
Data Breach Process

Last updated: 16 April 2026

This page documents how Crocker Digital Ltd (operator of CraftCert) identifies, assesses, notifies, and remediates a personal-data breach. It is intended for users, prospective customers, the Information Commissioner's Office, and auditors. If you believe a breach has occurred, jump straight to section 7.

1. What counts as a personal-data breach

Under UK GDPR Article 4(12), a personal-data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The three classical categories are:

  • Confidentiality breach: unauthorised or accidental disclosure of, or access to, personal data.
  • Integrity breach: unauthorised or accidental alteration of personal data.
  • Availability breach: accidental or unauthorised loss of access to, or destruction of, personal data — including permanent loss of encryption keys, ransomware, and prolonged outages where the data is inaccessible.

We treat any confirmed incident in one of these categories as a breach and start the process in section 2, even before we have decided whether external notification is required.

2. Timeline at a glance

The clock for ICO notification under Article 33(1) starts when Crocker Digital Ltd becomes “aware” of the breach. “Aware” means we have a reasonable degree of certainty that a security incident has occurred and that it has led to personal data being compromised — not merely when a suspicious signal reaches us.

  • T0 — Detection. Suspicious signal received (monitoring alert, user report, subprocessor notification, security researcher disclosure). Triage begins.
  • T0 + up to 24 hours — Internal assessment complete. Our internal target is to complete the initial assessment within 24 hours of T0. The assessment determines whether a breach has occurred, the categories and approximate volume of data affected, whether it poses a risk to individuals, and whether ICO notification is required. This 24-hour target is a CraftCert commitment — not a regulatory deadline — and it is designed so the 72-hour ICO window cannot slip because of internal delay.
  • T0 + up to 72 hours — ICO notification (if required). If the assessment concludes that the breach is likely to result in a risk to the rights and freedoms of individuals, we notify the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33(1). If we miss the 72 hours for any reason, the notification is still submitted and is accompanied by the reasons for the delay.
  • Without undue delay — Notifying affected individuals (if required). If the breach is likely to result in a high risk to individuals' rights and freedoms, affected users are notified directly without undue delay under Article 34(1). In practice we aim to complete user notification within 72 hours of confirming the breach affects identifiable individuals, unless an ongoing forensic investigation or law-enforcement request requires us to wait.

3. Stage 1 — Detection and triage (T0 to T0 + 24h)

All breach signals funnel to support@craftcert.co.uk, which is monitored during UK business hours and paged out of hours for Sentry-flagged production errors matching our security incident ruleset (authentication anomalies, row-level-security policy failures, webhook signature failures, Stripe dispute spikes).

Within the first 24 hours we:

  • Acknowledge the signal and create a tracked incident with a unique reference (CCI-YYYYMMDD-NN).
  • Identify and contain the immediate cause — revoke compromised credentials, rotate affected secrets, isolate any affected subprocessor integrations, disable the exploited code path if applicable.
  • Preserve logs, database audit entries, and relevant Stripe, Supabase, and Netlify event streams for forensic analysis. The CraftCert audit_log table and Supabase database logs are the primary evidence sources.
  • Scope the breach: identify affected users, categories of data, and approximate volume. The following data categories are the ones we process and therefore the ones in scope of any incident: account email and name, product and formulation data, Stripe customer references, and login session tokens. We do not process payment card data (Stripe handles that directly).
  • Decide whether ICO notification is required using the UK GDPR risk-based test and document the reasoning — whether or not the test results in notification.

4. Stage 2 — ICO notification (by T0 + 72h)

If the assessment concludes that notification is required, we submit a breach report to the ICO via their online form at ico.org.uk/for-organisations/report-a-breach/, or by phoning the ICO helpline on 0303 123 1113 if the form is unavailable.

The report includes the mandatory Article 33(3) content:

  • The nature of the breach, including categories and approximate numbers of data subjects and records concerned.
  • Name and contact details of the controller (Crocker Digital Ltd) and, where applicable, of the Data Protection Officer or single point of contact.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach and mitigate its adverse effects, including, where appropriate, measures to mitigate risk to individuals.

Where information is not fully available within 72 hours, the initial notification flags the missing fields and is followed by a Phase 2 update without undue delay, as Article 33(4) expressly permits.

5. Stage 3 — Notifying affected individuals

If the breach is likely to result in a high risk to affected individuals, those individuals are notified directly under Article 34. The notification is sent by email from security@craftcert.co.uk to the email address associated with the affected account. Each notification includes, in plain English:

  • The nature of the breach.
  • Contact details of the single point of contact for further information.
  • Likely consequences for the individual and concrete steps we recommend — for example, rotating passwords used across services, enabling MFA where supported, watching for phishing that references CraftCert.
  • Measures we have taken to address the breach and to prevent recurrence.

If the volume of affected individuals makes direct notification disproportionate, we will additionally publish a notice on /security and in signed-in dashboard banners, and cooperate with the ICO on any required public communication, in line with Article 34(3)(c).

6. Stage 4 — Post-incident review

Within 14 days of closing the incident, Crocker Digital Ltd completes and retains a written post-incident review covering:

  • Detection-to-containment and containment-to-notification timelines.
  • Root cause and contributing factors.
  • Remediation actions with owners and target completion dates (code fixes, configuration changes, process changes, vendor changes).
  • An update to our risk register and, where appropriate, to this page or to the /security page so the description of our controls stays accurate.

We retain breach records and post-incident reviews internally for at least three years, which meets or exceeds ICO expectations under Article 33(5) (the accountability requirement to document all breaches, regardless of whether they were notifiable).

7. How to report a suspected breach

If you believe you have discovered a security vulnerability or a personal-data breach affecting CraftCert:

  • Email support@craftcert.co.uk with the subject line “Security Report”.
  • Describe what you observed and how to reproduce it. Include the exact URL, the approximate UTC time, any error messages, and the steps you took.
  • Do not publicly disclose until we have had a reasonable opportunity to investigate and fix. Our target is to acknowledge receipt within 24 hours and resolve confirmed issues within 14 days.

8. Escalating to the ICO directly

If you are dissatisfied with how Crocker Digital Ltd has handled a breach that affects you, you have the right to complain directly to the Information Commissioner's Office:

  • ico.org.uk/make-a-complaint/
  • Phone: 0303 123 1113 (local rate)
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Using our process first is not a prerequisite for contacting the ICO, but the ICO typically asks whether you have.

9. Contact

Crocker Digital Ltd, Company No. 17008789
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
support@craftcert.co.uk