Defensive Intelligence

Security

Incident Response Policy

Effective 26 April 2026

This policy describes how ninthLABS Ventures Pty Ltd (“ninthLABS”) detects, responds to, and communicates security incidents and data breaches affecting the OBEL™ platform.

1. What Constitutes an Incident

A security incident is any event that:

  • Results in, or is likely to result in, unauthorised access to, disclosure of, or destruction of customer data
  • Materially disrupts the availability or integrity of the OBEL™ Services
  • Involves compromise of credentials, API keys, or cryptographic material used to protect customer data
  • Constitutes a notifiable data breach under the Australian Privacy Act 1988 (Cth)

We distinguish between security incidents (which may or may not involve personal data) and data breaches (which do involve personal data). Our notification obligations differ accordingly.

2. Incident Response Process

01 Detection

We monitor platform behaviour, error rates, authentication anomalies, and third-party security advisories continuously. Automated alerting flags anomalous patterns for immediate human review. Internal tamper-evident audit logs are consulted during any investigation.

02 Triage and Containment

On detection, an incident is assigned a severity (Critical / High / Medium / Low) and an incident commander. Containment steps — including revoking credentials, isolating affected tenants, or disabling affected features — are taken immediately. The platform's FAIL-SHUT design means that in most scenarios, a security gate failure blocks access rather than granting it.

03 Investigation

Root cause analysis is conducted against audit logs, platform metrics, and infrastructure logs. The scope of affected data and users is determined. External forensic assistance is engaged if required.

04 Notification

Affected customers are notified by email within the timeframes set out in section 4 below. Where a notifiable data breach under the Notifiable Data Breaches scheme has occurred, the Office of the Australian Information Commissioner (OAIC) is also notified in accordance with Part IIIC of the Privacy Act 1988 (Cth).

05 Remediation

Root cause is addressed, affected systems are patched or reconfigured, and additional monitoring is deployed. A post-incident review is completed within 14 days for Critical and High severity incidents.

06 Post-Incident Review

A written summary of the incident, its root cause, and remediation steps is produced internally. For material incidents affecting customer data, a summary is made available to affected customers upon request.

3. How to Report a Security Issue

If you believe you have found a security vulnerability or have witnessed suspicious activity involving OBEL™, contact us immediately:

Security team

security@ninthlabs.ai

We acknowledge all reports within 24 hours and provide a substantive response within 48 hours. Critical vulnerabilities are triaged immediately. We will not pursue legal action against responsible disclosures made in good faith.

Where possible, include: a description of the vulnerability, steps to reproduce, and the potential impact. Encrypted communication is available on request.

4. Notification Timelines

| Severity | Customer notification | Regulator notification |
| --- | --- | --- |
| Critical — data exfiltration or system compromise | Within 24 hours | As required by NDB scheme |
| High — significant impact to availability or data integrity | Within 48 hours | As required by NDB scheme |
| Medium — limited impact, no confirmed data exposure | Within 5 business days | If NDB threshold met |
| Low — minimal impact, no data exposure | In next scheduled update | Not required |

The NDB scheme requires notification to the OAIC and affected individuals where a data breach is likely to result in serious harm. We assess each incident against this threshold and err on the side of notification.

5. Customer Responsibilities

Customers are responsible for:

  • Maintaining up-to-date contact details on their OBEL™ account so that incident notifications reach the right people
  • Reporting suspected account compromises or unusual activity promptly to security@ninthlabs.ai
  • Following their own incident response procedures for data processed through OBEL™

6. Governing Law

This policy is governed by the laws of New South Wales, Australia. Data breach obligations are as required by the Privacy Act 1988 (Cth) (Notifiable Data Breaches scheme). Government customers may have additional obligations under the Protective Security Policy Framework (PSPF) or the Information Security Manual (ISM).

7. Contact

Security incidents: security@ninthlabs.ai
General enquiries: hello@ninthlabs.ai
ninthLABS Ventures Pty Ltd, New South Wales, Australia