
Breach Response Plan

Document version 1.0 · Last reviewed: 26 April 2026 · Next review: October 2026 · Owner: Scott Calder, Director, SJC Distributions Ltd

⚠️ If you suspect a breach is happening right now: email security@workhive.co.uk AND call Scott on the number registered with ICO. Do not wait. Time matters.

1. Purpose & scope

This plan defines how WorkHive (operated by SJC Distributions Limited) detects, contains, assesses, notifies and recovers from any actual or suspected personal-data breach involving customer data. It is required under UK GDPR Articles 32–34 and the Data Protection Act 2018.

2. What counts as a breach

A "personal data breach" under UK GDPR Art 4(12) is any of:

This includes near-misses where exposure was possible but not confirmed (e.g. a leaked API key with high blast radius — even if no logs show exfiltration).

3. Detection sources

Source               | Monitored how                                     | Alert latency
Supabase logs        | Daily review + anomaly thresholds                 | ≤24 hours
Sentry error reports | Real-time push to security email + SMS            | ≤5 minutes
Better Stack uptime  | 5-minute health check on /health                  | ≤5 minutes
Audit log anomalies  | Weekly automated review (e.g. cross-site queries) | ≤7 days
Customer report      | security@workhive.co.uk                           | ≤1 hour acknowledgement
External researcher  | Responsible disclosure via security@              | ≤24 hours triage

4. Response timeline

T+0 — Detection

  1. Acknowledge the report or alert.
  2. Open a private incident channel (Signal or Slack with no customer data shared).
  3. Assign Incident Commander (default: Scott Calder).
  4. Begin a timeline log: every action, decision and observation gets a timestamp.

T+1 hour — Containment

  1. Isolate the compromised system: rotate keys, revoke sessions, block IPs, disable accounts.
  2. Preserve evidence: snapshot logs, memory, database state. Do not delete or overwrite anything that may be evidence.
  3. If exposure is ongoing and keeping the service up risks more loss than taking it down: take WorkHive offline temporarily and post a status update.
  4. Notify any sub-processor whose service is involved (Supabase, Anthropic, etc.).

T+24 hours — Assessment

  1. Determine who was affected, what data, how, when, and what the consequences could be.
  2. Categorise risk under UK GDPR Art 33–34: low / medium / high risk to rights and freedoms.
  3. Decide: notifiable to ICO? notifiable to affected individuals?
  4. If the breach involves bank details or NI numbers → automatically high risk, automatically notifiable.
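The following is an added worked example, not part of the plan itself, showing the T+0 timeline log and the Assessment rules above as code: an append-only timeline with T+ offsets, the automatic high-risk override for bank details and NI numbers, and the T+72h (ICO, customer) and T+1h (insurer, section 9) deadlines computed from the detection time. The category labels, the decision that medium-risk incidents go to the ICO, and the class and function names are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Data categories the plan treats as automatically high risk and automatically
# notifiable (section 4, Assessment step 4). The labels are assumptions.
AUTO_HIGH_RISK_CATEGORIES = {"bank_details", "ni_number"}

RISK_LEVELS = ("low", "medium", "high")


@dataclass
class TimelineEntry:
    at: datetime
    actor: str
    note: str


class IncidentTimeline:
    """Append-only timeline log (T+0 step 4): every action, decision and
    observation gets a timestamp. Entries are never edited or removed, so
    the log can later be preserved as evidence."""

    def __init__(self, detected_at: datetime) -> None:
        if detected_at.tzinfo is None:
            raise ValueError("detected_at must be timezone-aware")
        self.detected_at = detected_at
        self._entries: list[TimelineEntry] = []
        self.record(detected_at, "system", "Incident detected; timeline opened")

    def record(self, at: datetime, actor: str, note: str) -> TimelineEntry:
        if at.tzinfo is None:
            raise ValueError("timeline entries must use timezone-aware timestamps")
        entry = TimelineEntry(at, actor, note)
        self._entries.append(entry)
        return entry

    def entries(self) -> list[TimelineEntry]:
        return list(self._entries)

    def render(self) -> str:
        # The T+ offset makes it easy to check the plan's deadlines at a glance.
        lines = []
        for e in self._entries:
            hours = (e.at - self.detected_at).total_seconds() / 3600
            lines.append(f"{e.at.isoformat()}  T+{hours:5.1f}h  [{e.actor}] {e.note}")
        return "\n".join(lines)


@dataclass
class Triage:
    risk: str
    notify_ico: bool
    notify_individuals: bool
    ico_deadline: datetime                # T+72 hours (section 4)
    customer_deadline: datetime           # T+72 hours (section 4)
    insurer_deadline: Optional[datetime]  # T+1 hour for medium/high (section 9)


def triage(detected_at: datetime, data_categories: set[str], baseline_risk: str = "low") -> Triage:
    """Apply the plan's assessment rules. baseline_risk is the Incident
    Commander's own low/medium/high categorisation; only the overrides the
    plan states explicitly are applied on top of it."""
    if baseline_risk not in RISK_LEVELS:
        raise ValueError(f"risk must be one of {RISK_LEVELS}")
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")

    risk = "high" if data_categories & AUTO_HIGH_RISK_CATEGORIES else baseline_risk
    # Art 34 direct notification to individuals is reserved for high-risk breaches.
    notify_individuals = risk == "high"
    # Assumption: medium and high both go to the ICO; the plan leaves the
    # low-risk decision to the Incident Commander.
    notify_ico = risk in ("medium", "high")

    t72 = detected_at + timedelta(hours=72)
    insurer = detected_at + timedelta(hours=1) if risk in ("medium", "high") else None
    return Triage(risk, notify_ico, notify_individuals, t72, t72, insurer)


if __name__ == "__main__":
    # Constructed sample incident.
    t0 = datetime(2026, 4, 26, 9, 0, tzinfo=timezone.utc)
    log = IncidentTimeline(t0)
    log.record(t0 + timedelta(minutes=20), "Scott", "Rotated API keys, revoked sessions")
    print(log.render())
    print(triage(t0, {"name", "email", "ni_number"}))
```

The `Triage` result is what goes into the timeline log at the T+24h assessment; if the Incident Commander later revises the risk level, record a new entry rather than editing the old one.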

T+72 hours — ICO notification (if required)

Submit at ico.org.uk/for-organisations/report-a-breach or call 0303 123 1113.

Required content (UK GDPR Art 33(3)):

  1. Nature of breach (categories & approx number of individuals/records affected)
  2. Name & contact details of DPO/contact point: Scott Calder, Director, security@workhive.co.uk
  3. Likely consequences
  4. Measures taken or proposed to address the breach + mitigate adverse effects

If we cannot give all info within 72 hours, we submit what we have and follow up.

T+72 hours — Customer (Controller) notification

Where the breach affects a customer's data, we email the registered alert_email for that organisation within 72 hours. They are the Controller; they may need to notify their own staff.

T+72 hours — Individual notification (if high-risk)

Where the breach is high-risk to individuals (financial loss, identity theft, etc.), we coordinate with the customer (Controller) on direct notification to affected staff. This is the Controller's legal obligation under Art 34, but we provide all information needed.

T+7 days — Remediation report

  1. Root cause analysis written up (5 Whys + technical details).
  2. Permanent fix deployed and verified.
  3. Evidence preserved for 6 years.
  4. Incident report shared with affected customers.

T+30 days — Post-incident review

  1. Identify systemic weaknesses revealed.
  2. Update this plan, security controls, and runbooks.
  3. Schedule any extra training, audits, or certification work.

5. Roles & responsibilities

Role                                | Responsibility
Incident Commander (Scott Calder)   | Overall decisions, ICO communication, customer comms.
Technical Lead                      | Containment, forensics, fixes.
Communications Lead                 | Customer email + status page updates + internal comms.
Legal & Compliance                  | ICO submission, sub-processor coordination, insurance claim.

Until WorkHive grows, all roles default to Scott Calder. External counsel will be retained for any incident classified medium or high risk.

6. Special cases

Encryption key compromise

If the workhive_pii_key in Supabase Vault is compromised: rotate immediately, re-encrypt all PII fields with the new key, and audit for any suspicious queries during the exposure window. Treat as a high-risk breach if any PII queries occurred from an unknown IP.

Service-role key compromise

Service role bypasses RLS. If exposed: roll the JWT secret (invalidates all keys), re-deploy, audit all anonymous-context queries during exposure. Treat as high-risk breach.
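The two audits described above (the encryption key case and the service-role key case), as an added example that is not part of the plan: it runs over a constructed query log, limits attention to the exposure window, and flags PII-table queries from unknown IPs for the first case and any query that did not run as an authenticated user for the second. The log field names, the known networks, the PII table names and the function names are assumptions; the real Supabase log schema is not on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample query log. Field names (ts, ip, role, table, op) are
# assumptions for this example, not the Supabase log schema.
SAMPLE_LOG = [
    {"ts": "2026-04-26T08:55:00+00:00", "ip": "203.0.113.10", "role": "authenticated", "table": "staff_profiles",     "op": "SELECT"},
    {"ts": "2026-04-26T09:10:00+00:00", "ip": "203.0.113.10", "role": "authenticated", "table": "staff_profiles",     "op": "SELECT"},
    {"ts": "2026-04-26T09:30:00+00:00", "ip": "198.51.100.7", "role": "authenticated", "table": "staff_bank_details", "op": "SELECT"},
    {"ts": "2026-04-26T10:15:00+00:00", "ip": "198.51.100.7", "role": "service_role",  "table": "staff_profiles",     "op": "SELECT"},
    {"ts": "2026-04-26T10:40:00+00:00", "ip": "203.0.113.20", "role": "anon",          "table": "shifts",             "op": "SELECT"},
    {"ts": "2026-04-26T11:30:00+00:00", "ip": "198.51.100.7", "role": "service_role",  "table": "staff_profiles",     "op": "SELECT"},
]

# Exposure window: earliest point the key could have been exposed, up to the
# moment it was rotated. Constructed for the example.
WINDOW_START = datetime(2026, 4, 26, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 26, 11, 0, tzinfo=timezone.utc)

# Networks WorkHive's own application servers query from (assumption).
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Tables holding columns encrypted with workhive_pii_key (assumption).
PII_TABLES = {"staff_profiles", "staff_bank_details"}


@dataclass
class Finding:
    ts: datetime
    ip: str
    role: str
    table: str
    reason: str


@dataclass
class AuditResult:
    auto_high_risk: bool                 # True when the plan's automatic high-risk rule applies
    findings: list = field(default_factory=list)


def _in_window(rec, start, end):
    ts = datetime.fromisoformat(rec["ts"])
    return start <= ts <= end, ts


def _from_known_network(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def audit_pii_key_exposure(log, start, end, known_networks, pii_tables) -> AuditResult:
    """Encryption key compromise: flag every query against a PII table from an
    unknown IP inside the exposure window. Any such query makes the breach
    high-risk under the plan."""
    findings = []
    for rec in log:
        inside, ts = _in_window(rec, start, end)
        if not inside or rec["table"] not in pii_tables:
            continue
        if _from_known_network(rec["ip"], known_networks):
            continue
        findings.append(Finding(ts, rec["ip"], rec["role"], rec["table"],
                                "PII table queried from unknown IP during exposure window"))
    return AuditResult(auto_high_risk=bool(findings), findings=findings)


def audit_service_role_exposure(log, start, end) -> AuditResult:
    """Service-role key compromise: the service role bypasses RLS, so list every
    query in the window that did not run as an authenticated user. The plan
    treats this case as high-risk regardless of what the audit finds."""
    findings = []
    for rec in log:
        inside, ts = _in_window(rec, start, end)
        if inside and rec["role"] != "authenticated":
            findings.append(Finding(ts, rec["ip"], rec["role"], rec["table"],
                                    f"{rec['role']} query during exposure window"))
    return AuditResult(auto_high_risk=True, findings=findings)


def report(result: AuditResult) -> str:
    lines = [f"auto high risk: {result.auto_high_risk}; {len(result.findings)} finding(s)"]
    for f in result.findings:
        lines.append(f"  {f.ts.isoformat()} {f.ip:<14} {f.role:<14} {f.table:<20} {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_pii_key_exposure(SAMPLE_LOG, WINDOW_START, WINDOW_END, KNOWN_NETWORKS, PII_TABLES)))
    print(report(audit_service_role_exposure(SAMPLE_LOG, WINDOW_START, WINDOW_END)))
```

Set the window start conservatively (the earliest the key could have left your control, not the moment you noticed), and paste the rendered report into the incident timeline so the assessment at T+24h has the evidence in one place.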

Third-party (sub-processor) breach

If Supabase / Netlify / Resend / Twilio / Anthropic notifies us of a breach: enter our own response process at T+0. Their breach is our breach to our customers.

7. Communication templates

Customer notification email (template)

Subject: WorkHive security incident — your action may be required

Dear [Owner name],

On [date], we detected a security incident affecting your WorkHive workspace. Here is what we know:

WHAT HAPPENED
[Plain English description of the incident]

WHEN
Detected: [time]. Resolved: [time or "ongoing"].

DATA AFFECTED
[Specific list — names, emails, NI numbers, bank details, etc.]
Number of staff affected: [N]

WHAT WE'VE DONE
[Containment, fix, key rotation, etc.]

WHAT YOU SHOULD DO
[Specific actions: change passwords, notify staff, monitor accounts]

REGULATOR
We have notified / will notify the ICO under UK GDPR Article 33.
You may also need to notify your staff under Article 34 — we will help with the wording if asked.

NEXT STEPS
We will publish a full root-cause report by [date]. We are also undertaking [extra controls].

You can reach me directly on this thread or at security@workhive.co.uk.

— Scott Calder, Director, SJC Distributions Ltd

8. Testing this plan

This plan is tested via tabletop exercise twice a year (April + October). Each exercise simulates a different breach type. Findings update the plan.

9. Insurance

WorkHive carries cyber-incident insurance (£1m cover) via [insurer name]. Policy number on file. Notification to insurer triggered at T+1 hour for any incident classified medium or high risk.

10. Document control

Master copy: this URL. Internal copy stored in 1Password. Both updated together. Material changes communicated to customers via the sub-processor list and email.