xcPEP Business Continuity and Disaster Recovery Policy

xcPEP Business Continuity and Disaster Recovery (BCDR) Policy

 

1. Purpose and Scope

This Business Continuity and Disaster Recovery (BCDR) Policy outlines Advanced Structures India Private Limited's strategy to ensure the continuous availability of the xcPEP SaaS platform and the rapid recovery of critical business operations in the event of a major disruption or disaster. The policy covers all critical services, infrastructure, and associated processes.

2. Definitions

  • Disaster: A sudden, unplanned event causing widespread damage or destruction, significantly disrupting normal operations.
  • Business Continuity (BC): The ability of an organization to continue critical business functions during and after a disaster.
  • Disaster Recovery (DR): The process of resuming normal business operations after a disaster.
  • Recovery Time Objective (RTO): The maximum tolerable duration of time that a computer system, network, or application can be down after a failure or disaster.
  • Recovery Point Objective (RPO): The maximum tolerable amount of data that can be lost from an IT service due to a major incident.

3. Roles and Responsibilities

  • BCDR Committee: A cross-functional committee responsible for overseeing the BCDR program.
  • Incident Response Team (IRT): Responsible for executing the DR plan during an incident.
  • Departmental Leads: Responsible for implementing continuity plans for their respective business functions.

4. Business Impact Analysis (BIA)

A comprehensive Business Impact Analysis (BIA) is conducted regularly to:

  • Identify critical business functions and supporting IT systems of xcPEP.
  • Assess the potential impact of disruptions on these functions.
  • Determine the RTOs and RPOs for each critical function, prioritizing recovery efforts.

5. Disaster Recovery Strategy (AWS-based)

  • Primary DR Site: Our disaster recovery strategy leverages AWS's global infrastructure. Our primary production environment typically operates in a primary AWS region (e.g., ap-south-1 - Mumbai).
  • Secondary DR Site: For critical services, we utilize cross-region replication and multi-AZ (Availability Zone) deployments within AWS to establish a secondary disaster recovery site in a separate AWS region (e.g., ap-southeast-1 - Singapore or another geographically distinct region) or across multiple Availability Zones within the same region.
  • Data Replication: Continuous data replication (e.g., using AWS RDS Multi-AZ, S3 Cross-Region Replication, or equivalent technologies) ensures minimal data loss (low RPO).
  • Failover Procedures: Detailed, documented procedures are maintained for initiating failover to the DR site, covering databases, application instances, networking, and other critical components. Automated failover mechanisms are implemented where possible.
  • Fallback Procedures: Procedures for safely returning operations to the primary site after recovery.
  • Recovery of Specific Components: Comprehensive plans exist for the recovery of all critical components, including databases, application servers, network configurations, and storage.

6. Business Continuity Plan

Our Business Continuity Plan addresses:

  • Communication Plan: Internal and external communication protocols during a disaster, including notification to customers about service status and recovery progress.
  • Workforce Preparedness: Procedures for remote work capabilities and alternative work locations for employees.
  • Supplier Management: Contingency plans for critical third-party service providers.
  • Essential Operations: Strategies to maintain essential business operations while core IT services are being restored.

7. Testing and Exercising

  • Frequency: BCDR plans and procedures are regularly tested at least annually through comprehensive disaster recovery drills and tabletop exercises.
  • Types of Tests: Tests include simulated failovers, data restoration drills, and communication exercises.
  • Review and Improvement: Results from testing are meticulously reviewed, and lessons learned are incorporated into plan updates to ensure continuous improvement.

8. Policy Review and Updates

This BCDR Policy is reviewed and updated at least annually, or more frequently in response to changes in our infrastructure, business operations, or identified risks.