1. Backup scope
Cloudryption's backup programme covers:
- Databases containing tenant, environment, scan, graph snapshot, finding, attack path, recommendation, audit, and account metadata
- Object storage used for exports, reports, evidence artefacts, and backups
- Configuration and infrastructure-as-code, deployment manifests, and operational documentation required to rebuild the platform
- Secrets metadata and key references (not raw key material) needed for recovery
- Logs required for incident response and auditability, subject to the Data Retention Policy
2. Backup security
- Backups are encrypted at rest using cloud KMS-backed encryption
- Backup access controls are separate from general application roles and restricted to authorised operational and security personnel
- Backup access is logged and reviewed
- Restoration procedures are designed to avoid reintroducing compromised secrets, vulnerable configuration, or deleted Customer Data where deletion obligations apply
3. Recovery targets
| Tier | RPO (Recovery Point Objective) | RTO (Recovery Time Objective) | Notes |
|---|---|---|---|
| Initial GA | Up to 24 hours | Up to 48 hours | Applies to core production database data unless a stronger SLA is negotiated |
| Enterprise roadmap | 4 hours or less | 24 hours or less | Targeted once automated restore testing, multi-zone deployment, and operational coverage are proven |
These targets apply to the Cloudryption platform itself. Customer-specific SLAs with stronger commitments are available for enterprise agreements after operational confidence is established.
4. Restore testing
Cloudryption performs restore testing to validate that backups are usable and recovery procedures work as intended:
- Before enterprise GA: at least one full restore test for critical production databases
- Quarterly: restore testing for production-critical databases
- Annually: full disaster recovery scenario simulation
Each restore test is recorded with:
- Test date and environment
- Dataset and backup source
- Responsible person
- Elapsed time and recovery point achieved
- Validation checks performed
- Issues discovered and corrective actions taken
Restore test evidence is maintained for SOC 2 readiness and enterprise security review.
5. Customer impact and exclusions
Cloudryption's backup and DR controls protect the Cloudryption platform. Customers remain responsible for backing up their own cloud accounts, workloads, data stores, repositories, and identity provider configurations.
Historical scan data, reports, and trends may be limited by:
- The customer's retention configuration (see Data Retention Policy)
- The recovery point achieved in the event of a platform incident
6. Backup / DR control matrix
| Control | GA requirement |
|---|---|
| Encrypted production backups | Required before broad enterprise GA |
| Documented restore runbook | Required before broad enterprise GA |
| Restore test evidence | Required before broad enterprise GA and SOC 2 readiness |
| Defined RPO / RTO | Required in security packet and any SLA |
| DR tabletop | Recommended before first enterprise customer; required for SOC 2 maturity |
7. Contact
For questions about this policy or backup / DR commitments for your enterprise agreement, contact: support@cloudryption.com