Breach Response Protocol

Level Up Classroom Inc. — Last updated April 2026

1. Purpose

This protocol establishes how Level Up Classroom Inc. detects, responds to, and reports personal data breaches involving student information across all products operated by Level Up Classroom Inc., including LevelUpClassroom.com and OSSLTPrep.com.

2. Scope

This protocol applies to all systems processing student personal information, including:

  • Google Firebase / Firestore (database — Toronto, Canada)
  • Firebase Authentication (user accounts)
  • Netlify Functions (serverless API layer)
  • Anthropic API (AI features — report comments, essay grading on Level Up Classroom)
  • OpenAI API (AI essay grading, writing feedback on OSSLTPrep)
  • Google Authentication (OAuth sign-in)

3. Definitions

  • "Breach" means unauthorized access to, disclosure of, alteration of, or loss of personal information held by Level Up Classroom Inc.
  • "Personal Information" includes student names, student numbers, email addresses, grades, attendance records, assessment responses, written work, and parent/guardian contact information.
  • "Significant Breach" means a breach that creates a real risk of significant harm to affected individuals, as evaluated under PIPEDA section 10.1.

4. Incident Response Leadership

Privacy Officer: Reece Cantelon
Email: reece@levelupclassroom.com
Role: All incident response decisions, notifications, and communications.

5. Response Phases

Phase 1 — Detection & Initial Assessment (0–4 hours)

  • Identify the breach through monitoring, logs, user reports, or third-party notification
  • Assess initial scope: what data was affected, how many users, what systems were involved
  • Document all findings with timestamps
  • Determine if the breach is ongoing and take immediate action to stop further exposure

Phase 2 — Containment (4–24 hours)

  • Rotate any compromised credentials (API keys, service accounts, database access)
  • Isolate affected systems if necessary
  • Preserve evidence and logs for investigation
  • Implement temporary safeguards to prevent recurrence

Phase 3 — Notification (within 72 hours of confirmation)

  • Affected school boards and institutions: Notify with details of the scope, affected data, actions taken, and recommended steps
  • Office of the Privacy Commissioner of Canada: Notify if the breach constitutes a significant breach under PIPEDA (real risk of significant harm)
  • Affected students and parents: Notify as directed by the school board, or directly if no board agreement is in place, with a clear description of the affected data and protective steps

Phase 4 — Remediation (1–7 days)

  • Complete root cause analysis
  • Deploy permanent fixes to the identified vulnerability
  • Verify containment is effective and no further exposure is occurring
  • Strengthen monitoring and security controls as needed

Phase 5 — Review & Documentation (within 30 days)

  • Prepare a complete incident report with timeline, root cause, impact, and response actions
  • Update security policies, procedures, and technical controls based on lessons learned
  • Communicate findings and improvements to affected school boards
  • Archive the incident record

6. Record Retention

All breach records — including incident details, assessment documentation, notification records, and remediation actions — are maintained for a minimum of 24 months from the date of the incident, as required by PIPEDA.

7. Reporting a Suspected Incident

If you suspect a security incident or data breach involving Level Up Classroom or OSSLTPrep, please contact us immediately:

Email: reece@levelupclassroom.com
Subject line: SECURITY INCIDENT — [brief description]

We take all reports seriously and will acknowledge receipt within 24 hours.

8. Related Documents

Level Up Classroom Inc. — levelupclassroom.com — reece@levelupclassroom.com

This document applies to all products operated by Level Up Classroom Inc.