What happens when something goes wrong — and how we respond. This document covers Psychnex's detection-to-notification timeline, regulatory filing deadlines, severity classification system, and the procedures we follow to notify affected users.
24 hrs: NIS2 Early Warning
72 hrs: GDPR Supervisory Authority
72 hrs: CCPA Large-Scale Breach
30 days: GLBA Customer Notice
Deadlines are measured from the time of confirmed breach discovery.
This policy applies to all data security incidents involving Psychnex systems, services, and the personal information of Psychnex users — including Nonpublic Personal Financial Information (NPI), Personally Identifiable Information (PII), youth account data, and behavioral profile data processed by the Psychnex platform.
Psychnex is committed to transparency. We will notify affected users promptly, file all required regulatory reports within applicable deadlines, and publish a public incident summary whenever a breach results in user notification. We will not obscure, minimize, or delay notification for reputational reasons.
Example Incidents: Mass unauthorized access to user NPI/PII, database compromise, credential theft at scale
Response Target: 15-min detection → 1-hr containment → 24-hr regulatory notice → immediate user notification

Example Incidents: Limited unauthorized access to individual user records, single-account compromise, API key exposure
Response Target: 1-hr detection → 4-hr containment → 72-hr regulatory evaluation → individual user notification

Example Incidents: Attempted unauthorized access (blocked), exposed non-sensitive metadata, misconfigured public endpoint
Response Target: 4-hr detection → 24-hr containment → internal review only → no user notification unless data confirmed accessed

Example Incidents: Security configuration drift, expired certificate, failed brute-force with no access gained
Response Target: 24-hr detection → 72-hr remediation → logged to POA&M → no notification required
All timelines are for P1/P2 incidents.
CCPA / CPRA (California, USA)
Deadline: Expedient notice; no hard statutory deadline, but CPRA enforcement guidance implies ≤ 72 hours for large-scale breaches
Threshold: Unauthorized access to unencrypted PII of California residents
Who to Notify: California Attorney General (if 500+ residents affected); affected individuals
Method: Email + conspicuous website notice

GDPR (EU/EEA) (European Union / EEA)
Deadline: 72 hours from becoming aware of the breach
Threshold: Breach likely to result in risk to rights and freedoms of natural persons
Who to Notify: Relevant Supervisory Authority (e.g., DPC for Ireland, ICO for UK); affected individuals if high risk
Method: Formal notification to supervisory authority; individual notice if high risk

NIS2 Directive (EU / EEA; essential & important entities)
Deadline: 24-hour early warning; 72-hour full notification; 1-month final report
Threshold: Significant cybersecurity incident affecting services
Who to Notify: National CSIRT and/or competent authority
Method: NIS2 Incident Report form (/nis2-incident-report); CSIRT portal

GLBA Safeguards Rule (USA; financial institutions)
Deadline: 30 days from discovery of a notification event
Threshold: Unauthorized acquisition of unencrypted customer NPI affecting 500+ customers, or where there is reason to believe information will be misused
Who to Notify: FTC (via online portal); affected customers
Method: FTC Breach Report Portal; written notice to customers

COPPA (USA; child data, under 13)
Deadline: As expedient as possible, consistent with FTC requirements
Threshold: Any unauthorized access to personal information of children under 13
Who to Notify: FTC; affected parents / guardians; DOJ if criminal activity
Method: FTC notification; direct notice to parents via email on file

US-CERT / CISA (USA; federal contractors / critical infrastructure)
Deadline: 24 hours for significant cyber incidents (CIRCIA mandate)
Threshold: Significant cyber incident: unauthorized access to federal information systems or critical infrastructure
Who to Notify: CISA (via report.cisa.gov); FBI if criminal activity suspected
Method: CISA incident report portal; US-CERT notification system

State Breach Laws (50-State) (all US states)
Deadline: 30–60 days (varies by state; most require "expedient" notice)
Threshold: Unauthorized access to PII of state residents; scope and definitions vary by state
Who to Notify: State Attorney General (varies); affected individuals
Method: Written / email notice per state requirements; AG filing where required
Legal Note: This table reflects Psychnex's internal policy targets. Actual regulatory obligations depend on the specific facts of each incident, applicable law at the time, and legal counsel review. Nothing in this document constitutes legal advice. Psychnex retains outside counsel for breach notification compliance.
Using audit_log and Supabase database records, generate a complete list of user IDs, email addresses, and data types affected. Deduplicate and validate email delivery addresses.
Legal and security teams draft the breach notification following FTC plain-language guidance. Must include: what happened, what data was involved, what we are doing, what you can do, and contact information. No jargon.
Legal counsel reviews notification content against applicable regulatory requirements. Executive sign-off required before any subscriber notification is sent. Typically completed within 48 hours of incident confirmation.
Transactional email sent directly to affected user email addresses. Subject line uses clear language: "Important Security Notice from Psychnex." Email includes direct links to change password, enable MFA, and contact support. Delivery tracked and confirmed.
A persistent in-app security alert banner is displayed to affected users on next login. Banner persists until the user acknowledges it. Acknowledgment is logged to audit_log. This catches users whose email notification may be filtered as spam.
A security incident disclosure is posted to the Psychnex status page and trust.psychnex.com/incidents. Includes incident timeline, scope description, and resolution status. Updated as new information is confirmed. Remains visible for minimum 90 days.
For breaches involving NPI or SSN: Psychnex arranges credit monitoring services at no cost to affected users. Dedicated support queue opened for breach-related inquiries. Follow-up email sent 30 days after initial notice with resolution summary.
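The first step of the procedure above (build a deduplicated, validated list of affected users from audit_log) combined with the credit-monitoring rule from the last step, as an added example that is not Psychnex's own code. The audit_log row shape, the event and data-type labels, the compromised-session identifier and the rows themselves are all constructed assumptions.

```python
import re
from datetime import datetime

# Loose syntactic check for a deliverable address (not full RFC 5322)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Data types that trigger the free credit-monitoring offer per the policy above
CREDIT_MONITORING_TYPES = {"npi", "ssn", "financial_account"}

# Constructed sample audit_log rows (assumed shape); one row per record access
AUDIT_LOG = [
    {"ts": "2024-05-01T02:10:00Z", "actor": "sess-7f", "user_id": "u1",
     "email": "Ana@Example.com", "data_type": "email"},
    {"ts": "2024-05-01T02:11:00Z", "actor": "sess-7f", "user_id": "u1",
     "email": "ana@example.com", "data_type": "financial_account"},
    {"ts": "2024-05-01T02:12:00Z", "actor": "sess-7f", "user_id": "u2",
     "email": "bad-address", "data_type": "name"},
    {"ts": "2024-05-01T02:13:00Z", "actor": "sess-7f", "user_id": "u3",
     "email": "cy@example.org", "data_type": "ssn"},
    {"ts": "2024-05-01T09:00:00Z", "actor": "sess-7f", "user_id": "u4",
     "email": "dee@example.org", "data_type": "npi"},   # after containment
    {"ts": "2024-05-01T02:14:00Z", "actor": "support-1", "user_id": "u5",
     "email": "eve@example.org", "data_type": "npi"},   # legitimate actor
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_notification_list(rows, compromised_actors, window_start, window_end):
    """Return (notify, in_app_only): one deduplicated record per affected user.

    Users whose only addresses fail validation go to in_app_only so they are
    still reached by the persistent in-app banner."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    by_user = {}
    for r in rows:
        if r["actor"] not in compromised_actors or not (start <= parse_ts(r["ts"]) <= end):
            continue  # not part of the incident: wrong actor or outside the window
        rec = by_user.setdefault(r["user_id"], {"emails": set(), "data_types": set()})
        rec["emails"].add(r["email"].strip().lower())  # dedupe case/whitespace variants
        rec["data_types"].add(r["data_type"])
    notify, in_app_only = [], []
    for uid in sorted(by_user):
        rec = by_user[uid]
        valid = sorted(e for e in rec["emails"] if EMAIL_RE.match(e))
        out = {"user_id": uid, "email": valid[0] if valid else None,
               "data_types": sorted(rec["data_types"]),
               "credit_monitoring": bool(rec["data_types"] & CREDIT_MONITORING_TYPES)}
        (notify if valid else in_app_only).append(out)
    return notify, in_app_only
```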
What happened: Plain-language description of the incident, covering what was compromised, when, and how it was discovered.
What data was involved: Specific data types accessed (e.g., name, email, financial account data). No vague "may have been accessed" language.
What we are doing: Containment steps already taken, timeline for remediation, and any monitoring Psychnex has put in place.
What you should do: Specific steps: change your password, enable MFA, monitor your accounts, freeze credit if NPI was exposed.
How to contact us: Direct link to dedicated breach support queue, email address, and phone number for affected users only.
Credit monitoring offer: If NPI or financial identifiers were exposed, free credit monitoring enrollment instructions are included directly in the email.
Report Now: For active breaches, suspicious account activity, or data exposure. 24-hour response SLA.
Submit NIS2 Report: For EU/EEA entities with a significant cybersecurity incident. 24-hour early warning required.
Disclosure Guidelines: Found a security vulnerability? Responsible disclosure program active. 90-day embargo honored.

FTC (Federal Trade Commission): US consumer fraud and data breach reports
CFPB: Financial consumer protection complaints
CISA / US-CERT: Critical infrastructure and federal cyber incidents
California AG (CCPA): California privacy law complaints
EU Supervisory Authorities: GDPR complaints; find your national DPA
IC3 (FBI Cyber): FBI Internet Crime Complaint Center
If you believe your account may have been compromised, or if you have questions about a security notification you received from Psychnex, contact our security team immediately.