Notification letters
Generate jurisdiction-correct breach-notification letters that prefill from your incident, flag any missing required statutory fields, and export as text or PDF.
The nine letter templates
| Template | For |
|---|---|
| Notice to Affected Individuals | The consumer / patient notice letter. |
| Notice to State Attorney General | State AG / agency notice. |
| HHS OCR Breach Report Summary | HIPAA report summary to HHS Office for Civil Rights. |
| DFARS / DIBNet Cyber Incident Report Summary | The DoD rapid-report package summary. |
| GDPR Art. 33 — Supervisory Authority Notification | The EU DPA notification. |
| Media Notice (HIPAA 500+ in a jurisdiction) | Prominent-media notice when 500+ residents of one state are affected. |
| PIPEDA — OPC Breach Report (Canada) | Report to the Office of the Privacy Commissioner of Canada. |
| Québec Law 25 — CAI Confidentiality-Incident Notice (Canada) | Notice to the Commission d'accès à l'information. |
| Substitute Notice — Website Posting | Used when direct notice is infeasible / a substitute-notice threshold is met. |
Generating a letter
- Open the Letters tab.
- Pick a Template from the dropdown. If you have an incident open, a note shows it is prefilling from that incident.
- The left panel lists every merge field in the template. Required fields are marked with a red asterisk (*).
- Fill in the fields. The Preview on the right updates live as you type.
- When the required fields are filled, export the letter (below).
Prefill from the incident
If an incident is open, the letter auto-fills what it can from the incident facts so you're not retyping:
| Field | Prefilled from |
|---|---|
| Incident date / Discovery date | The incident's Discovered at (date portion). |
| Total affected | The summed per-state affected count. |
| Data types | The data-type checkboxes you set on the incident. |
| Date | Today's date. |
You can always edit anything before exporting — prefill is a starting point, not a lock.
The missing-required-field guard
Each template declares which fields are statutorily required. If any are still blank, a red banner at the top of the preview lists them: "Missing required: ORG_NAME, …". Unfilled merge tokens also remain visible in the preview as [[FIELD]] so you can spot them. Fill the listed fields and the banner clears.
The guard checks that required fields are present — it does not and cannot judge whether your wording satisfies a regulator. That's a job for counsel.
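The guard behaviour described above, sketched as an added example (not Klaxon's own code): unfilled `[[FIELD]]` tokens stay visible and blank required fields produce the "Missing required: …" banner. The template object shape, the function names, the sample letter text, and the refusal to export while fields are missing are assumptions made for illustration.

```javascript
// Added illustration; not Klaxon's code. Template shape and function names are assumptions.
const TOKEN = /\[\[([A-Z0-9_]+)\]\]/g;

// Constructed sample template: body text plus the fields it declares as required.
const sampleTemplate = {
  name: "Notice to Affected Individuals",
  required: ["ORG_NAME", "INCIDENT_DATE", "DATA_TYPES"],
  body:
    "[[DATE]]\n\n[[ORG_NAME]] is writing to tell you about an incident on " +
    "[[INCIDENT_DATE]] involving [[DATA_TYPES]].\n\nContact: [[CONTACT_PHONE]]",
};

// A field counts as filled only if it has non-whitespace content,
// so a value of "   " does not silence the guard.
function isFilled(value) {
  return value !== undefined && value !== null && String(value).trim() !== "";
}

// Merge values into the template and compute the guard's banner.
function renderLetter(template, values) {
  // A replacer function is used so a value containing "$&" or "[[X]]" is
  // inserted literally and is never re-expanded as a pattern or a token.
  const text = template.body.replace(TOKEN, (token, field) =>
    isFilled(values[field]) ? String(values[field]).trim() : token
  );
  // Checked against the template's declaration, not against the body, so a
  // required field is reported even if the body never references it.
  const missing = template.required.filter((f) => !isFilled(values[f]));
  const banner = missing.length ? "Missing required: " + missing.join(", ") : null;
  return { text, missing, banner };
}

// Assumption: export is refused while any required field is blank.
function exportTxt(template, values) {
  const { text, missing } = renderLetter(template, values);
  if (missing.length) throw new Error("Missing required: " + missing.join(", "));
  return text;
}
```

Optional fields such as `CONTACT_PHONE` in the sample stay as visible tokens without triggering the banner; only the declared required fields do.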
Substitute-notice & credit-monitoring clauses
- When the engine determines a state's substitute-notice threshold is met (see the helpers), the Substitute Notice template and package are the right path instead of direct mail.
- When credit monitoring is required (SSN / financial / payment data plus residents in a mandating state), a ready-to-merge clause offering complimentary credit monitoring / identity protection is available for the individual and substitute letters.
Exporting (.txt / print-to-PDF)
| Button | Result |
|---|---|
| Download .txt | Saves the rendered letter as a plain-text file you can drop into your own letterhead / mail-merge. |
| Print / PDF | Opens a clean print view; use your browser's "Save as PDF" to produce a PDF. |
Filing-quality DOCX rendering is not currently produced — Klaxon generates the .txt / print-PDF package and a submission worksheet. See the FAQ on DOCX.
Optional AI narrative drafter
If — and only if — you have enabled the bring-your-own-key AI copilot (off by default), the Letters view offers to AI-draft the narrative field of a letter (the SUMMARY / ACTIONS / DESCRIPTION-type prose). Crucial guarantees:
- The legal scaffolding — deadlines, who to notify, and the required statutory elements — always comes from the rules engine and is passed to the model as fixed scaffolding it may not change.
- The model only writes the narrative prose; a banner reminds you "legal scaffolding verified by Klaxon's rules engine; narrative AI-assisted — review before sending."
- A data-minimization scrubber blocks / redacts likely PII / PHI before any prompt leaves your machine, and the call goes directly from your browser to your chosen provider — never through any DosanjhLabs server.
If you have not enabled AI, a small tip points you to the AI Copilot tab; nothing AI-related runs otherwise.
Filing the letter (DIBNet / HHS)
The federal portals (DoD DIBNet, HHS OCR) have no submission API by design. Klaxon generates the letter and a submission worksheet; you file through the official portal yourself, then record the confirmation. After filing, return to the incident and Mark filed on that obligation, and log it in the communications log.
- HHS OCR: file at ocrportal.hhs.gov (500+ within 60 days; under-500 via the annual log).
- DoD DIBNet: file at dibnet.dod.mil within 72 hours — requires a medium-assurance ECA certificate.