Security Incident Response Plan

Lecxa Pty Ltd – Security Incident Response Plan (SIRP)

Last Updated: August 29, 2025
Policy Owner: Luke Howard
Version: 0.1

1.0 Purpose and Scope

This plan establishes Lecxa Pty Ltd’s framework for detecting, reporting, containing, and resolving security incidents. Its purpose is to minimize impact on merchants, their customers, and Lecxa operations, while ensuring compliance with applicable laws, including the Australian Privacy Act, the Shopify Partner Program requirements, and contractual obligations with third-party providers.
This plan applies to all systems, applications, and data managed by Lecxa, and to all staff, contractors, and agents.

2.0 Definition of a Security Incident

A security incident is any event that may compromise the confidentiality, integrity, or availability of Lecxa systems, data, or services. Examples include:
  • Unauthorized access to Restricted data (e.g., Shopify Protected Customer Data).
  • Data leakage or exfiltration.
  • Malicious code injection, ransomware, or system compromise.
  • Service outages caused by denial-of-service or misconfiguration.
  • Loss or theft of a device containing Restricted data.
  • Breach of a third-party processor that handles Lecxa data.

3.0 Roles and Responsibilities

  • Incident Response Lead (Luke Howard):
      • Owns the response process, authorises containment and recovery actions, and coordinates communication with affected merchants, regulators, and Shopify.
  • Engineering Team:
      • Investigates technical details, applies patches, isolates compromised systems, and assists with forensic analysis.
  • All Staff:
      • Must report suspected incidents immediately to the Incident Response Lead via the designated incident reporting channel.

4.0 Incident Response Lifecycle

4.1 Preparation

  • Maintain up-to-date contact list for staff, third-party providers (e.g., Supabase, Stripe, AWS).
  • Ensure logging, monitoring, and alerting are active across production systems.
  • Conduct quarterly reviews of incident response readiness.

4.2 Detection and Reporting

  • Staff, automated alerts, or third-party notifications may trigger an incident report.
  • Incidents must be reported immediately to info@lecxa.com.au (or internal Slack channel if appropriate).
  • Minimum information to report:
    • Time and date of discovery.
    • System or data involved.
    • Description of suspicious activity.
    • Reporter’s name and contact.

4.3 Triage and Classification

Incidents are classified as:
  • Low Severity: No Restricted data exposure, minor service disruption.
  • Medium Severity: Possible exposure of Restricted data, limited scope, contained quickly.
  • High Severity: Confirmed exposure of Restricted data, or prolonged service outage impacting multiple merchants.

4.4 Containment

  • Immediately disable compromised accounts, revoke API keys, or block malicious IPs.
  • Isolate affected systems from production if required.
  • Preserve forensic evidence (logs, database snapshots) before making major changes.

4.5 Eradication and Recovery

  • Remove malware, malicious code, or unauthorised access routes.
  • Patch vulnerabilities and rotate credentials.
  • Restore systems from clean backups where needed.
  • Closely monitor systems for reoccurrence.

4.6 Notification and Communication

  • Merchants: Notify impacted merchants without undue delay if their data was exposed or service significantly disrupted. Provide:
    • Nature of incident.
    • Data affected.
    • Steps taken by Lecxa.
    • Guidance on merchant responsibilities.
  • Regulators: Notify the OAIC (Australia) if a breach meets the “Notifiable Data Breach” threshold (serious harm likely).
  • Shopify: Notify via the Partner Dashboard if incident involves Shopify Protected Customer Data.

4.7 Post-Incident Review

  • Conduct a root-cause analysis within 10 business days.
  • Document lessons learned and update policies, controls, or procedures.
  • Report findings to leadership and log them in the Incident Register.

5.0 Documentation

All incidents must be documented in the Lecxa Security Incident Register, including:
  • Incident description.
  • Timeline of events.
  • Containment and recovery steps taken.
  • Notifications made.
  • Final resolution.

6.0 Policy Enforcement

Failure by staff to comply with this plan may result in disciplinary action. This plan will be reviewed annually or following any significant incident.