Not legal advice. This page explains QuantaSeal's operational commitments under the Australian Notifiable Data Breaches (NDB) scheme. It does not constitute legal advice. If you are an APP entity with specific compliance obligations, consult a qualified privacy lawyer.
1. Overview
Australia's Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024) requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs.
QuantaSeal Pty Ltd ("QuantaSeal") operates in two capacities that are relevant to the NDB scheme:
Data Controller
For personal information we hold about our own customers (name, email, billing address, usage data). QuantaSeal is directly an APP entity subject to NDB obligations.
Data Processor
For Customer Data that our customers submit to the platform for encryption and vault storage. We process this on behalf of customers who are themselves APP entities.
2. What Is an Eligible Data Breach?
Under s26WE of the Privacy Act 1988, an "eligible data breach" occurs when all three of the following conditions are met:
Unauthorised access or disclosure (or loss that is likely to result in such)
Personal information held by the APP entity is accessed by, or disclosed to, someone who is not authorised to access or receive it - or the information is lost in circumstances where such access or disclosure is likely.
Likely to result in serious harm
The access, disclosure or loss would be likely to result in serious harm to one or more of the individuals to whom the information relates. Factors include sensitivity of information, identity theft risk, financial harm, and reputational harm.
APP entity has not been able to prevent serious harm
The APP entity has not taken action that has prevented the likelihood of serious harm to affected individuals.
PQC Encryption Reduces Breach Severity
Customer Data stored in QuantaVault is protected by ML-KEM-768 + AES-256-GCM encryption. If encrypted ciphertext is accessed without authorisation, but the decryption keys have not been compromised, the risk of serious harm may be significantly reduced or eliminated - which can affect whether an eligible data breach has occurred. See Section 8 for full context.
3. QuantaSeal's Obligations
3.1 As a Direct APP Entity
QuantaSeal is an APP entity with annual turnover above the $3 million threshold (or meets another applicable threshold). We are directly subject to the NDB scheme for personal information we hold about our customers, including account information and usage data.
If we identify an eligible data breach involving our own customer data, we will:
- Notify the OAIC within 30 days of becoming aware that there are reasonable grounds to believe an eligible data breach has occurred.
- Notify affected individuals as soon as practicable, either directly (where practicable) or through a public notification.
- Contain the breach and take remediation steps as quickly as possible.
3.2 As a Data Processor for Customer APP Entities
When QuantaSeal processes Customer Data on behalf of a customer who is themselves an APP entity, our contractual obligations (per the DPA) require us to:
- Notify the customer of any suspected or confirmed security incident affecting Customer Data within 72 hours of our security team becoming aware of it - well within the 30-day OAIC notification window.
- Provide a written incident summary including: nature of the incident, data categories affected, estimated number of individuals affected, likely consequences, and remediation steps taken.
- Cooperate fully with the customer's own NDB investigation and provide access to audit logs and forensic evidence.
- Not notify affected individuals or the OAIC on behalf of the customer without the customer's explicit written instruction (except where required to do so by law).
4. Customer (APP Entity) Obligations
If you are a customer who is itself an APP entity (i.e., an Australian organisation with annual turnover above $3 million, or an agency, health service provider, etc.), you are responsible for your own NDB obligations with respect to the personal information you process through QuantaSeal.
| Your Obligation | Timeframe | QuantaSeal's Role |
|---|---|---|
| Assess whether an eligible data breach has occurred | As soon as practicable, within 30 days of suspicion | We provide incident details and audit evidence within 72 hours |
| Notify OAIC (Form NDB) | Within 30 days of reasonable grounds to believe eligible breach | We provide supporting documentation for your notification |
| Notify affected individuals | As soon as practicable after OAIC notification | We provide data category and scope details for your notice |
| Remediate and prevent recurrence | Ongoing | We implement technical fixes and provide a root cause analysis |
| Conduct a Privacy Impact Assessment (PIA) | If high risk | We support your PIA with technical architecture documentation |
Note: The 30-day assessment period under s26WJ runs from when the APP entity first suspects there may be an eligible data breach - not when it is confirmed. Begin your assessment process immediately upon receiving our 72-hour notification.
5. Our Incident Response Process
QuantaSeal maintains a documented Security Incident Response Plan aligned with the OAIC's NDB guidance. The key stages are:
- Automated anomaly detection triggers alert
- Security team triages the incident and assigns severity level
- Incident channel opened; affected systems isolated if necessary
- Affected systems isolated or credentials revoked
- Forensic snapshot taken (preserving evidence for OAIC)
- Preliminary scope assessment: which tenants and data categories may be affected
- Root cause analysis completed
- Data categories and individuals potentially affected identified
- Encryption status of affected data confirmed (PQC breach assessment - see Section 8)
- Legal counsel engaged to assess NDB eligibility
- Affected customers notified by email with full incident summary
- Audit log export provided to affected customers
- If QuantaSeal is the APP entity: OAIC NDB Form submitted within 30 days
- OAIC notified if QuantaSeal has reasonable grounds to believe eligible breach occurred
- Technical remediation implemented and tested
- Post-incident review conducted within 14 days
- Control improvements documented in security register
- Updated RCA provided to affected customers and OAIC if required
6. Notification Timelines
| Event | Who Notifies | Who Is Notified | Timeframe |
|---|---|---|---|
| Security incident detected affecting customer data | QuantaSeal → Customer | Affected customer(s) | Within 72 hours |
| Customer suspects eligible data breach involving their data processed by QuantaSeal | Customer (APP entity) → OAIC | OAIC + affected individuals | Within 30 days of suspicion (s26WJ) |
| QuantaSeal determines eligible breach of its own customer data | QuantaSeal → OAIC + affected individuals | OAIC + affected customers | Within 30 days of reasonable grounds |
| Serious interference with privacy (2024 Amendment) | QuantaSeal → OAIC | OAIC (may publish) | As soon as practicable |
7. What QuantaSeal Provides to Affected Customers
To support your own NDB assessment and notification obligations, QuantaSeal will provide the following within 72 hours of our incident confirmation:
Incident Summary Report
Written summary covering: nature of the incident, root cause (where identified), timeline of events, and immediate remediation steps.
Data Category Mapping
Identification of which data categories (e.g., personal information, sensitive information) were potentially accessed or disclosed.
Tenant Audit Log Export
Full SHA3-256-chained audit log export for your tenant covering the incident period, suitable for OAIC submission.
Encryption Status Confirmation
Confirmation of whether affected data was encrypted at rest (ML-KEM-768 + AES-256-GCM) and whether decryption keys were accessible at the time.
Scope Attestation
Written attestation of the number of your end-users whose data was potentially affected, to support your OAIC notification form (NDB Form).
Ongoing Cooperation
Point-of-contact security liaison for the duration of the incident. Available for OAIC inquiries or regulatory interviews on technical matters.
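As an added example (not QuantaSeal's code, and the export format is assumed here, not documented on this page): a verifier a customer could run over a SHA3-256-chained audit log export before relying on it in an NDB assessment. It assumes a JSON Lines export where each record carries `seq`, `prev_hash` and a `hash` computed over the previous hash plus the canonical JSON of the rest of the record, and it shows that edited, dropped and reordered records are all detected.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed: prev_hash of the first record in an export

# Constructed sample events (not real QuantaSeal log data)
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:14:07Z", "actor": "svc-backup", "action": "vault.read", "result": "denied"},
    {"ts": "2025-03-01T02:14:09Z", "actor": "svc-backup", "action": "vault.read", "result": "denied"},
    {"ts": "2025-03-01T02:15:30Z", "actor": "admin@tenant", "action": "key.rotate", "result": "ok"},
]

def record_hash(prev_hash, body):
    """SHA3-256 over the previous hash concatenated with canonical JSON of the body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256((prev_hash + canon).encode()).hexdigest()

def build_chain(events):
    """Turn plain event bodies into a chained export (list of records)."""
    records, prev = [], GENESIS
    for seq, body in enumerate(events):
        rec = dict(body, seq=seq, prev_hash=prev)
        rec["hash"] = record_hash(prev, rec)  # rec carries no 'hash' key yet
        records.append(rec)
        prev = rec["hash"]
    return records

def to_export(records):
    """Serialise records as JSON Lines, the assumed export format."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records) + "\n"

def parse_export(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def verify_chain(records):
    """Return (True, None) if the chain is intact, else (False, index of first bad record).
    Catches edited records (hash mismatch), dropped or reordered records (seq or
    prev_hash mismatch) and a truncated head (record 0 not chained to GENESIS)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev_hash") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "hash"}
        if record_hash(prev, body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print(verify_chain(parse_export(to_export(chain))))  # (True, None)
    edited = [dict(r) for r in chain]
    edited[1]["result"] = "ok"                           # simulate one altered record
    print(verify_chain(edited))                          # (False, 1)
```

A chain like this cannot detect truncation of its tail on its own; for an export that will be submitted to the OAIC, have the provider attest the final hash separately (for example in the signed incident summary) and compare it with the last record.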
8. PQC Context: Encrypted Data & Breach Risk
A key consideration in NDB assessments is whether accessed data is "likely to result in serious harm" (s26WE). QuantaSeal's post-quantum encryption architecture is directly relevant to this assessment.
Encrypted Data - Reduced Serious Harm Risk
Customer Data stored in QuantaVault is encrypted with ML-KEM-768 + AES-256-GCM (NIST FIPS 203). If ciphertext is accessed without authorisation but the associated decryption keys (AWS KMS CMKs) have not been compromised, the OAIC's guidance indicates the serious harm threshold may not be met - because the data is not intelligible to an unauthorised person.
QuantaSeal will provide a specific Encryption Status Confirmation for each incident identifying whether keys were compromised. Where keys were not compromised, this confirmation can support your assessment that an eligible data breach has not occurred.
Account Metadata - Standard Breach Risk
Account-level information (email addresses, tenant names, usage metadata) held by QuantaSeal is not encrypted under PQC vault encryption - it is protected by standard TLS in transit and bcrypt password hashing, as is the case for most SaaS platforms. If this information is accessed, the standard NDB assessment applies without the PQC encrypted-data exception.
Harvest-Now-Decrypt-Later (HNDL) Threats
The HNDL threat model involves an adversary capturing encrypted ciphertext today for decryption once a cryptographically relevant quantum computer (CRQC) exists. ML-KEM-768 is designed to resist CRQC attacks (NIST FIPS 203 Level 3). An HNDL acquisition of QuantaSeal ciphertext does not constitute a current eligible data breach - though it would represent a long-term risk under classical encryption.
9. Contact
OAIC: To make a complaint about an eligible data breach, or to lodge an NDB report on your own behalf, visit the Office of the Australian Information Commissioner (oaic.gov.au).