Appendix C: Backup Schedules & Locations
Aligned with NIST SP 800-34r1 (Contingency Planning) and SP 800-171/53 (CP Family). This ensures you maintain resilience, meet FCA compliance expectations, and support timely recovery.
Purpose:
To maintain an up-to-date log of backup schedules, storage locations, and retention policies for Xcavate's critical systems and data assets. This supports effective disaster recovery, RTO/RPO targets, and regulatory oversight.
Backup Register Template:
| Asset ID | System / Data Asset | Backup Type | Frequency | Retention Period | Backup Location (Primary) | Backup Location (Secondary) | Encryption | Tested Last | Backup Method | Comments |
|---|---|---|---|---|---|---|---|---|---|---|
| AS-001 | IAM Platform (JumpCloud) | Config + Audit Logs | Daily | 90 Days | AWS S3 (Encrypted) | Azure Blob (Geo-Redundant) | AES-256 | 15-May-2025 | API-driven Export Script | Automated validation job enabled |
| AS-002 | Firewall Configurations | System Config Snapshot | Weekly | 180 Days | Internal NAS | CloudVault UK (Cold Storage) | AES-128 | 05-May-2025 | CLI Backup Utility | Reviewed quarterly |
| AS-003 | CRM (Customer Records) | Full DB Backup | Daily | 30 Days | Vendor Cloud (EU Hosted) | Local Mirror (Encrypted Disk) | Vendor-native | 02-Jun-2025 | Vendor Scheduled | DR test completed April 2025 |
| AS-004 | GitHub Repository | Codebase Archive | Daily | 60 Days | AWS S3 (Versioning Enabled) | On-prem NAS (Encrypted) | AES-256 | 29-May-2025 | GitHub Actions / Cron | Manual trigger available |
| AS-005 | Financial Reports | Encrypted Document Set | Monthly | 7 Years | GDrive (Zero-Knowledge Encr.) | Offline HDD (Vaulted) | GPG Encrypted | 20-Apr-2025 | Automated + Manual | Required by financial regulators |
| AS-006 | HR System (BambooHR) | HRIS Data Export | Weekly | 12 Months | BambooHR Cloud | Internal Vault (Encrypted SFTP) | TLS/Encrypted | 01-Jun-2025 | Vendor Push + SFTP Pull | HR to validate backup integrity |
Security Considerations
All backups are encrypted at rest and in transit.
Access is restricted based on least privilege (aligned with IAM policy).
Locations are geographically redundant where applicable.
Integrity checks and automated test restores are scheduled monthly for critical assets.
Notes:
All systems classified as Tier 1 (Mission Critical) must have daily backups and quarterly DR test results.
Backup locations must meet FCA and GDPR data residency and security requirements.
Any offsite backups must have a signed third-party DPA (Data Processing Agreement).