Onwards Upwards

Personal-data breach response

Public summary of our incident-response process under GDPR Art. 33/34, UK GDPR, CCPA/CPRA breach-notification duties, and analogous regimes (LGPD, PIPEDA, Australian Privacy Act, POPIA). Last reviewed: 23 May 2026.

1. Reporting a suspected incident

If you believe Onwards Upwards has experienced a security or privacy incident, email security@onwardsupwards.app. Coordinated disclosure terms are published at /.well-known/security.txt. We acknowledge reports within 1 business day.

2. Detection

  • Application audit log for consent, export, deletion and admin actions.
  • Supabase auth & database logs; Cloudflare edge logs.
  • Email-delivery suppression and bounce monitoring.
  • External reports via security.txt and DPO mailbox.
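
One way to put the first of those sources to work, as an added example that is not Onwards Upwards' own detection code: a small triage script that reads audit-log lines for export and deletion actions and flags any single actor performing many of them on other people's data inside a short window, which is the pattern a compromised admin credential or a scraping integration tends to leave. The JSONL field names (`ts`, `actor`, `action`, `subject`), the ten-minute window and the threshold of five are assumptions, and the sample lines are constructed for the example.

```python
"""Bulk-action triage over application audit-log lines.

Added example for this page (not Onwards Upwards' own detection code).
The JSONL field names ts/actor/action/subject, the window and the
threshold are assumptions; the log lines below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: one actor bulk-exporting many subjects' data
# amid ordinary self-service traffic.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-05-20T09:00:01Z","actor":"user:1001","action":"export","subject":"user:1001"}
{"ts":"2026-05-20T09:12:40Z","actor":"admin:42","action":"export","subject":"user:2001"}
{"ts":"2026-05-20T09:12:55Z","actor":"admin:42","action":"export","subject":"user:2002"}
{"ts":"2026-05-20T09:13:10Z","actor":"admin:42","action":"export","subject":"user:2003"}
{"ts":"2026-05-20T09:13:31Z","actor":"admin:42","action":"export","subject":"user:2004"}
{"ts":"2026-05-20T09:14:02Z","actor":"admin:42","action":"export","subject":"user:2005"}
{"ts":"2026-05-20T09:15:47Z","actor":"admin:42","action":"export","subject":"user:2005"}
{"ts":"2026-05-20T09:30:00Z","actor":"admin:7","action":"delete","subject":"user:3001"}
{"ts":"2026-05-20T09:31:00Z","actor":"admin:7","action":"delete","subject":"user:3002"}
{"ts":"2026-05-20T11:00:00Z","actor":"user:1002","action":"consent","subject":"user:1002"}
"""

WATCHED_ACTIONS = {"export", "delete"}   # actions that move or destroy personal data
WINDOW = timedelta(minutes=10)           # sliding window (assumed tuning value)
THRESHOLD = 5                            # watched actions on others' data inside WINDOW


def parse_events(text):
    """Parse JSONL audit lines into dicts with a timezone-aware 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def find_bulk_actions(events, window=WINDOW, threshold=THRESHOLD):
    """Flag any (actor, action) pair with >= threshold watched actions on
    other people's data inside a sliding window. Self-service actions
    (actor == subject) are a user exercising their own rights and are not
    counted."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["action"] in WATCHED_ACTIONS and ev["actor"] != ev["subject"]:
            by_key[(ev["actor"], ev["action"])].append(ev)

    alerts = []
    for (actor, action), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            # advance the left edge until the events fit inside the window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count, end)
        if best is None:
            continue
        start, count, end = best
        hit = evs[start:end + 1]
        alerts.append({
            "actor": actor,
            "action": action,
            "count": count,
            # distinct data subjects touched: the scoping input for Art. 33/34
            "subjects": sorted({e["subject"] for e in hit}),
            "first_seen": hit[0]["ts"].isoformat(),
            "last_seen": hit[-1]["ts"].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_actions(parse_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed input this raises one alert, for `admin:42`, with five distinct subjects; the single self-service export and the two deletions by `admin:7` stay below the threshold. The alert is a triage input, not a containment trigger: a legitimate support or migration job produces the same shape, so the threshold needs tuning against real traffic, and the distinct-subject list is what matters for scoping a later Art. 33/34 notification.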

3. Containment & eradication

  • Rotate affected credentials (Supabase service-role key, Cron secret, Lovable API key, field-encryption master key), scoped to what the incident actually touched.
  • Revoke active sessions for impacted users; force re-authentication and MFA re-enrolment if warranted.
  • Quarantine affected rows, suspend affected sub-processor integrations and disable affected hooks.
  • Preserve evidence: snapshot logs, queue state and audit events.

4. Assessment

Within 24 hours of confirmation, the DPO assesses the likelihood and severity of harm to data subjects, taking into account the special-category nature of journal content (GDPR Art. 9) and the encryption state of affected data (AES-256-GCM envelope encryption at rest). Encryption counts as mitigation only where the relevant keys were not themselves exposed (Art. 34(3)(a)); if the master key was within the scope of the compromise, the affected data is assessed as if unencrypted. Findings are recorded in the incident register.

5. Notification timelines

  • Supervisory authority (GDPR Art. 33 / UK GDPR): within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to rights and freedoms; a notification made later than 72 hours is accompanied by the reasons for the delay.
  • Affected data subjects (Art. 34): without undue delay where the breach is likely to result in a high risk — by email to the address on file, with a status page mirror.
  • California (Cal. Civ. Code § 1798.82; CCPA/CPRA): written notice to affected residents in the most expedient time possible and without unreasonable delay, with a copy to the California Attorney General where more than 500 California residents are notified.
  • Other regimes (LGPD, PIPEDA, Australian Privacy Act NDB scheme, POPIA): notify the relevant regulator and affected individuals as required by local law.
  • Customers / sub-processor incidents: we publish status updates at /legal/trust and notify our sub-processor counterparties under our DPAs.

6. Post-incident review

Every confirmed incident is followed by a written post-mortem within 10 business days, including root cause, corrective actions, and updates to this page, the DPIA, and the RoPA where relevant.