Morphee Data Breach Response Plan
DRAFT — Requires legal review before adoption.
This document was generated as part of GDPR compliance work (Art. 33, Art. 34). It must be reviewed by qualified legal counsel and adopted as an organizational policy.
Last updated: 2026-02-13
1. Purpose
This plan establishes the process for detecting, containing, assessing, notifying, and remediating personal data breaches affecting Morphee users, in compliance with GDPR Articles 33 and 34.
2. Definitions
- Personal data breach (Art. 4(12)): A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- Supervisory authority: The relevant data protection authority (e.g., CNIL for France, ICO for UK).
- Data subjects: Morphee users whose personal data is affected.
3. Breach Response Team
| Role | Responsibility | Contact |
|---|---|---|
| Incident Lead | [To be assigned] | Coordinates the response, makes notification decisions |
| Technical Lead | [To be assigned] | Investigates root cause, implements containment |
| Legal/DPO | Sébastien Mathieu (privacy@morphee.app) | Assesses legal obligations, drafts notifications |
| Communications | [To be assigned] | Handles user and public communications |
4. Detection
4.1 Current Detection Capabilities
- Application logs (structured JSON via
get_logger) - Database audit trail (PostgreSQL logs)
- Authentication events (Supabase Auth logs)
4.2 Planned Detection Improvements
- Security event monitoring (Sentry or equivalent)
- Failed authentication rate alerting
- Anomalous data access pattern detection
- Database query auditing for bulk data access
- File integrity monitoring for Git memory repos
4.3 Reporting Channels
Any team member who suspects a breach must immediately report to the Incident Lead via:
- Email: [security@morphee.app]
- Emergency phone: [To be determined]
5. Response Procedure
Phase 1: Containment (0-4 hours)
- Confirm the breach — verify that personal data was actually compromised
- Contain the breach — take immediate action to stop ongoing data loss:
- Revoke compromised credentials/tokens
- Isolate affected systems
- Block malicious IP addresses
- Disable affected user accounts if necessary
- Preserve evidence — save relevant logs, database states, and system snapshots
- Assess scope — determine which data, users, and systems are affected
Phase 2: Assessment (4-24 hours)
Evaluate the breach against the following criteria:
| Factor | Assessment |
|---|---|
| Nature of data | What types of personal data? (names, emails, conversations, AI memories, credentials) |
| Volume | How many data subjects affected? |
| Sensitivity | Does it include children's data, health info, or financial data? |
| Consequences | Risk of identity theft, discrimination, financial loss, reputational damage? |
| Reversibility | Can the breach effects be reversed? |
| Encryption | Was the data encrypted? (reduces risk assessment) |
Phase 3: Notification (24-72 hours)
Supervisory Authority (Art. 33) — within 72 hours
Must notify unless the breach is unlikely to result in a risk to rights and freedoms.
Notification must include:
- Nature of the breach (categories and approximate number of data subjects/records)
- Name and contact details of DPO or other contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach
How to notify:
- France (CNIL): https://notifications.cnil.fr/notifications/
- UK (ICO): https://ico.org.uk/for-organisations/report-a-breach/
- Other: Contact the relevant national DPA
Data Subjects (Art. 34) — without undue delay
Must notify if the breach is likely to result in a high risk to rights and freedoms.
Notification must include:
- Description of the breach in clear and plain language
- Name and contact details of DPO or other contact point
- Likely consequences
- Measures taken or proposed, including mitigation steps users should take
How to notify:
- Email to affected users
- In-app notification banner
- Privacy page update on the website
Exceptions to user notification (Art. 34(3)):
- Data was encrypted (unintelligible to unauthorized persons)
- Subsequent measures ensure high risk is no longer likely
- Individual notification would involve disproportionate effort (use public communication instead)
Phase 4: Remediation (1-4 weeks)
- Root cause analysis — determine how the breach occurred
- Fix the vulnerability — implement technical/organizational fixes
- Review security measures — update security controls
- Update this plan — incorporate lessons learned
- Re-test — verify the fix prevents recurrence
6. Breach Register (Art. 33(5))
All breaches must be logged, regardless of notification obligation.
Template
| Field | Value |
|---|---|
| Breach ID | BREACH-YYYY-NNN |
| Date detected | |
| Date occurred | |
| Date contained | |
| Description | |
| Data categories | |
| Data subjects affected | |
| Approximate count | |
| Risk assessment | Low / Medium / High |
| SA notified | Yes / No (with justification if No) |
| SA notification date | |
| Users notified | Yes / No (with justification if No) |
| User notification date | |
| Root cause | |
| Remediation actions | |
| Lessons learned |
7. Morphee-Specific Risk Scenarios
| Scenario | Risk Level | Data at Risk | Response Priority |
|---|---|---|---|
| Database compromise | Critical | All user data (emails, names, conversations, memories) | Immediate containment, rotate all credentials |
| Anthropic API key leak | High | Future conversations exposed | Rotate API key, audit recent API calls |
| Supabase Auth compromise | Critical | User credentials, JWTs | Force password resets, revoke all sessions |
| Git memory repo access | Medium | AI-extracted memories per group | Revoke access, assess affected groups |
| Google OAuth token theft | High | Calendar/email data for connected users | Revoke tokens, notify affected users |
| XSS/localStorage theft | High | JWTs for active sessions | Force session invalidation |
| Push token interception | Low | Device identifiers | Rotate affected tokens |
8. Review Schedule
This plan must be reviewed:
- After every breach incident
- At least annually
- When significant system changes are made
- When new data processing activities are added
This breach response plan was drafted on 2026-02-13 and requires legal review before adoption.