Data Backup & Recovery Policy (Summary)
This policy provides a high-level overview of how we back up and recover data, in line with our obligations under the Digital Personal Data Protection Act, 2023 (DPDPA), the DPDP Rules 2025, and other applicable laws on security, availability, and data retention.
1. Purpose & Scope
We maintain backups and recovery mechanisms to:
- ensure continuity and availability of our SaaS services;
- protect against accidental or malicious data loss or corruption;
- support incident response and, where appropriate, forensic investigations;
- meet legal, regulatory, and contractual retention requirements.
This policy covers:
- production databases and file storage used by our services;
- configuration data and infrastructure-as-code required to rebuild environments;
- selected application and security logs that may include personal data.
2. Backup Strategy
2.1 Daily backups
- We take a full backup of production databases and other critical data sets once a day.
- Backup frequency is set to meet our Recovery Point Objectives (RPOs), and backup scope and restore procedures are designed to meet our Recovery Time Objectives (RTOs). With daily full backups alone, the worst-case data loss for a data set is up to 24 hours of changes; where a shorter RPO is required, more frequent backups or replication are used.
- Additional application-level exports may be created where specific business or compliance needs require them.
2.2 Data replication
- Production data is replicated within the same server location / region to improve availability and resilience against local hardware or software failures.
- Replication is near real-time or periodic, depending on the system. Because replication propagates changes, including accidental deletions or corruption, it complements but does not replace the daily backups described above.
- Replication respects our data residency and localisation commitments, ensuring data remains in permitted regions.
2.3 Retention of backups
- Backup copies are retained for 30 days by default.
- Where required by law, regulation, or specific customer contract, certain data or logs may be retained for longer in separate systems or archives.
- After the retention period, backups are securely deleted, aged out, or overwritten so that the data cannot reasonably be reconstructed.
2.4 Security of backups
- All backup data is encrypted at rest and in transit using industry-standard encryption.
- Access to backup systems and repositories is restricted to authorised personnel, enforced by least-privilege access controls and logged for audit purposes.
- Backup infrastructure is included in our overall information security, monitoring, and incident response processes.
3. Restoration & Testing
We maintain documented runbooks describing how to restore critical services and data from backups, including validation steps and escalation paths.
We perform periodic restore tests (typically in non-production environments) to verify:
- that backups are complete and usable;
- that we can meet defined RTO and RPO targets;
- that relevant teams are familiar with recovery procedures.
4. Alignment with Data Principal Rights
We design our backup and recovery processes to respect Data Principal rights under the DPDPA:
When a Data Principal exercises access, correction, or erasure rights, the changes are applied in live (production) systems.
Once personal data is deleted or anonymised in live systems, it is not reintroduced from backups into production environments, except where strictly necessary for disaster recovery and in accordance with legal obligations.
Backups may still contain historical copies of personal data until they age out and are deleted at the end of the 30-day retention period (or any longer period required by law). Access to such backup data is limited to:
- disaster recovery and business continuity; and
- legal, regulatory, or audit purposes.
