| Item | Details |
|---|---|
| Owner | Simple Software Development LLC |
| Product | Edminhub |
| Purpose | To define how suspected or confirmed security, privacy, or operational incidents affecting Edminhub are reported, assessed, contained, resolved, and communicated. |
| Contact | info@simplesoftwaredevelopment.com |
| Website | www.simplesoftwaredevelopment.com |
| Address | 131 Continental Dr, Suite 305, Newark, Delaware |
1. Purpose
This Incident Response Procedure explains how Simple Software Development LLC responds to suspected or confirmed incidents affecting Edminhub, including security incidents, privacy incidents, availability incidents, data integrity concerns, unauthorised access, and suspected misuse of the platform.
The procedure is intended to support timely, proportionate, and documented responses to incidents while protecting schools, learners, parents, teachers, Edminhub, Simple Software Development LLC, and its directors, officers, employees, contractors, and affiliates.
This document is an operational procedure and does not create any warranty, guarantee, certification, or liability beyond what is expressly agreed in the applicable SaaS Subscription Agreement, Data Processing Agreement, or other written agreement with the school.
2. Scope
This procedure applies to incidents that may affect:
- the Edminhub application, infrastructure, databases, files, backups, integrations, email services, or administrative tools;
- school data, learner data, parent or guardian data, teacher data, staff data, or user account information processed through Edminhub;
- confidentiality, integrity, availability, authenticity, or auditability of information processed through Edminhub;
- the ability of schools to access or use the Edminhub service; and
- security or privacy concerns reported by schools, users, employees, contractors, hosting providers, or security tools.
This procedure does not apply to incidents caused entirely by school-controlled systems, school devices, internal school processes, or third-party services selected independently by the school, except where Simple Software Development LLC provides reasonable support at its discretion or under a written agreement.
3. Guiding Principles
| Principle | Meaning |
|---|---|
| Protect learners and schools | Incidents involving learner information are treated with appropriate seriousness and care. |
| Act proportionately | The response should match the severity, scope, and likely impact of the incident. |
| Contain first | Immediate steps should prioritise containment, service stability, and prevention of further harm. |
| Preserve evidence | Logs, timestamps, screenshots, system records, and communications should be preserved where reasonably possible. |
| Communicate carefully | External communication should be accurate, controlled, and limited to verified information. |
| Avoid admission of liability | Incident notifications should explain facts and actions taken, without accepting fault, liability, or legal conclusions unless approved by management and legal advisers. |
| Improve controls | Lessons learned should be used to strengthen Edminhub's security, privacy, and operational controls over time. |
4. Definitions
| Term | Definition |
|---|---|
| Incident | Any event that may compromise the confidentiality, integrity, availability, security, or privacy of Edminhub, customer data, learner data, or platform operations. |
| Security incident | An incident involving suspected or confirmed unauthorised access, malware, credential misuse, vulnerability exploitation, denial of service, data alteration, or system compromise. |
| Privacy incident | An incident involving suspected or confirmed unauthorised access to, disclosure of, loss of, alteration of, or misuse of personal information. |
| Data breach | A confirmed privacy or security incident that results in unauthorised access to, disclosure of, loss of, or compromise of personal information or customer data. |
| Customer Data | Data submitted to Edminhub by or on behalf of a school, including learner, parent, guardian, teacher, staff, academic, attendance, disciplinary, document, and user account information. |
| Affected School | A school whose data, users, account, service access, or operations may be affected by an incident. |
5. Incident Severity Classification
| Severity | Description | Examples | Initial target response |
|---|---|---|---|
| Critical | Confirmed or strongly suspected major compromise, material data breach, ransomware, service-wide outage, or incident affecting many schools or sensitive learner data. | Unauthorised database access, large-scale data exposure, ransomware, compromise of production admin credentials. | Immediate triage as soon as reasonably possible. |
| High | Significant incident affecting one or more schools, sensitive records, account security, availability, or data integrity, but not yet assessed as critical. | Suspicious privileged access, confirmed vulnerability exposure, school account takeover, extended service outage. | Same business day where reasonably possible. |
| Medium | Limited incident with contained impact, low volume of affected data, or suspected issue requiring investigation. | Incorrect permission on limited records, minor misconfiguration, suspicious login attempt, partial feature disruption. | Within a reasonable support period. |
| Low | Minor event, false positive, support issue, or concern with no confirmed data exposure or operational impact. | User error, duplicate account, minor logging alert, low-risk configuration query. | Handled through normal support channels. |
Severity may be updated as more information becomes available. Initial classification should not be treated as a final legal or technical conclusion.
6. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Incident Lead | Coordinates the response, assigns actions, maintains the incident record, and escalates to management where required. |
| Technical Lead | Investigates technical cause, reviews logs, contains threats, restores affected services, and recommends remediation. |
| Data Protection / Privacy Lead | Assesses whether personal information or learner information may be affected and advises on customer notification needs. |
| Management / Director Approval | Approves high-risk external communication, legal escalation, regulator engagement, customer notices, and material business decisions. |
| Support Contact | Receives reports from schools, logs issues, provides approved updates, and avoids speculative or unauthorised statements. |
| School / Customer Contact | Provides relevant information, manages its own users and devices, communicates internally, and handles parent or learner requests where applicable. |
7. Reporting an Incident
Suspected incidents should be reported promptly to Simple Software Development LLC using the designated contact channel.
Primary contact: info@simplesoftwaredevelopment.com
Schools should include as much relevant information as possible, including:
- school name and contact person;
- date and time the issue was first noticed;
- affected user accounts, learners, classes, records, or features;
- screenshots, error messages, suspicious emails, or relevant examples;
- whether unauthorised access, data loss, or disclosure is suspected;
- steps already taken by the school, including password resets or user removal; and
- urgency and operational impact on the school.
Users and schools should not attempt to test, exploit, escalate, or publicly disclose a suspected vulnerability or incident without written approval from Simple Software Development LLC.
8. Incident Response Process
8.1 Identification and Logging
When an incident is reported or detected, Simple Software Development LLC will create an incident record where appropriate. The incident record should capture the date and time of report, reporter details, summary of the issue, affected school or system, initial severity, available evidence, and assigned owner.
8.2 Triage and Initial Assessment
The Incident Lead or delegated person will assess whether the report is a security incident, privacy incident, availability issue, support issue, false positive, or other operational matter. The initial assessment should consider affected data, affected users, service impact, exploitability, likelihood of ongoing harm, and whether learner information may be involved.
8.3 Containment
Containment measures may be taken before a full root cause analysis is complete. Depending on the incident, Simple Software Development LLC may:
- disable or restrict affected accounts, API keys, credentials, sessions, or administrative access;
- temporarily suspend affected features, integrations, or access paths;
- block suspicious traffic, IP addresses, user agents, or endpoints where technically possible;
- apply emergency configuration changes, patches, or infrastructure controls;
- isolate affected systems or data stores;
- request that the school reset passwords, remove users, secure devices, or suspend affected internal accounts; and
- temporarily limit service access where necessary to protect platform integrity or customer data.
Containment actions may affect service availability. Simple Software Development LLC may act without prior school approval where immediate action is reasonably necessary to protect the platform, customer data, learner data, other schools, or the wider service environment.
8.4 Investigation
The Technical Lead will investigate the incident using reasonably available information, which may include application logs, audit logs, database logs, hosting provider logs, access records, configuration history, support records, user reports, and system monitoring.
The investigation should aim to determine:
- what happened;
- when it happened;
- which systems, users, schools, or records may be affected;
- whether personal information or learner information was affected;
- whether the issue is ongoing or contained;
- the likely root cause or contributing factors; and
- what remediation is required.
8.5 Eradication and Remediation
Once the issue is understood, Simple Software Development LLC will take reasonable remediation steps. These may include patching vulnerabilities, correcting configuration, rotating credentials, improving access controls, restoring affected data where possible, enhancing logging, updating procedures, or applying additional security controls.
