Data Breach Procedure
Last updated: April 2026
1. What is a data breach?
A personal data breach is any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes both deliberate attacks and accidental incidents.
2. How we detect breaches
- Application error monitoring via Vercel deployment logs
- Supabase database audit logs for unusual access patterns
- Automated alerts for failed authentication attempts
- Regular review of access logs and API usage
- Reports from users, organisations, or security researchers
3. Severity classification
| Level | Description | Example |
|---|---|---|
| High | Confirmed unauthorised access to personal data | Database breach, credential compromise |
| Medium | Potential exposure without confirmed access | Misconfigured access control, exposed API key |
| Low | Minor incident with no data exposure | Failed exploit attempt, suspicious login from known user |
4. Our response
When a breach is detected or reported, we follow this procedure:
- Contain — immediately isolate the affected system, revoke compromised credentials, and prevent further data loss
- Assess — determine what data was affected, how many users are impacted, and the severity level
- Notify organisations — we will notify all affected organisations within 24 hours of confirming a breach, including what happened, what data was involved, and what we are doing about it
- Notify the ICO — if the breach is likely to result in a risk to individuals' rights and freedoms, we will report it to the Information Commissioner's Office within 72 hours as required by UK GDPR Article 33
- Notify individuals — if the breach is likely to result in a high risk to individuals, we will notify them directly without undue delay
- Remediate — fix the root cause, implement additional safeguards, and update our security measures
- Review — document the incident, conduct a post-mortem, and update this procedure if needed
5. Record keeping
We maintain a record of all data breaches, regardless of severity, including the facts of the breach, its effects, and the remedial actions taken. This register is maintained in accordance with UK GDPR Article 33(5).
6. Reporting a potential breach
If you believe you have discovered a security vulnerability or data breach, please report it immediately to hello@give-time.org. We appreciate responsible disclosure and will acknowledge your report within 24 hours.