Version 1.0
Effective Date: January 1, 2025
This document outlines Legacy Ready's procedure for detecting, assessing, and responding to data breaches. We publish this procedure for transparency so our users understand how we handle security incidents.
Legacy Ready employs continuous monitoring and logging to detect potential security incidents. Sources of detection include automated alerts from infrastructure monitoring, audit log anomaly detection, reports from employees or contractors, reports from users or external security researchers, and notifications from Sub-Processors (Supabase, Resend, Vercel). Upon detection of a potential incident, the security team will immediately begin an assessment to determine the scope, severity, and nature of the event.
Confirmed unauthorized access to unencrypted user data, encryption key exposure, authentication system compromise, or active exploitation. Requires immediate response and notification within 24 hours.
Confirmed unauthorized access to encrypted data (without key compromise), unauthorized access to metadata or audit logs, or a vulnerability that could lead to data exposure. Notification within 48 hours.
Attempted unauthorized access (blocked), vulnerability discovered but not exploited, or Sub-Processor incident not directly affecting user data. Notification within 72 hours if user data was potentially affected.
Security-relevant event that does not involve data exposure or compromise. Logged and reviewed as part of regular security operations. No user notification required.
Legacy Ready commits to the following notification timelines:
Breach notifications will include the nature and description of the incident, the date and time of discovery, the categories and approximate number of affected individuals, the categories of data involved, an assessment of whether client-side encrypted data was at risk (noting that encrypted data without key compromise remains protected), the likely consequences of the breach, measures taken and proposed to address the breach and mitigate its effects, and contact information for further inquiries.
Affected users will be notified via the email address associated with their account. If the breach involves a professional account's client data, both the professional (Controller) and the affected clients will be notified. Notifications will include clear language about what happened, what data was involved, recommended protective actions, and how to contact us for more information. We will not require affected users to click links or provide credentials in breach notifications.
Depending on the nature and severity of the breach, remediation may include immediate containment and isolation of affected systems, forced password resets for affected accounts, revocation and rotation of affected credentials and tokens, enhanced monitoring of affected accounts, patching of exploited vulnerabilities, engagement of external forensic specialists if warranted, and cooperation with law enforcement as appropriate.
After each security incident, we conduct a post-incident review that includes a detailed timeline of the incident, root cause analysis, assessment of the effectiveness of our response, identification of improvements to prevent recurrence, updates to security procedures and controls as necessary, and documentation of lessons learned. The findings of post-incident reviews are used to improve our security posture and update this procedure as needed.
If you discover a security vulnerability or suspect a data breach, please report it immediately to security@legacyready.co. We take all reports seriously and will respond within 24 hours. We ask that you provide a description of the vulnerability or incident, steps to reproduce (if applicable), and your contact information for follow-up. We will not take legal action against security researchers who report vulnerabilities in good faith and in accordance with responsible disclosure practices.