Incident Response Process
This document describes how LevelSixLabs detects, contains, investigates, and reports security incidents and personal data breaches, including our UK GDPR notification commitments.
1. Purpose and scope
This process applies to any actual or suspected security incident affecting the confidentiality, integrity, or availability of the LevelSixLabs platform or the data it holds — including personal data breaches as defined by the UK GDPR.
2. What counts as an incident
- Unauthorised access to, or disclosure of, customer or personal data
- Loss or accidental destruction of data
- Unauthorised alteration of data
- Compromise of credentials, access tokens, or infrastructure
- Successful exploitation of a vulnerability in the platform or a sub-processor
- Prolonged unavailability of the service, or loss of access to data, where it affects the integrity or availability of customer or personal data
- A personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
3. Severity levels
| Level | Definition | Target initial response |
|---|---|---|
| Critical | Confirmed breach of personal data, or active compromise of production systems | Immediate — within 1 hour |
| High | Suspected breach, or vulnerability with high likelihood of data exposure | Within 4 hours |
| Medium | Contained issue with limited impact and no confirmed data exposure | Within 1 business day |
| Low | Minor issue, no data impact (e.g. isolated misconfiguration) | Within 3 business days |
4. Response lifecycle
1. Detection & reporting. Incidents may be identified through monitoring, provider alerts (Supabase, Vercel, Stripe), error tracking, or external reports to security@levelsixlabs.com. All reports are logged with a timestamp.
2. Triage & severity assignment. The incident is assessed, assigned a severity level, and an owner is designated to coordinate the response.
3. Containment. Immediate steps to limit impact — e.g. revoking compromised credentials/tokens, disabling affected accounts, isolating systems, or rolling back a deployment.
4. Investigation. Determine the root cause, the scope of affected data and data subjects, and the timeline, using audit logs and provider logs.
5. Eradication & recovery. Remove the cause, patch the vulnerability, restore from known-good backups where needed, and verify integrity before restoring normal service.
6. Notification. Notify affected customers, and the ICO and/or data subjects where required (Section 5).
7. Post-incident review. Document the incident, lessons learned, and corrective actions to reduce the likelihood of recurrence.
5. Notification commitments (UK GDPR)
- Where LevelSixLabs is a processor: we notify the affected customer (controller) without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting their data.
- Where LevelSixLabs is a controller (our own account/billing data) and the breach is likely to result in a risk to individuals' rights and freedoms: we notify the ICO within 72 hours of becoming aware.
- Where the breach is likely to result in a high risk to individuals: we notify affected data subjects without undue delay.
Each notification will include, to the extent known:
- The nature of the breach and categories/approximate number of data subjects and records affected
- The name and contact details of our data protection contact
- The likely consequences of the breach
- The measures taken or proposed to address it and mitigate adverse effects
6. Roles and responsibilities
| Role | Responsibility |
|---|---|
| Incident owner | Coordinates the end-to-end response and decision-making |
| Technical lead | Containment, investigation, eradication and recovery |
| Data protection contact | Assesses notification obligations and liaises with the ICO and affected parties |
| Customer communications | Drafts and sends customer notifications and status updates |
7. Record-keeping
All personal data breaches are documented — including the facts, effects, and remedial action taken — regardless of whether they are notifiable, in line with UK GDPR accountability requirements. The platform's audit log supports forensic investigation of in-app actions.
8. Testing and review
This process is reviewed at least annually and after any significant incident. As the platform matures, response procedures and tooling are refined accordingly. Questions about this process can be directed to security@levelsixlabs.com.
LevelSixLabs Ltd
Registered in Scotland, United Kingdom.
For any questions about this document, contact us at privacy@levelsixlabs.com