8.6 Recovery
Recovery focuses on restoring affected services, data, and normal operations where technically possible. Edminhub performs daily backups with a retention period of 7 days. Point-in-time backups may be available where a school makes a special arrangement with Edminhub / Simple Software Development LLC.
Backups are intended for disaster recovery and operational resilience. They are not a substitute for the school's own recordkeeping obligations, internal policies, independent exports, or statutory retention requirements.
8.7 Closure
An incident may be closed when reasonable containment, investigation, remediation, recovery, and required communication steps have been completed. Closure does not prevent Simple Software Development LLC from reopening the incident if new information becomes available.
9. Communication and Notification
Incident communication must be accurate, proportionate, controlled, and based on verified information. Simple Software Development LLC may provide updates to affected schools where appropriate, but it will avoid speculation, legal conclusions, or admissions of liability.
In the event of a confirmed security incident affecting Customer Data or learner information, Simple Software Development LLC will take reasonable steps to notify the affected school where appropriate. Notification timelines may depend on the nature of the incident, applicable legal requirements, operational impact, the status of the investigation, and the information reasonably available at the time.
A notification may include, where appropriate and reasonably available:
- a general description of the incident;
- the approximate date or period of the incident;
- the categories of data or users potentially affected;
- containment and remediation steps taken or underway;
- recommended actions for the school or affected users;
- whether further updates are expected; and
- a contact point for follow-up questions.
The school remains responsible for determining whether it must notify parents, guardians, learners, staff, regulators, insurers, auditors, or other third parties, unless a written agreement or applicable law provides otherwise.
10. Regulatory and Legal Escalation
If an incident may trigger legal, regulatory, contractual, insurance, or law enforcement obligations, management should consider obtaining legal advice before issuing external statements or notices.
Simple Software Development LLC may cooperate with law enforcement, regulators, hosting providers, insurers, or professional advisers where legally required, commercially reasonable, or necessary to protect the platform, customers, learners, or company interests.
Nothing in this procedure should be interpreted as an admission that a reportable breach has occurred. Whether an incident is legally reportable depends on the facts, applicable law, contracts, and professional legal assessment.
11. Evidence Preservation and Documentation
Where reasonably possible, relevant evidence should be preserved. This may include:
- incident reports and support tickets;
- system, database, application, access, and audit logs;
- screenshots and error messages;
- affected account details and timestamps;
- configuration changes and deployment records;
- communication with the school, users, vendors, and advisers;
- containment, remediation, and recovery actions; and
- post-incident review notes and decisions.
Incident records are confidential company records. They may be shared with customers, regulators, insurers, or advisers only where approved by management, legally required, or commercially appropriate.
12. Customer and School Responsibilities During an Incident
Schools play an important role in incident response. The school is responsible for:
| Responsibility | Description |
|---|---|
| Prompt reporting | Notify Simple Software Development LLC promptly of suspected unauthorised access, account compromise, data issues, or suspicious activity. |
| Accurate information | Provide relevant details, examples, screenshots, affected users, and timelines. |
| User management | Disable or update school-controlled user accounts, roles, permissions, passwords, and devices where needed. |
| Internal communication | Manage communication with staff, parents, guardians, learners, boards, regulators, or other parties where required. |
| Lawful decisions | Determine whether and how parent, guardian, learner, staff, or regulator notification is required. |
| Device and network security | Secure school devices, browsers, networks, email accounts, and endpoint protection. |
| Cooperation | Avoid actions that may worsen the incident, destroy evidence, or interfere with containment and investigation. |
13. Security Incident Examples
| Example | Likely response |
|---|---|
| Teacher account suspected to be compromised | Disable account or sessions, request password reset, review logs, check affected records, advise school on user access controls. |
| Learner records visible to the wrong user role | Investigate role configuration, correct permissions, identify affected records and users, notify school where appropriate. |
| Potential vulnerability reported by a user | Log report, assess exploitability, prioritise remediation, avoid public disclosure until resolved. |
| Platform outage | Investigate infrastructure, application, hosting, or third-party causes, restore service, provide updates where appropriate. |
| Suspected unauthorised database access | Escalate as high or critical, contain access, preserve logs, rotate credentials, investigate data impact, notify affected schools where appropriate. |
| Data accidentally deleted by school user | Assess available recovery options, including daily backups or special point-in-time arrangements where applicable, subject to technical feasibility and agreement terms. |
14. Post-Incident Review
For material incidents, Simple Software Development LLC may perform a post-incident review. The purpose is to identify lessons learned and improve controls, not to create admissions of liability or fault.
