CoParentOS

Security

Incident Response

Version 1.0 · Effective 19 June 2026

Our commitment

CoParentOS maintains a documented incident response plan. When something goes wrong, we follow a structured process to contain the issue, investigate the cause, notify those affected, and prevent it from happening again.

How we detect incidents

We monitor for security issues through multiple channels:

  • Automated monitoring: Error rates, failed login patterns, and unusual API activity
  • Vendor notifications: Alerts from our infrastructure providers
  • Audit log review: Periodic review of system logs for anomalies
  • User reports: Issues reported to security@coparentos.com.au

Response process

Every suspected incident follows a defined lifecycle:

  1. Detection and reporting: Anyone who detects a suspected incident reports it immediately. Suspected incidents are triaged within 4 business hours.
  2. Assessment: We classify the severity and determine the scope. Is personal information involved? Is it likely to cause serious harm?
  3. Containment: We stop the incident from getting worse — revoking compromised credentials, isolating affected systems, preserving evidence.
  4. Investigation: We reconstruct what happened, how, and the full scope of impact.
  5. Remediation: We fix the vulnerability, restore services, and verify the fix.
  6. Notification: If required, we notify affected individuals and regulators (see below).
  7. Post-incident review: We document lessons learned and implement preventive measures.

Notifiable Data Breaches

Under Australia's Notifiable Data Breaches (NDB) scheme, we must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to result in serious harm.

We assess every incident involving personal information against the serious harm threshold:

  • Nature of information: Child data, financial records, and legal documents carry higher risk
  • Who accessed it: An unknown third party vs. an authorised user acting within scope
  • Potential harm: Could the information be used for identity theft, stalking, or harassment?
  • Remediation: Can the exposed data be recovered or deleted?

Notification timeline: assessment completed within 30 days of discovery; OAIC and affected individuals notified as soon as practicable after determining the breach is notifiable.

What we tell you

If your data is involved in a notifiable breach, you will receive:

  • A clear description of what happened and when
  • The types of information involved
  • Steps we've taken to contain and resolve the breach
  • Steps you can take to protect yourself
  • Contact information for further questions
  • Reference to the OAIC complaints process

Notification to both parents

Because CoParentOS household data is shared between two parents, we notify both parents of any data breach affecting the household — even if only one parent's data appears to have been exposed. Shared records mean shared interests.

Testing and improvement

  • Annual tabletop exercises: Simulated incident scenarios with the response team
  • Backup restoration testing: Verified quarterly
  • Credential rotation drills: Tested every 6 months
  • Post-incident reviews: Completed within 5 business days of resolution; lessons applied to prevent recurrence

Report a security concern

If you discover a security vulnerability or suspect a breach, contact us immediately at security@coparentos.com.au. We treat all reports seriously and aim to acknowledge them within 24 hours.

We support responsible disclosure. If you are a security researcher, please give us reasonable time to address the issue before publishing.