Severity classification

How we classify incidents

Every incident is assigned a priority level at detection. The level determines response speed, escalation path, and communication obligations.

P0 Critical: Active data breach, confirmed customer data exposed, or complete service outage. All hands. Immediate escalation to leadership and legal counsel.
P1 High: Significant service degradation or potential data exposure under active investigation. Engineering lead engaged immediately.
P2 Medium: Isolated incident with no confirmed data risk and minor service impact. Handled by on-call engineer within normal working hours.
P3 Low: Individual customer issue, abuse report, or non-urgent operational matter. Acknowledged within 24 hours.

Response commitments

What you can expect from us

These are our commitments for incidents that affect your account or the services you depend on.

| Commitment | P0 Critical | P1 High | P2 Medium |
| --- | --- | --- | --- |
| Status page update | Within 15 minutes of detection | Within 30 minutes | Within 2 hours |
| Initial customer notification | Within 1 hour if your data is affected | Within 2 hours if your service is impacted | Via status page |
| Progress updates | Every 30 minutes until resolved | Every hour until resolved | On resolution |
| Post-incident report | Within 5 business days | Within 5 business days | On request |

Communication

How we reach you during an incident

We use multiple channels to make sure the right people know about an incident as quickly as possible.

1. Status page
All incidents are posted to our status page in real time. Bookmark it and subscribe to email or RSS updates. This is always the authoritative source for current service health.
2. Direct email to your account
For P0 and P1 incidents that affect your data or cause material service disruption, we email your account's primary contact directly — we don't rely on you to find the status page.
3. Post-incident report
For P0 and P1 incidents we publish a written post-incident report covering the timeline, root cause, contributing factors, and the specific steps taken to prevent recurrence.
4. Direct contact for data incidents
If your personal data is involved in a breach, we contact you directly via the email address on your account — before we notify the OAIC, and regardless of the number of individuals affected.

Privacy Act compliance

Notifiable Data Breaches (NDB) scheme

Obsidia is an Australian entity subject to the Privacy Act 1988. The Notifiable Data Breaches scheme (Part IIIC) requires us to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm.

We take this obligation seriously and have documented processes in place to meet it.

Our NDB process
30-day assessment — when we become aware of a potential eligible data breach, we begin a formal assessment immediately. We have 30 days to determine whether the breach meets the eligible data breach test under s 26WE of the Privacy Act.

Notification to the OAIC — if the breach is eligible, we notify the OAIC via the online NDB eForm as soon as practicable — we do not wait until day 30.

Notification to affected individuals — we notify affected individuals directly by email wherever possible. If direct notification is not practicable, we post a prominent notice on this site and the status page.

Documentation — we document every incident assessment and its outcome, regardless of whether notification was required. These records are retained for a minimum of five years.

For more information about the NDB scheme, visit oaic.gov.au/privacy/notifiable-data-breaches.

Contact

Report an incident or privacy concern

If you believe you have identified a security vulnerability, a potential data breach, or have a privacy concern, contact us immediately. We treat all reports seriously and respond within one business day.

Security incidents: security@obsidia.com.au (Vulnerabilities & breach reports)
Privacy enquiries: privacy@obsidia.com.au (APP requests, NDB notifications)
General support: support@obsidia.com.au (Account & service issues)