Backup and Recovery Policy

1. Policy Overview

This policy describes EDMO’s approach to data backup, retention, and recovery using Google Cloud Platform (GCP), incorporating requirements for SOC 2 compliance. Its goal is to protect critical data, ensure business continuity, and maintain high security and compliance standards for all EDMO-managed resources.

2. Scope and Purpose

  • Scope:
    Applies to all EDMO-managed GCP systems, applications, and data.
  • Purpose:
    • Guarantee safe, recoverable copies of all critical and regulated data.
    • Fulfill legal, contractual, and security obligations, including SOC 2 Trust Services Criteria.

3. Definitions

| Term | Definition |
|---|---|
| Backup | Secure, restorable copy of data, created per policy for contingency needs. |
| RPO | Maximum allowed data loss interval (Recovery Point Objective). |
| RTO | Maximum time to restore data (Recovery Time Objective). |
| Immutable Copy | Backup version that cannot be changed or deleted during the defined retention period. |
| Offsite Backup | Backup in a geographically separate GCP region or platform. |
| SOC 2 | A compliance framework requiring documented, auditable internal controls. |

4. Roles and Responsibilities

| Role | Responsibilities |
|---|---|
| IT Manager | Owns, maintains, and reviews the policy; approves documented procedures. |
| Backup Administrator | Implements backups, monitors compliance, and maintains evidence for SOC 2. |
| Security Team | Enforces access controls and encryption; participates in audits and testing. |
| System Owners | Identify critical data, define retention, and collaborate on compliance needs. |
| All Employees | Follow backup processes and report any data security issues promptly. |

5. Backup Strategy

5.1. 3-2-1-1-0 Framework (SOC 2 Compliant)

  • Three copies: Production data plus two backup copies.
  • Two storage types: GCP standard multi-region storage and immutable Backup Vault.
  • One offsite copy: Backup replicated to a distinct region.
  • One immutable copy: Retained in GCP Backup Vault with tamper-proof retention controls.
  • Zero errors: Integrity verification and error reporting for all backups.

SOC 2 Alignment:
All controls are documented, with evidence kept for audit, including backup schedules, test logs, and access reviews.

5.2. Backup Frequency and Types

  • Critical/regulated data: Hourly incremental, daily full backups.
  • Operational data: Daily incremental, weekly full backups.
  • Types: Full, incremental, differential; choice documented with rationale.

5.3. Retention and Purging

  • Critical/regulated data: Retained for no less than 1 year, or longer where a contract or compliance requirement specifies.
  • All retention periods and purging schedules are clearly documented and matched to SOC 2 and regulatory requirements.
  • Automated purging: Expired backups securely and permanently deleted, with logs maintained for inspection.

5.4. Security and Access Control

  • Encryption: At rest and in transit (AES-256 minimum).
  • Access: Role-based (IAM), least privilege, enforced multi-factor authentication for privileged accounts.
  • Audit logging: All backup and restore actions are logged and reviewed monthly.
  • SOC 2 Controls:
    • Access reviews performed quarterly.
    • All exceptions or access changes are documented and justified.

5.5. Testing, Monitoring, and Documentation

  • Quarterly restore drills and integrity checks for all backup sets, with detailed records.
  • Backup job success/failure reports monitored; failed jobs escalated immediately.
  • Backups and recovery procedures are fully documented and updated after any significant change, per SOC 2 requirements.
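The following is an added example, not EDMO's own tooling or any GCP API: a small Python check that evaluates a backup inventory against the 3-2-1-1-0 rule from section 5.1 and the integrity and freshness checks called for in section 5.5. The production region, RPO, clock, storage-type labels and all inventory records are constructed assumptions; in practice the records would come from the backup job reports the policy requires to be monitored.

```python
"""Added example (not EDMO's own tooling): evaluate a backup inventory
against the 3-2-1-1-0 rule, the RPO, and per-copy integrity.
Every record below is constructed sample data."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PRODUCTION_REGION = "us-central1"          # assumption: region where production runs
RPO = timedelta(hours=1)                   # policy: hourly incremental for critical data
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible


@dataclass(frozen=True)
class BackupCopy:
    name: str
    storage_type: str        # e.g. "multi-region-bucket" or "backup-vault" (labels are assumed)
    region: str
    immutable: bool          # True when the copy cannot be deleted or its retention shortened
    created_at: datetime
    payload: bytes           # stand-in for the backup content
    manifest_sha256: str     # digest recorded when the backup was written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(copy: BackupCopy) -> bool:
    """The '0' in 3-2-1-1-0: stored bytes must match the digest in the manifest."""
    return sha256_hex(copy.payload) == copy.manifest_sha256


def evaluate(copies, production_region=PRODUCTION_REGION, rpo=RPO, now=NOW):
    """Return a list of findings; an empty list means the inventory is compliant."""
    findings = []
    # 3 copies: production plus at least two backups
    if len(copies) < 2:
        findings.append("fewer than two backup copies")
    # 2 storage types
    if len({c.storage_type for c in copies}) < 2:
        findings.append("backups do not span two distinct storage types")
    # 1 offsite copy
    if not any(c.region != production_region for c in copies):
        findings.append("no copy outside the production region")
    # 1 immutable copy
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    # 0 errors: every copy must pass its integrity check
    corrupt = [c.name for c in copies if not verify_integrity(c)]
    if corrupt:
        findings.append("integrity check failed: " + ", ".join(corrupt))
    # RPO: the newest copy must be no older than the allowed data-loss window
    newest = max((c.created_at for c in copies), default=None)
    if newest is None or now - newest > rpo:
        findings.append("newest backup older than RPO")
    return findings


PAYLOAD = b"constructed backup contents v1"


def compliant_inventory():
    """Bucket copy in the production region plus an immutable vault copy in another region."""
    good = sha256_hex(PAYLOAD)
    return [
        BackupCopy("daily-full", "multi-region-bucket", PRODUCTION_REGION, False,
                   NOW - timedelta(hours=6), PAYLOAD, good),
        BackupCopy("hourly-incr", "backup-vault", "europe-west1", True,
                   NOW - timedelta(minutes=30), PAYLOAD, good),
    ]


def noncompliant_inventory():
    """Same layout, but the vault copy is stale and its bytes no longer match the manifest."""
    good = sha256_hex(PAYLOAD)
    return [
        BackupCopy("daily-full", "multi-region-bucket", PRODUCTION_REGION, False,
                   NOW - timedelta(hours=6), PAYLOAD, good),
        BackupCopy("hourly-incr", "backup-vault", "europe-west1", True,
                   NOW - timedelta(hours=3), PAYLOAD + b"x", good),
    ]


if __name__ == "__main__":
    for label, inventory in (("compliant", compliant_inventory()),
                             ("noncompliant", noncompliant_inventory())):
        print(label, evaluate(inventory) or "OK")
```

Each finding maps to one element of the framework or to the RPO, so the list returned by `evaluate` is the kind of record the quarterly integrity check and the failed-job escalation in section 5.5 would file as evidence; a non-empty list is the trigger for the reporting step in section 7.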

6. Data Classification and Retention

| Category | Example Data | Guidelines |
|---|---|---|
| Regulated | Student, financial, sensitive | Highest frequency and longest retention, full SOC 2 audit traceability |
| Critical | Applications, AI models | High protection and restoration priority |
| Important | Logs, ops data | Appropriate frequency and retention |
| Archival | Historical/analytics | Longer-term, compliant storage |

7. Incident Response

  • Any backup failure, suspected loss, or breach must be immediately reported to the IT Manager and Security Team.
  • Investigation must be logged, with root cause analysis and corrective action documented per SOC 2 requirements.

8. Policy Review and Compliance

  • Formal policy review annually and after any major infrastructure or compliance change.
  • All control evidence (logs, reports, tests, access reviews) kept for at least one SOC 2 audit cycle.
  • EDMO’s policy is reviewed and approved by the IT Manager and security/compliance team, with version control and documented change history.

9. Supplementary Measures

  • Automation: All backup, monitoring, and reporting procedures are automated where possible.
  • Staff Training: Employees involved in backup operations receive annual training in SOC 2 and security procedures.
  • Continuous Improvement: Results from drills, incidents, and audits are used to continuously improve backup and recovery controls.

10. Policy Summary Table

| Benchmark | EDMO Implementation (SOC 2) |
|---|---|
| Redundancy 3-2-1-1-0 | Achieved via multi-region storage, immutable vault, and offsite replication |
| SOC 2 control evidence | All major activities logged, tested, and reviewed |
| Security/access | IAM, MFA, encryption, access reviews, audit log retention |
| Retention/deletion | Explicit policy with evidence, automated reporting |
| Testing & drills | Quarterly, auditable, with results used for process improvement |
| Annual policy review | Documented, with SOC 2 alignment and management approval |
| Incident handling | Immediate escalation, documentation, and corrective action |

This policy ensures EDMO’s data is not only resilient and secure but also demonstrably compliant with SOC 2.