Breach Notification Policy
This policy describes how RapidLaunch detects, assesses, contains, and notifies of personal data breaches in compliance with GDPR Articles 33 and 34.
Breach Status
No data breaches have been recorded. This page serves as the authoritative record of our breach notification procedure and status.
1. Detection — Automated 5-Minute Scanner
Our infrastructure is continuously monitored by the Security MCP server, which scans all systems every 5 minutes for potential breach indicators:
- File integrity: Monitors critical system files for unauthorized modifications using checksum comparison.
- Access logs: Analyzes SSH, FTP, and database access logs for anomalous patterns, repeated failed authentication attempts, or access from unexpected IP addresses.
- Vulnerability scanner: The Security MCP runs
scan_all_vulnerabilitieson every site daily, checking for SQL injection, XSS, CSRF, exposed secrets, and hardcoded credentials. - Service health: The Health MCP checks PHP, MySQL, and HTTP services every 5 minutes across all servers.
- SSL monitoring: Certificate expiry, misconfiguration, or unexpected certificate changes are flagged immediately.
Any alert from these systems is logged as a critical event in the logging system via the Logging MCP and triggers an immediate notification to the on-call engineer.
2. Containment
Upon detection of a suspected breach, the following containment steps are taken immediately:
- Isolate affected systems: The affected server, service, or database is isolated from the network to prevent lateral movement.
- Preserve evidence: System snapshots, logs, and memory dumps are taken for forensic analysis.
- Revoke credentials: All access credentials to the affected system are rotated.
- Block IPs: Any IP addresses identified as sources of the breach are blocked at the firewall level.
3. Assessment
Within 24 hours of detection, the breach response team assesses:
- Nature of the breach: What type of data was accessed or exfiltrated?
- Categories of data involved: Personal data, special category data, financial data, etc.
- Data subjects affected: Number of individuals and categories (clients, visitors, employees).
- Likely consequences: Risk of identity theft, fraud, reputational damage, discrimination.
- Mitigation measures: Whether the breach is already contained and what further steps are needed.
4. Notification to DPC (72 Hours)
Under GDPR Article 33, we must notify the Irish Data Protection Commission of a breach within 72 hours of becoming aware of it. Our notification includes:
- Description of the breach (nature, categories, approximate number of data subjects and records)
- Name and contact details of the Data Protection Officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
5. Notification to Affected Users
Under GDPR Article 34, if the breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected users without undue delay. Notification includes:
- Description of the breach in plain language
- Contact details of the Data Protection Officer
- Recommendations for mitigating potential adverse effects (e.g., change passwords, monitor accounts)
- Steps we have taken to address the breach
Notification is sent via email to the affected user's registered email address. In cases where direct notification is not possible, we will publish a prominent notice on our website.
6. Documentation
All breaches, including near-misses, are documented in our internal breach register. Documentation includes:
- Date and time of detection
- Facts surrounding the breach
- Effects and remedial action taken
- Rationale for decisions (e.g., why DPC was or was not notified)
- Post-incident review findings
7. Post-Incident Review
After every breach or near-miss, we conduct a post-incident review to:
- Identify the root cause
- Implement corrective measures to prevent recurrence
- Update this policy if necessary
- Update our risk assessment
8. Contact
To report a suspected data security issue or for breach-related inquiries:
Data Protection Officer: dpo@rapidlaunch.ie (subject: "Security Incident" for urgent reports)