal or sensitive data with potential serious reputational damage. | 12 hours |
| S3 - Medium | Possible breach of small amounts of non-sensitive data with low reputational risk. | 24 hours |
| S4 - Low | Minimal or no operational impact, affecting one or two non-sensitive assets. | 72 hours |
Severity must be reassessed continuously as the incident evolves.
Open item in the source policy: legal counsel details are still a placeholder in the Incident Response Plan annex and must be confirmed before ISO 27001 or SOC 2 certification.
5. Regulatory and Legal Notification Obligations
Under the Australian NDB Scheme, Stackle must assess suspected eligible breaches expeditiously with a target of completion within 72 hours of becoming aware of the suspected breach.
If an eligible breach is confirmed, the policy requires notification to the OAIC within 72 hours of forming a reasonable belief that the eligible breach has occurred, plus notification to affected individuals as soon as practicable where serious harm is likely.
Where a breach affects users of a specific organisation, Stackle uses the organisation's admin contact as the primary notification channel, with website publication as a fallback where direct notification is not practicable.
For UK and EU users, Legal must assess whether the breach is likely to result in a risk to rights and freedoms and, where reportable, notify the ICO or relevant EU supervisory authority within 72 hours of awareness. A reportable personal data breach to UK or EU regulators is automatically classified as an S1 incident.
The policy also acknowledges contractual breach-notification obligations and states that Legal must review all current and future material contracts so those obligations are documented in the Incident Response Plan.
All notifications must be approved by the Head of Technology and Legal before sending.
Direct individual notification is used where required and practicable.
All personal data breaches, whether reportable or not, must be documented in the Breach Register.
ICO breach reporting reference in the source policy: https://ico.org.uk/for-organisations/report-a-breach/.
Open item in the source policy: the contractual notification obligations table is not yet populated, so the document states it should not be treated as fully complete until that work is approved by the Head of Technology.
6. Breach Register, Monitoring, and Related Plans
Stackle maintains a Breach Register as a centralised, auditable record of all data breach events. The source policy states that it is maintained as a controlled Google Sheet in Stackle's secure Google Workspace environment with access restricted to the Head of Technology, Legal, and Senior Management.
The register must be updated for every confirmed breach, retained for a minimum of 7 years, and made available to auditors and regulators on request. The active Incident Manager receives access only for the duration of an incident.
The policy also sets out a detection and monitoring layer spanning AWS, application monitoring, Discord alerting, and email escalation. Any alert that indicates potential unauthorised access to personal data must be treated as a suspected breach and reported immediately.
This policy operates alongside the Incident Response Policy, Incident Response Plan, Business Continuity Plan, GDPR Policy, Data Classification and Handling Policy, and Supplier Management Policy. In the event of conflict, it is subordinate to the Incident Response Policy.
AWS CloudTrail for API and access activity logging across AWS services.
AWS GuardDuty for threat detection and anomaly monitoring.
AWS CloudWatch for infrastructure performance and anomaly alerting.
AWS WAF for web application firewall rate limiting and bot control.
Laravel Nightwatch for real-time application performance monitoring and error alerting.
Discord for automated alert notifications to internal security channels.
Email for escalation and notification of alerts requiring human review or action.
6.1 Breach Register Fields
| Field | Description |
|---|---|
| Incident ID | Unique identifier |
| Date Discovered | Date the breach was identified |
| Date Occurred (if known) | Estimated date the breach began |
| Description | Summary of what occurred |
| Data Affected | Type, classification, and approximate volume of data involved |
| Individuals Affected | Estimated number of affected individuals |
| Severity | S1-S4 per the severity section |
| Notification Status | NDB, GDPR, or contractual notifications made, including date and outcome |
| Remediation Actions | Steps taken to contain and recover |
| PIR Completed | Date of post-incident review |
| Closed Date | Date the incident was formally closed |
Open item in the source policy: cyber insurance had not yet been confirmed and the Head of Technology was directed to resolve that before ISO 27001 or SOC 2 certification.
7. Review, Acknowledgement, and Compliance
The data-breach response procedures must be tested at least annually through a tabletop exercise or equivalent simulation, coordinated with the annual Incident Response Plan test. Outcomes must be documented and reviewed by the Head of Technology.
The policy must also be reviewed at least annually and after significant incidents, material changes to systems or personnel, relevant changes in law, or significant updates to the Incident Response Policy or Plan. The Head of Technology and Head of Product jointly initiate reviews, and updates go to the Executive Board for approval.
Compliance with the policy is a condition of employment and engagement. New employees and contractors must acknowledge it before receiving system or data access, annual re-acknowledgement is required, and material out-of-cycle updates require re-acknowledgement within 30 days. Records must be retained for at least 3 years.
The policy reserves Stackle's right to monitor employees' use of company data and to investigate where conduct appears to breach policy. Employees or third parties who cause or contribute to a breach may face disciplinary or contractual consequences, up to and including termination or revocation of access.
7.1 Compliance Mapping
| Requirement | ISO 27001:2022 Control | SOC 2 Criteria |
|---|---|---|
| Incident response governance | A.5.24 | CC7.2, CC7.4 |
| Breach assessment and classification | A.5.25 | CC7.3 |
| Breach response and notification | A.5.26 | CC7.4 |
| Post-incident review and improvement | A.5.27 | CC7.4, CC4.2 |
| Evidence handling and forensics | A.5.28 | CC7.4 |
| Breach register and audit trail | A.5.24, A.5.27 | CC7.4, CC2.2 |
| Detection and monitoring | A.8.16 | CC7.2, CC7.3 |
| Annual testing | A.5.24 | CC7.4 |
| NDB Scheme compliance | A.5.26 | CC2.3 |
| GDPR compliance | A.5.26 | CC2.3 |