Business Continuity, Disaster Recovery & Incident Response

Continuity & recovery

  • Backups: automated daily full backups of production on GCP; source repositories every 6h; replicated to a geographically separate EU GCP region; AES-256 encrypted; backups contain no personal/sensitive data; restoration tested quarterly; backup-failure alerts to the Security Officer.
  • Disaster Recovery Plan tested semi-annually (tabletop and technical restore in an alternate cloud region). Reconstitution goal: full operations within 24 hours.
  • Business Continuity Plan maintained by the Security Officer and Privacy Officer; recovery led by the Technology Director.

Incident response

  • Internal reporting within 24h of discovery; preliminary investigation within 48h.
  • Severity SLAs: Sev1 Critical 1h (escalate to executive management, DPO, and legal); Sev2 High 4h; Sev3 Medium 24h; Sev4 Low 72h.
  • Five-phase lifecycle: identification, containment, eradication, recovery, post-incident review. Plan tested annually.