xcPEP Backup and Recovery Policy
1. Purpose and Scope
This Backup and Recovery Policy outlines Advanced Structures India Private Limited's procedures for creating, storing, and recovering customer data within the xcPEP SaaS platform. The policy aims to ensure data availability, integrity, and recoverability in the event of data loss due to unforeseen circumstances, human error, or system failures.
2. Data Classification
All data processed by xcPEP is classified based on its criticality and sensitivity. This classification determines the appropriate backup frequency, retention period, and recovery priorities.
3. Backup Strategy
- Frequency:
  - Full Backups: Performed weekly for all critical databases and file systems.
  - Incremental Backups: Performed daily for databases and frequently changing data.
- Location: Backups are stored securely on AWS S3 (Amazon Simple Storage Service) and other appropriate AWS storage services, designed for high durability and availability. Offsite copies of backups may be stored by Advanced Structures India at secure on-premises locations.
- Redundancy: Critical backups are replicated across multiple Availability Zones or AWS regions to ensure geographical redundancy and resilience against regional outages.
- Retention Periods:
  - Daily backups: Retained for 7 days.
  - Weekly backups: Retained for 4 weeks.
  - Monthly backups: Retained for 12 months.
  - Long-term archival may be configured based on compliance or specific customer requirements.
- Encryption: All backups are encrypted at rest using strong encryption algorithms and AWS Key Management Service (KMS) to protect data confidentiality.
- Integrity Checks: Regular integrity checks are performed on backup sets to ensure their recoverability. Test restores are conducted periodically.
4. Recovery Strategy
- Recovery Point Objective (RPO): Our objective is to limit potential data loss to a maximum of 15 minutes of data, reflecting our continuous backup and replication strategy.
- Recovery Time Objective (RTO): Our objective is to restore critical service functionalities within 2 hours following a major incident impacting data availability.
- Recovery Procedures: Detailed, documented procedures are maintained for restoring data from backups, including specific steps for databases, application configurations, and file systems.
- Testing: Backup and recovery procedures are tested at least quarterly to ensure their effectiveness and efficiency. Test results are documented and reviewed.
5. Types of Backups
- Database Backups: Snapshots and logical backups of all production databases.
- Application Code and Configuration Backups: Version-controlled repositories and snapshots of application configurations.
- File System/Object Storage Backups: Backups of all customer-uploaded files and system-generated data stored in object storage.
6. Responsibilities
- The Operations and Infrastructure teams are responsible for the execution, monitoring, and verification of backup operations.
- The Incident Response Team is responsible for initiating and overseeing recovery procedures in the event of a disaster.
7. Documentation
All backup schedules, retention periods, and recovery procedures are thoroughly documented and regularly updated. Backup logs are maintained for audit purposes.
8. Policy Review and Updates
This policy is reviewed annually and updated as necessary to reflect changes in technology, operational requirements, and regulatory standards.