Trust Center
NDB and incident response
Last reviewed: 2026-05-25
This page is the public summary of how Compliance Care prepares for and responds to a security incident, including obligations under the Australian Notifiable Data Breaches (NDB) Scheme (Part IIIC of the Privacy Act 1988 (Cth)).
The full internal runbook lives at docs/security/ndb-workflow.md and docs/runbooks/incident-response.md. Customers and auditors can request to walk through the internal runbook under NDA.
How we detect
- Supabase logs are streamed to centralised log aggregation and an error-monitoring service from day one of the production environment.
- Application alerts fire on auth-failure spikes, RLS-policy denials in anomalous patterns, and Stripe webhook signature failures.
- Audit-event invariants. The append-only
audit_eventstable is checked nightly for hash-chain breaks and gap conditions. A break or gap is itself an incident. - Sub-processor advisories. We monitor sub-processor security advisories and treat a sub-processor breach affecting our scope as our own incident.
- Customer reports. A customer or third party can report a suspected incident to
security@compliancecare.com.au. Reports are acknowledged within two business days; high-severity reports trigger the runbook immediately.
How we respond
The runbook works to fixed time targets from the point of awareness:
| Phase | Target | What happens |
|---|---|---|
| Isolate | 1 hour | Contain the suspected blast radius. Rotate any credential believed exposed. Disable affected sessions. Snapshot for forensics. |
| Assess | 4 hours | Scope: which tenants, which data classes, what likelihood of access by an unauthorised party. Decide preliminary severity. |
| Notify affected providers | 24 hours | Contact each affected tenant's nominated point of contact with what is known so far, what we are doing, and when we will next update them. Updates continue at least daily until resolution. |
| OAIC NDB notification | Within 30 days of awareness, or sooner if assessment concludes the event is an Eligible Data Breach | Notify the Office of the Australian Information Commissioner using the standard form. Notify affected individuals as required under the Scheme. |
NDB Scheme readiness — summary
Compliance Care holds personal information in the course of acting as a service provider to NDIS providers. We treat ourselves as bound by the NDB Scheme in respect of personal information we hold.
We maintain:
- A documented assessment procedure for whether an event is an Eligible Data Breach (unauthorised access or disclosure / loss, with likely risk of serious harm).
- A template OAIC notification.
- A template tenant notification.
- A template individual notification (for use by the affected tenant where they are the entity making the individual-level notification, with our supporting information).
- A retained outside-counsel relationship for high-severity events.
What we publish after an incident
For every incident that results in any notification to a tenant (whether or not it becomes an Eligible Data Breach), a post-incident summary is published here within 30 days of resolution. The summary includes: the date and duration; the data classes potentially affected; the root cause; and the remediation actions. Tenant-identifying information is not published.
| Date | Summary |
|---|---|
| (none yet) |
Reporting an incident to us
- Suspected security incident:
security@compliancecare.com.au. PGP key fingerprint and reporting guidance will be added to this page once published. - Privacy or data-subject request:
privacy@compliancecare.com.au.
Acknowledged within two business days. High-severity reports trigger the runbook immediately on receipt.
Change log
| Date | Change |
|---|---|
| 2026-05-25 | Initial publication. |