The review may consider:
- root cause or likely contributing factors;
- effectiveness of detection, containment, communication, and recovery;
- whether technical controls, monitoring, access controls, backups, or procedures should be improved;
- whether school guidance or user training should be updated;
- whether service agreements, privacy documents, or security documentation require updates; and
- whether follow-up actions should be tracked to completion.
15. Confidentiality and Public Statements
Incident details, security weaknesses, system architecture, logs, technical findings, and customer-specific information are confidential. Schools and users must not publish or disclose incident details, vulnerabilities, screenshots, exploit methods, or security communications without prior written approval from Simple Software Development LLC, except where disclosure is legally required.
Only authorised representatives of Simple Software Development LLC may issue public statements about Edminhub incidents. Support staff, contractors, and technical personnel should not make public statements or legal conclusions unless specifically authorised.
16. Limitation of Responsibility
Simple Software Development LLC will use reasonable efforts to respond to incidents affecting Edminhub. However, no system, procedure, backup, security control, or incident response process can guarantee complete prevention, detection, recovery, or elimination of all harm.
To the fullest extent permitted by applicable law, Simple Software Development LLC, its directors, officers, members, employees, agents, contractors, and affiliates shall not be liable for indirect, incidental, special, punitive, exemplary, or consequential loss arising from an incident, including loss of data, loss of profits, business interruption, reputational harm, regulatory penalties, third-party claims, or claims arising from the school's own use, misuse, configuration, administration, devices, users, networks, or third-party services.
Nothing in this procedure expands Simple Software Development LLC's liability beyond the limits agreed in the applicable SaaS Subscription Agreement, Data Processing Agreement, or other written contract with the school.
17. Alignment with Other Edminhub Documents
This procedure should be read together with:
- Edminhub Security and Privacy Statement;
- Edminhub SaaS Subscription Agreement;
- Edminhub Data Processing Agreement;
- Edminhub Child Data Protection Statement; and
- Edminhub Security Overview.
If there is a conflict between this procedure and a signed agreement, the signed agreement should prevail to the extent of the conflict, unless otherwise required by applicable law.
18. Review and Updates
Simple Software Development LLC may review and update this Incident Response Procedure from time to time to reflect changes in Edminhub, hosting arrangements, legal requirements, security practices, operational experience, or lessons learned from incidents.
Updates may be communicated to schools through appropriate channels, including email, platform notices, updated documentation, or revised agreements where appropriate.
19. Contact
Questions about incident reporting, security, privacy, or Edminhub data protection may be directed to:
Simple Software Development LLC
Product: Edminhub
Email: info@simplesoftwaredevelopment.com
Website: www.simplesoftwaredevelopment.com
Address: 131 Continental Dr, Suite 305, Newark, Delaware
20. Appendix A: Incident Record Template
The following template may be used as a starting point for logging incidents:
| Field | Details |
|---|---|
| Incident ID | [Insert reference number] |
| Date and time reported | [Insert date and time] |
| Reported by | [Name, school, contact details] |
| Initial severity | Critical / High / Medium / Low |
| Incident type | Security / Privacy / Availability / Data Integrity / Support / Other |
| Affected school or customer | [Insert school name] |
| Affected systems or features | [Insert details] |
| Affected data categories | Learner / parent / teacher / staff / account / system / other |
| Initial description | [Summarise issue] |
| Containment actions | [Record steps taken] |
| Investigation notes | [Record findings] |
| Customer notification | Yes / No / Pending / Not applicable |
| Remediation actions | [Record fixes] |
| Recovery status | Open / Monitoring / Resolved / Closed |
| Closure date | [Insert date] |
| Lessons learned | [Insert notes] |