Scholar Current
Math and Physics Practice / Book Access / Teacher Tools
Scholar Current

Incident Response And Breach Notification Runbook

Effective date: June 8, 2026. This is an operational checklist for suspected security incidents involving student education records, personal data, account access, hosted infrastructure, or support workflows. It is not legal advice; notification decisions should be reviewed with counsel and the affected school/customer when required.

1. First 30 Minutes

Default posture: preserve evidence, stop further exposure, and avoid deleting logs. If the event could involve student records, personal data, credentials, payment information, or unauthorized admin access, treat it as a potential breach until triage says otherwise.
Triage Open an incident record

Record discovery time, reporter, affected system, suspected data type, visible symptoms, and who is handling the response.

Contain Stop active exposure

Disable compromised accounts, revoke sessions, rotate suspected secrets, suspend affected routes, or temporarily disable integrations as needed.

Preserve Freeze evidence

Save relevant audit logs, Render logs, Cloudflare events, database timestamps, GitHub deploy history, emails, screenshots, and support messages.

2. Incident Severity

Level Examples Immediate action
Low Bug report with no personal data exposure, failed login attempts with no compromise, non-sensitive availability issue. Record in issue queue, fix normally, retain notes if security-related.
Medium Potential overexposure of class roster metadata, suspicious teacher/admin access, accidental email to wrong recipient with limited data. Contain, review audit logs, notify internal owner, assess whether school/customer notification is needed.
High Unauthorized access to student records, account takeover, exposed credentials/session tokens, database leak, Cloudflare/Render/GitHub compromise. Contain immediately, preserve evidence, escalate to counsel/leadership, start notification timing review, prepare customer/school communications.
Critical Confirmed broad personal-data breach, active attacker, ransomware, public data dump, access to many student education records. Activate full response team, contact vendors/law enforcement if appropriate, prepare regulator/customer notices, and run continuous status updates.

3. Evidence Checklist

Application and API
  • Audit log entries around the affected user, class, assignment, or admin action.
  • Relevant issue reports and privacy/data requests.
  • Authentication events: login success/failure, session revocation, MFA/passkey events, password reset events.
  • API request logs from Render for affected routes and time windows.
Infrastructure and vendors
  • Render service logs, deploy history, database status, backup/restore events, and environment variable changes.
  • Cloudflare Access, Pages, DNS, WAF, cache, and Zero Trust policy events.
  • GitHub commits, deploy keys/tokens, branch changes, and workflow history.
  • Resend delivery logs for account, password, verification, issue, or notification emails.

4. Containment Playbook

  1. Revoke affected sessions using the account/session tools or database-backed session deletion.
  2. Force password reset or issue temporary credentials only through verified teacher/admin workflows.
  3. Disable or restrict affected admin/teacher/user access while investigating.
  4. Rotate API, database, email, Cloudflare, GitHub, or deployment secrets if compromise is plausible.
  5. Temporarily disable exposed routes, class join codes, assignment access codes, or section-builder publishing if involved.
  6. Preserve logs before cleanup. Do not delete evidence while a privacy, legal, school, or law-enforcement review is open.

5. Notification Decision Tree

Timing review: start the legal/customer notification clock at discovery, not after the investigation is perfect. If facts are incomplete, document what is known, what is unknown, and when each determination was made.
Student records School and FERPA coordination

If education records or student personally identifiable information may be involved, notify the responsible school/teacher contact promptly, support their inspection/amendment/disclosure obligations, and coordinate parent or eligible-student communication through the school when appropriate.

Personal data Regulator and individual review

Review applicable state, federal, contract, and international notification duties. GDPR Article 33 uses a 72-hour supervisory-authority benchmark when a notifiable personal-data breach is likely to create risk, while U.S. obligations vary by data type and state.

Vendors Vendor/customer duties

If a vendor system is involved, open a vendor support/security case. If Scholar Current stores personal information on behalf of a school or organization, notify that customer so they can assess their own obligations.

Law enforcement Criminal or identity-theft risk

If theft, extortion, credential compromise, identity-theft risk, or active intrusion is suspected, consider law-enforcement contact and preserve chain-of-custody notes.

6. Communication Templates

Internal status update

School/customer notice draft fields

7. Post-Incident Cleanup

  1. Confirm containment is complete and no unauthorized access remains.
  2. Patch root cause, add tests/monitoring, and review whether rate limits, authorization checks, or data minimization need tightening.
  3. Rotate all potentially exposed secrets and document which were rotated.
  4. Close the incident record only after notifications, customer follow-up, privacy requests, and audit-log preservation decisions are complete.
  5. Record lessons learned, owner, due date, and completion evidence for each follow-up task.

8. References For Review

These links are reference material for the runbook owner and counsel. Keep the operational page current when vendor contracts, school agreements, or applicable law changes.