🔐 Data Breach Response Plan

Effective Date: 25/02/2026

Entity: BettaLearn Pty Ltd | Location: Sydney, Australia

1. Purpose

This Data Breach Response Plan outlines the procedures BettaLearn Pty Ltd (“BettaLearn”) will follow in the event of a suspected or confirmed data breach involving personal information.

The purpose of this Plan is to:

  • Contain and mitigate harm
  • Protect users, particularly minors
  • Comply with applicable privacy laws
  • Ensure timely notification where required

2. Definition of a Data Breach

A data breach includes:

  • Unauthorized access to personal information
  • Unauthorized disclosure of personal information
  • Loss of personal information in circumstances where unauthorized access or disclosure is likely to occur

This includes breaches involving:

  • Parent accounts
  • Student accounts
  • Educator accounts
  • Payment-related information
  • Authentication credentials

3. Immediate Response (Within 0–24 Hours)

Upon becoming aware of a suspected breach:

Step 1: Containment

  • Secure affected systems
  • Disable compromised accounts and revoke their active sessions
  • Reset credentials, API keys and tokens believed to be compromised
  • Isolate impacted servers or databases
  • Preserve logs and system state before any rebuild or wipe, so that the cause and scope of the breach can still be established

Step 2: Internal Escalation

Notify:

  • Company Director(s)
  • Privacy Officer (if appointed)
  • Technical lead / developer

Record:

  • Date and time discovered
  • How the breach was identified
  • Systems affected
  • Containment actions taken, with timestamps

4. Assessment (Within 24–48 Hours)

Conduct an urgent risk assessment:

  • What information was involved?
  • Was Student data affected?
  • Was sensitive information exposed?
  • Was the data encrypted, and were the encryption keys also exposed?
  • What is the likelihood of harm?

Assess potential risks including:

  • Identity theft
  • Fraud
  • Child safety risks
  • Reputational harm

Document all findings.

5. Legal Notification Requirements

If the breach is likely to result in serious harm to any affected individual, BettaLearn will notify the relevant authorities as required in each jurisdiction concerned.

🇦🇺 Australia

Notify the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme as soon as practicable. Where it is unclear whether a breach is notifiable, the assessment must be completed within 30 days of BettaLearn becoming aware of it.

🇬🇧 United Kingdom

Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals’ rights and freedoms.

🇨🇦 Canada

Notify the Office of the Privacy Commissioner of Canada as soon as feasible if there is a real risk of significant harm, and keep a record of every breach of security safeguards, whether or not it is reported.

🇳🇿 New Zealand

Notify the Office of the Privacy Commissioner as soon as practicable where the breach has caused, or is likely to cause, serious harm.

🇺🇸 United States

Comply with the data breach notification law of each state in which affected individuals reside.

6. User Notification

Where required by law or where serious harm is likely, affected users will be notified promptly.

Notifications will include:

  • Description of the breach
  • Types of information involved
  • Steps taken to contain it
  • Recommended user actions
  • Contact details for further support

If Student data is involved, Parents will be notified directly.

7. Communication Protocol

All public communication must be:

  • Accurate
  • Transparent
  • Approved by Director(s)
  • Not speculative

Staff must not comment publicly without authorization.

8. Remediation Measures

Following a breach, BettaLearn will:

  • Patch the vulnerabilities that enabled the breach
  • Strengthen access controls
  • Rotate any remaining credentials and secrets
  • Enhance monitoring systems
  • Review third-party provider security
  • Conduct a post-incident review to establish the root cause

9. Documentation

Maintain an internal breach register recording:

  • Date of incident
  • Nature of breach
  • Number of affected users
  • Risk assessment outcome
  • Notifications made
  • Remedial actions taken

Records must be retained for compliance purposes, including records of breaches assessed as not requiring notification.

10. Preventative Measures

BettaLearn commits to:

  • Secure hosting environments
  • Encrypted connections (HTTPS)
  • Role-based access controls
  • Limited internal data access
  • Secure payment processing via Stripe/PayPal
  • Regular software and dependency updates

11. Training & Awareness

Directors and relevant team members must:

  • Understand breach reporting obligations
  • Know internal escalation procedures
  • Review this Plan annually

12. Plan Review

This Plan will be reviewed:

  • Annually
  • After any data breach
  • Following significant platform updates