Internal Documentation

Backup Policy

Purpose

This policy outlines the backup procedures for critical data assets to ensure data integrity, availability, and recoverability in compliance with SOC2 requirements.

Scope

This policy applies to all data assets critical to the organization’s operations, including:

  1. Code repositories
  2. Customer files
  3. Building Knowledgebase Database
  4. Application Database

Asset-Specific Backup Procedures

Code Repositories

  • Storage: GitHub
  • Backup Procedure: Distributed version control through Git
  • Retention: Full version history maintained in GitHub
  • Recovery Process: Clone or pull from GitHub repository

Customer Files

  • Storage: Amazon S3
  • Backup Procedure: Relies on S3’s built-in redundancy
  • Retention: Follows S3 standard retention policies
  • Recovery Process: Access files directly from S3

Building Knowledgebase Database

  • Storage:
    • Snapshots stored in Amazon S3
    • Running instances hosted on Fly
  • Backup Procedure: Versioned snapshots stored in S3
  • Retention: Follows S3 standard retention policies
  • Recovery Process: Restore from S3 snapshot to Fly hosting using data pipeline tooling

Application Database

  • Storage: Hosted on Fly
  • Backup Procedure: Daily automated snapshots by Fly
  • Retention: Retain daily snapshots for 30 days
  • Recovery Process: Restore from Fly snapshot

Backup Verification and Testing

  1. Annual backup restoration tests shall be conducted for each asset to ensure recoverability.
  2. Results of backup tests shall be documented and reviewed by the IT team.

Responsibilities

The IT team is responsible for:

  • Monitoring the execution of automated backups
  • Conducting and documenting backup verification tests
  • Ensuring proper retention of backups
  • Managing access controls to backup systems
  • Reviewing backup policies and procedures annually
  • Ensuring compliance with SOC2 requirements

Incident Response

In the event of data loss or corruption:

  • Immediately notify the IT team
  • Initiate data recovery procedures as outlined for each asset
  • Document the incident and recovery process
  • Conduct a post-incident review to prevent future occurrences

Policy Review

  • This policy shall be reviewed annually and updated as necessary to reflect changes in technology, business processes, or regulatory requirements.

Visibility

This document is confidential and is a proprietary work product of Cadence OneFive. The information contained herein may not be copied or distributed without the specific written consent of Cadence OneFive.