Data Breach Response Plan
Sidekick Agent — Internal Document
Version: 1.0
Owner: [YOUR NAME]
Last reviewed: [DATE]
Next review due: [DATE + 12 MONTHS]
This is an internal operational document, not a customer-facing policy. Keep it somewhere you can find at 11pm when things go wrong. Review it annually and update contact details whenever your infrastructure changes.
Legal note: This plan is drafted against the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). The small business exemption (turnover under $3M) may technically exempt you from the Privacy Act at launch — but this plan follows the full NDB standard regardless, because: (1) your users are licensed agents subject to the Privacy Act for their own clients' data; (2) the exemption is under active review as part of ongoing Privacy Act reform (verify current status at oaic.gov.au); and (3) following the scheme is the right thing to do. Have a solicitor review this annually as the law in this area is changing.
1. What This Plan Covers
This plan applies whenever you discover, suspect, or are notified of:
- Unauthorised access to Sidekick Agent's Supabase database.
- Unauthorised access to a user's account.
- Exposure or leakage of personal information (agent data, agent client/contact records, billing information).
- Loss of a device or credential that could give someone access to the above.
- A vulnerability in the application that could have permitted unauthorised access.
- A security incident reported by Supabase, Vercel, or Stripe.
When in doubt, treat it as a potential breach and start the assessment. You can stand down after assessment if the risk is low. You cannot un-breach data you failed to contain.
2. Is It Notifiable? The Legal Test
Under the NDB scheme, a breach is notifiable (requiring you to report to the OAIC and affected individuals) if all three of the following are true:
- There was unauthorised access to, disclosure of, or loss of personal information held by Sidekick Agent.
- A reasonable person would conclude that the access or disclosure is likely to result in serious harm to one or more affected individuals. Serious harm includes: financial harm, harm to reputation, physical harm, psychological harm, or harm from identity theft.
- You have not been able to prevent the likely serious harm through remedial action before it occurs.
Examples of likely notifiable: An attacker accessed the Supabase database and downloaded agent contact records. A misconfigured RLS policy exposed one agent's campaign data to another agent. A credential compromise gave an attacker access to a production account with client data.
Examples of likely not notifiable: A brute-force login attempt that failed. Access to your own dev/test database containing no real personal information. A brief outage with no data exposure.
3. The 30-Day Assessment Clock
Once you become aware of a potential breach, you have 30 days to assess whether it is an eligible (notifiable) data breach. If your assessment concludes it is notifiable, you must notify the OAIC and affected individuals as soon as practicable after that conclusion — do not wait for the 30 days to expire.
Verify this timeline at oaic.gov.au/privacy/notifiable-data-breaches — the Privacy Act reform process was ongoing as of mid-2025 and timelines or obligations may have changed.
4. Response Sequence
Work through these steps in order. Do not skip containment to get to notification faster — containment first.
Step 1 — Detect and log (within the first hour)
- Write down exactly what you know: what happened, when you found out, what systems are involved, what data may have been affected.
- Note the exact time you became aware. This starts the 30-day assessment clock.
- Do not delete logs, modify systems, or attempt fixes that would destroy evidence before you have documented the current state.
Step 2 — Contain (within the first 2–4 hours)
Work through each applicable item:
Supabase:
- Log into the Supabase dashboard and check the Auth logs for unusual sign-in activity.
- Check the Database → Logs for unusual queries (large SELECTs, unexpected table access).
- If a specific user account was compromised: disable the account in Supabase Auth immediately.
- If the service role key or JWT secret may be compromised: rotate it immediately in Supabase → Settings → API. Note: this will sign out all active users. Acceptable cost.
- If RLS is suspected to be misconfigured: disable the affected feature or table access until fixed.
- Contact Supabase support: support@supabase.io / supabase.com/support
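The Supabase checks above ("unusual sign-in activity", "large SELECTs, unexpected table access") can be run as read-only queries from the SQL editor rather than by scrolling the dashboard log views. The queries below are an added example written for this plan, not Sidekick Agent's own tooling. They assume that the auth.audit_log_entries table exists with a jsonb payload carrying 'action' and 'actor_id' keys plus an ip_address column (the GoTrue audit log), and that the pg_stat_statements extension is enabled and on the search_path (Supabase enables it by default at the time of writing); confirm both against your project before relying on the results.

```sql
-- Added triage queries for the Supabase checks in Step 2. All three are read-only,
-- so they are safe to run before the evidence-preservation step in Step 1 is complete.
-- ASSUMPTIONS (verify against your project):
--   * auth.audit_log_entries has a jsonb "payload" column with 'action' and
--     'actor_id' keys, and an "ip_address" column (GoTrue audit log).
--   * pg_stat_statements is enabled and reachable on the current search_path.

-- 1. Sign-in activity in the last 24 hours, grouped by source IP. One IP signing in
--    to several different accounts is a credential-stuffing or account-takeover signal.
select ip_address,
       count(*)                              as login_events,
       count(distinct payload->>'actor_id')  as distinct_accounts,
       min(created_at)                       as first_seen,
       max(created_at)                       as last_seen
from auth.audit_log_entries
where created_at > now() - interval '24 hours'
  and payload->>'action' = 'login'
group by ip_address
having count(distinct payload->>'actor_id') >= 3
order by distinct_accounts desc, login_events desc;

-- 2. Every account that signed in during the suspected breach window (adjust the
--    interval to the window you recorded in Step 1). Sign-ins the agent cannot
--    explain are candidates for "disable the account" above.
select id, email, last_sign_in_at
from auth.users
where last_sign_in_at > now() - interval '24 hours'
order by last_sign_in_at desc;

-- 3. Statements that have returned the most rows since the counters were last reset.
--    A bulk SELECT over a contacts or campaigns table stands out here even after the
--    dashboard log view has rolled over. Do NOT call pg_stat_statements_reset()
--    during an incident: the counters are evidence (Step 1: do not delete logs).
select left(query, 120)                  as query_fragment,
       calls,
       rows                              as rows_returned,
       round(mean_exec_time::numeric, 1) as mean_ms
from pg_stat_statements
where query ilike 'select%'
order by rows desc
limit 20;
```

Export the result sets (CSV from the SQL editor is enough) and attach them to the Step 1 log before you change anything; the third query in particular is cumulative, so a copy taken at detection time is the only record of what was queried before containment.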
Vercel:
- Check Vercel deployment logs for unexpected traffic or errors.
- If an environment variable (e.g. Supabase service key, Stripe secret) may be exposed: rotate it in both Vercel and the originating service immediately, then redeploy.
- Contact Vercel support: vercel.com/support
Stripe:
- Sidekick Agent does not store card data — Stripe holds payment instrument data. If you suspect a Stripe key compromise, rotate the Stripe secret key in the Stripe dashboard immediately and update it in Vercel.
- Contact Stripe: stripe.com/contact/email or +61 1800 891 580 (AU)
- Note: Stripe has its own breach notification obligations for card data. A compromise of Stripe's systems is Stripe's breach to report, not yours (unless your negligence caused it).
Application access:
- Change your own Supabase dashboard password and Vercel account password.
- Rotate all secrets in .env.local and Vercel environment variables.
- Check whether any admin-level access was used without your authorisation.
Step 3 — Assess (within 24–72 hours)
Answer these questions and document your answers:
1. What personal information was accessed or exposed? Whose? (Agent accounts? Specific agent's client contacts? Billing information?)
2. How many individuals are affected?
3. How sensitive is the information? (Names and emails are less severe than property financial details, household compositions, or ID documents.)
4. Could a reasonable person conclude that the exposure is likely to cause serious harm?
5. Have your containment steps prevented the harm from occurring?
If your honest answer to question 4 (serious harm likely) is yes and to question 5 (harm prevented) is no, the breach is notifiable. Go to Step 4.
If the harm has been fully prevented, or a reasonable person would not conclude serious harm is likely — document your reasoning thoroughly and retain it. File internally. No OAIC notification required, but keep the record in case you are asked.
Step 4 — Notify the OAIC (as soon as practicable after Step 3 conclusion)
If the breach is notifiable:
- Complete the NDB notification form at: oaic.gov.au/privacy/notifiable-data-breaches/notify-us
- The form asks for: your entity name and contact details, a description of the breach, the kinds of information involved, the number of individuals affected, and what you are doing in response.
- You do not need to have all information before notifying — submit what you know and supplement later if needed.
- Retain a copy of your submitted notification.
OAIC general enquiries: 1300 363 992 (Monday–Friday, 9am–5pm AEST)
Step 5 — Notify affected individuals (as soon as practicable after Step 3)
Notify every individual whose personal information was involved and who faces a real risk of serious harm. For Sidekick Agent, this means:
- Affected Agents (direct users of the Service).
- Potentially, the Agents' own clients whose contact details were stored in the Agent's account — though your direct notification obligation may be satisfied by notifying the Agent, who is the controller of that data. Consult a solicitor on this specific point if it arises.
Notification must include:
- Your identity and contact details.
- A description of the breach (what happened).
- The kinds of information involved.
- What you recommend they do in response (e.g., change their password, monitor for suspicious contact).
- Your contact details for further enquiries.
Notification channel: Email to the registered account address is appropriate. If email is compromised, use an in-app notice or phone.
Use the template in Section 6.
Step 6 — Remediate
- Fix the root cause (patch the vulnerability, correct the RLS policy, rotate all compromised credentials).
- Test the fix before reopening affected services.
- Document what you changed and why.
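The misconfigured-RLS breach from Section 2 ("exposed one agent's campaign data to another agent") is the one root cause this plan can show being fixed in code, and the same fix is what the Section 8 audit checks for. The following is an added example, not Sidekick Agent's schema or its actual policies: the campaign_contacts table and its columns are hypothetical. What is not hypothetical is the pattern: a policy whose predicate is the constant true grants every signed-in user every row, and the correction is to tie each operation to auth.uid(). One caveat that belongs with Step 2: the service role key bypasses RLS entirely, so these policies protect nothing once that key has leaked, which is why rotating it comes before fixing policies.

```sql
-- Hypothetical table for the example; Sidekick Agent's real schema is not on the page.
create table if not exists public.campaign_contacts (
  id         bigint generated always as identity primary key,
  agent_id   uuid not null references auth.users (id) on delete cascade,
  full_name  text not null,
  email      text,
  created_at timestamptz not null default now()
);

alter table public.campaign_contacts enable row level security;

-- WEAK (the misconfiguration Section 2 describes): RLS is on, but the predicate is
-- always true, so any authenticated agent can read every other agent's contacts.
create policy "contacts_select_weak"
  on public.campaign_contacts
  for select
  to authenticated
  using (true);

-- CORRECTED: scope every command to the caller's own agent_id. Reads use USING;
-- writes also need WITH CHECK so a row cannot be inserted or moved under another
-- agent's id. (select auth.uid()) is evaluated once per statement rather than per row.
drop policy if exists "contacts_select_weak" on public.campaign_contacts;

create policy "contacts_select_own"
  on public.campaign_contacts
  for select
  to authenticated
  using (agent_id = (select auth.uid()));

create policy "contacts_insert_own"
  on public.campaign_contacts
  for insert
  to authenticated
  with check (agent_id = (select auth.uid()));

create policy "contacts_update_own"
  on public.campaign_contacts
  for update
  to authenticated
  using (agent_id = (select auth.uid()))
  with check (agent_id = (select auth.uid()));

create policy "contacts_delete_own"
  on public.campaign_contacts
  for delete
  to authenticated
  using (agent_id = (select auth.uid()));

-- Audit query for the Section 8 review: every ordinary table in public that either
-- has RLS disabled (reachable through the API with no row filter at all) or carries
-- a policy whose USING or WITH CHECK clause is the constant true. An empty result
-- is the goal; each row returned needs a written justification or a fix.
select c.relname        as table_name,
       c.relrowsecurity as rls_enabled,
       p.policyname,
       p.cmd,
       p.qual           as using_clause,
       p.with_check
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind = 'r'
  and (not c.relrowsecurity
       or p.qual = 'true'
       or p.with_check = 'true')
order by c.relname, p.policyname;
```

Test the corrected policies before reopening the feature (Step 6, "test the fix"): sign in as two different agents and confirm that each sees only its own rows, and that an insert with another agent's agent_id is rejected. A table with RLS enabled but no policies at all does not appear in the audit output because it denies everything; that is safe, not a finding.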
Step 7 — Post-incident review (within 7 days of containment)
Document the following for your own records:
- Timeline: when the breach occurred, when it was detected, when it was contained.
- Root cause: what went wrong.
- What data was exposed, to whom, for how long.
- Steps taken to contain and remediate.
- What you will change to prevent recurrence.
- Whether the OAIC was notified and when.
- Whether affected individuals were notified and how.
Keep this document. If the OAIC investigates, this record demonstrates your good-faith response.
5. Contact Directory
Keep this current. Update whenever personnel or infrastructure changes.
| Role | Name / Service | Contact |
|---|---|---|
| Account owner | [YOUR NAME] | [YOUR MOBILE] |
| Supabase support | Supabase | support@supabase.io / supabase.com/support |
| Vercel support | Vercel | vercel.com/support |
| Stripe support (AU) | Stripe | stripe.com/contact — +61 1800 891 580 |
| OAIC | Office of the Australian Information Commissioner | 1300 363 992 / oaic.gov.au |
| Your solicitor | [SOLICITOR NAME] | [SOLICITOR CONTACT] |
| Your PI insurer | [INSURER NAME] | [POLICY NUMBER / CLAIMS LINE] |
6. User Notification Email Template
Use this as a starting point. Adjust based on the specific breach before sending.
Subject: Important security notice regarding your Sidekick Agent account
Dear [Agent name],
I am writing to notify you of a security incident affecting Sidekick Agent that may have involved your account.
What happened
[Plain-language description: e.g., "On [date], we discovered that unauthorised access to our database occurred between [date] and [date]."]
What information was involved
[e.g., "The information potentially accessed includes your name, email address, and campaign contact records stored in your account. Payment card details are held by Stripe and were not involved."]
What we have done
- [Containment step 1, e.g., "We immediately revoked all active sessions and rotated our database credentials."]
- [Containment step 2]
- [Remediation step]
What we recommend you do
- Change your Sidekick Agent password immediately.
- If you use the same password elsewhere, change it there too.
- Be alert to unusual contact from anyone claiming to know details about your client records.
- [Any other specific step relevant to the breach]
Your data export
You can export all data in your Sidekick Agent account at any time from Settings → Export Data.
I take the security of your account and your clients' information seriously. I am sorry this occurred.
If you have questions, contact me directly at [YOUR EMAIL] or [YOUR PHONE].
[YOUR NAME]
Sidekick Agent
[DATE]
7. Record Keeping
Retain the following for a minimum of 7 years (consistent with general business record requirements):
- This completed response plan with all dates and decisions recorded.
- The OAIC notification submission (if made).
- Copies of all user notifications sent.
- The post-incident review document (Section 4, Step 7).
- Any correspondence with Supabase, Vercel, Stripe, or the OAIC.
8. Annual Review Checklist
Review this document every 12 months or after any significant infrastructure change:
- Contact directory updated (solicitor, insurer, infrastructure providers).
- OAIC NDB form URL confirmed still correct (oaic.gov.au).
- Privacy Act reform updates checked — any changes to NDB obligations?
- Supabase RLS policies audited for correctness.
- All production environment variables rotated.
- Stripe and Vercel account credentials reviewed.
- PI insurance policy current and covers SaaS operations.
- This document date updated.