Internal document
Data Breach Response Plan
Procedures for identifying, containing, and reporting data breaches under PIPEDA.
This plan outlines VoiceBloom's response procedures in the event of a data breach affecting personal information, as required by the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Breach of Security Safeguards Regulations.
1. Detection and assessment
Monitoring
VoiceBloom monitors for unauthorised access through:
- Supabase audit logs for database access anomalies
- Vercel deployment logs for unauthorised changes
- Stripe webhook alerts for suspicious payment activity
- User-reported incidents via info@voicebloom.ca
Assessment criteria
When a potential breach is identified, assess immediately:
- What personal information was involved? (names, emails, child data, payment info)
- How many individuals are affected?
- Was the information encrypted at the time of the breach?
- Is the breach ongoing or has it been contained?
- Is there a real risk of significant harm to individuals?
Significant harm factors (PIPEDA s. 10.1)
Consider whether the breach could result in:
- Identity theft or fraud
- Financial loss
- Damage to reputation
- Humiliation or embarrassment
- Physical harm (especially relevant for vulnerable children)
- Loss of employment, business, or professional opportunities
2. Containment and investigation
Immediate containment steps
- Revoke all potentially compromised API keys and credentials (Supabase, Stripe, Anthropic, Resend)
- Rotate database passwords and service role keys
- If a user account is compromised, force a password reset for affected accounts
- Disable any compromised API endpoints
- Review and restrict Supabase Row Level Security policies if needed
Investigation
- Review Supabase audit logs to determine what data was accessed
- Review Vercel function logs for unauthorised API calls
- Identify the attack vector (leaked credentials, vulnerability, social engineering)
- Determine the full scope of affected records
- Document findings with timestamps
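The audit-log review, scoping and timestamped documentation steps above can be partly automated. The following is an added example, not VoiceBloom's own tooling: it parses constructed audit lines in a pgaudit-style CSV layout (the leading timestamp and role prefix is an assumed export format), keeps only events from the suspected compromised role inside the suspected compromise window, and produces a per-table summary plus chronological findings for the incident record. The table names `public.users` and `public.child_profiles`, the role name `service_role` and the sample statements are all assumed for the demonstration.

```python
"""Breach-investigation helper for the audit-log review steps above.

Added example, not VoiceBloom's own tooling. It assumes database audit lines
in a pgaudit-style CSV layout, prefixed with a UTC timestamp and the connecting
role (an assumed export format); the sample lines below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines:
# "<timestamp> <role> AUDIT: SESSION,stmt,sub,class,command,object type,object name,statement,params"
SAMPLE_AUDIT_LOG = """\
2026-04-10T02:14:05Z service_role AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.child_profiles,"SELECT * FROM child_profiles",<none>
2026-04-10T02:14:09Z service_role AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.users,"SELECT email FROM users",<none>
2026-04-10T02:15:40Z authenticated AUDIT: SESSION,3,1,READ,SELECT,TABLE,public.sessions,"SELECT * FROM sessions WHERE user_id = $1","'u-123'"
2026-04-10T02:16:02Z service_role AUDIT: SESSION,4,1,WRITE,UPDATE,TABLE,public.users,"UPDATE users SET role = 'admin' WHERE id = $1","'u-999'"
2026-04-10T09:00:00Z service_role AUDIT: SESSION,5,1,READ,SELECT,TABLE,public.child_profiles,"SELECT id FROM child_profiles LIMIT 1",<none>
"""

# Assumed: the tables that hold personal information (names, emails, child data)
SENSITIVE_TABLES = {"public.users", "public.child_profiles"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    role: str
    cls: str        # pgaudit class, e.g. READ or WRITE
    command: str    # SQL command, e.g. SELECT
    obj: str        # fully qualified object name
    statement: str


def _utc(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as timezone-aware UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Turn raw audit lines into AuditEvent records, skipping blank lines."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        head, _, body = raw.partition(" AUDIT: ")
        stamp, role = head.split(" ", 1)
        fields = next(csv.reader(io.StringIO(body)))  # csv handles the quoted statement column
        events.append(AuditEvent(_utc(stamp), role, fields[3], fields[4], fields[6], fields[7]))
    return events


def _is_bulk_read(ev: AuditEvent) -> bool:
    """Heuristic: a READ of a sensitive table with no WHERE clause is treated as a whole-table dump."""
    return ev.cls == "READ" and ev.obj in SENSITIVE_TABLES and " WHERE " not in ev.statement.upper()


def scope_breach(events, compromised_role, start, end):
    """Summarise what the compromised role touched between start and end (inclusive).

    Returns (summary, findings): summary maps object name -> commands seen,
    first/last timestamp and event count; findings is a chronological list of
    timestamped notes for the incident record. Row counts per table must come
    from the database itself; the log only shows which objects were touched.
    """
    summary: dict[str, dict] = {}
    findings: list[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.role != compromised_role or not (start <= ev.ts <= end):
            continue
        entry = summary.setdefault(ev.obj, {"commands": set(), "first": ev.ts, "last": ev.ts, "count": 0})
        entry["commands"].add(ev.command)
        entry["last"] = ev.ts
        entry["count"] += 1
        stamp = ev.ts.isoformat()
        if _is_bulk_read(ev):
            findings.append(f"{stamp} bulk read of personal information from {ev.obj} by {ev.role}: {ev.statement}")
        elif ev.cls == "WRITE":
            findings.append(f"{stamp} data modified in {ev.obj} by {ev.role}: {ev.statement}")
    for entry in summary.values():
        entry["commands"] = tuple(sorted(entry["commands"]))
    return summary, findings


def investigate(log_text, compromised_role, start_stamp, end_stamp):
    """Convenience wrapper taking ISO 'Z' timestamps for the suspected compromise window."""
    return scope_breach(parse_audit_log(log_text), compromised_role, _utc(start_stamp), _utc(end_stamp))


if __name__ == "__main__":
    summary, findings = investigate(SAMPLE_AUDIT_LOG, "service_role",
                                    "2026-04-10T02:00:00Z", "2026-04-10T03:00:00Z")
    for obj, entry in summary.items():
        print(f"{obj}: {entry['commands']} x{entry['count']} "
              f"between {entry['first'].isoformat()} and {entry['last'].isoformat()}")
    for line in findings:
        print(line)
```

The window filter is what keeps the scope honest: activity by the same role outside the suspected compromise window (the 09:00 read in the sample) is excluded from the summary unless the window is widened deliberately, and each finding carries the original timestamp so it can be copied straight into the incident record.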
3. Notification requirements (PIPEDA)
When notification is required
Under PIPEDA section 10.1, VoiceBloom must report a breach to the Privacy Commissioner of Canada and notify affected individuals if the breach creates a real risk of significant harm.
Notify the Privacy Commissioner of Canada
- When: As soon as feasible after determining a real risk of significant harm exists
- How: Submit a breach report via the Office of the Privacy Commissioner's online form
- Phone: 1-800-282-1376
- Include: Description of the breach, types of personal information involved, number of individuals affected, steps taken to reduce risk, contact information
Notify affected individuals
- When: As soon as feasible after determining a real risk of significant harm
- How: Direct notification by email to affected users
- Include: Description of what happened, what personal information was involved, steps VoiceBloom is taking, steps the individual can take to protect themselves, contact information for questions
Record keeping
PIPEDA requires VoiceBloom to keep a record of every breach of security safeguards involving personal information under its control, regardless of whether it met the threshold for reporting. Records must be retained for at least 24 months.
4. User notification template
Subject: Important security notice about your VoiceBloom account
Dear [Name],
We are writing to inform you of a security incident that may have affected your personal information on VoiceBloom.
What happened:
On [date], we identified [description of breach]. We immediately [containment steps taken].
What information was involved:
The following types of personal information may have been affected: [list — e.g., email addresses, child profile names, session data].
What we are doing:
We have [steps taken — e.g., revoked compromised credentials, patched the vulnerability, engaged a security review]. We have reported this incident to the Privacy Commissioner of Canada.
What you can do:
- Change your VoiceBloom password immediately
- If you use the same password elsewhere, change those passwords too
- Monitor your accounts for suspicious activity
- Review your child's profile data in your account settings
Contact us:
If you have questions, please contact us at info@voicebloom.ca.
We sincerely apologise for this incident and are committed to protecting your family's data.
The VoiceBloom Team
5. Reporting to authorities
Office of the Privacy Commissioner of Canada
Information to provide
- Organisation name and contact details (VoiceBloom, info@voicebloom.ca)
- Description of the circumstances of the breach
- Date or estimated date of the breach
- Type of personal information involved
- Number of individuals affected
- Steps taken to reduce risk of harm
- Steps taken to notify affected individuals
6. Post-breach actions
- Conduct a full security review of all systems and access controls
- Rotate all API keys and credentials across Supabase, Stripe, Anthropic, Vercel, and Resend
- Review and tighten Row Level Security policies
- Update security headers and CORS configuration if relevant
- Engage an independent security assessment if the breach was severe
- Update this response plan with lessons learned
- Brief the team on what happened and how to prevent recurrence
- Publish a transparent post-incident report if appropriate
7. Contact information
Security and privacy contact: info@voicebloom.ca
Privacy Officer: Contact via info@voicebloom.ca
Website: voicebloom.ca
This plan was last reviewed on April 13, 2026. It should be reviewed and updated at least annually or after any security incident.