Backup Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2024-04-02 | 2024-04-02 | 2025-04-02 |
Purpose
The purpose of this Backup Policy is to protect the confidentiality, integrity, and availability of data for both Vaxa and its customers. Complete backups are performed at regular intervals to ensure that data remains available when needed and in the event of a disaster.
Scope
This policy applies to all data and information systems owned, operated, or managed by Vaxa, including customer data, internal data, and all supporting infrastructure and systems.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| IT Department | Implement and maintain backup systems and processes. Monitor backups and address any malfunctions promptly. |
| Security Officer | Oversee backup policy compliance and respond to backup failures or incidents. |
| Employees | Ensure business data is stored in company-controlled repositories and follow data classification procedures. |
| Management | Ensure data retention periods comply with regulatory and contractual requirements. |
Policy Statement
Data classification:
- Data should be classified at the time of creation or acquisition according to the Data Classification Policy.
- An up-to-date inventory and data flow map of all critical data shall be maintained.
Data storage:
- All business data, including data on end-user computing systems, shall be stored or replicated into a company-controlled repository.
Backup scope and frequency:
- Data shall be backed up according to its classification level as defined in the Data Classification Policy.
- Complete backups are performed at scheduled intervals appropriate to the data’s criticality.
Data retention:
- Data retention periods shall be defined and comply with all applicable regulatory and contractual requirements. This is detailed in our Data Retention Policy.
- Data and records belonging to Vaxa customers shall be retained our product terms and conditions and/or specific contractual agreements.
- By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified.
- Data retention periods shall be defined and comply with all applicable regulatory and contractual requirements. This is detailed in our Data Retention Policy.
System documentation:
- System documentation, including security and privacy-related documents, shall be backed up regularly.
Monitoring and safeguards:
- The data backup process shall be monitored using technical and organisational safeguards.
- Malfunctions shall be addressed promptly by qualified employees to ensure compliance with retention scope, frequency, and duration.
Use of removable media:
- Removable or external hard drives (e.g., USB sticks) used for data backups shall remain disconnected from computers outside of active backup sessions.
Backup and Recovery Procedures
Customer Data & Systems
Vaxa’s customer data is stored in production accounts across numerous providers, depending on the nature of our engagement with the customer. In any case, Vaxa performs automatic backups to protect against catastrophic loss.
If you are a Vaxa customer, please ask us which of the below applies to your data.
Google Cloud Platform:
- Data is stored in BigQuery databases and Cloud Storage buckets.
- Google Cloud provides durable infrastructure designed for 99.999999999% object durability.
- Versioning is enabled on all mission-critical data storage for both customer and Vaxa infrastructure.
Microsoft 365:
- Data is backed up using the Afi.ai SaaS service.
- Backups are immutable and encrypted in transit (TLS 1.3) and at rest (AES 256-bit).
- Backups are stored in the Google Cloud Platform australia-southeast1 (Sydney) region.
Vaxa workstations:
- Windows and Mac workstations are configured via MDM to redirect known folders to Microsoft OneDrive, providing backup for common folders.
- OneDrive contents are backed up per the Microsoft 365 backup procedures.
- Workstations are considered ephemeral and are not backed up as all relevant data is stored in cloud services.
Source code:
- All source code is stored in Git repositories on GitHub.
- GitHub’s data replication and backup strategy, along with local copies on developer machines, provide sufficient protection against data loss and for this reason, no additional backups are performed on this.
General Backup Procedures
Automatic backups:
- Vaxa performs automatic backups of all customer and system data to protect against catastrophic loss due to unforeseen events.
- An automated process backs up all data to a separate region within the country (e.g. Australia-southeast1 to Australia-west1)
Backup frequency and encryption:
- Data is backed up at intervals appropriate to its criticality level according to the Data Classification Policy.
- Backups are encrypted in the same manner as live production data.
Monitoring and alerts:
- Backup processes are monitored by an appropriate monitoring system.
- Backup failures trigger an incident response, alerting the Security Officer immediately.
Exceptions
Any exceptions to this policy must be documented and approved by the Security Officer and relevant management. Exceptions will be tracked and reviewed periodically to determine if they are still required.
Compliance & Monitoring
Compliance:
- Regular audits will be conducted to ensure adherence to this Backup Policy.
- Compliance with applicable laws, regulations, and contractual obligations will be maintained.
Monitoring:
- The IT Department will monitor backup processes and address any issues promptly.
- Backup logs and reports will be reviewed regularly for anomalies or failures.
Reporting:
- Any incidents or failures in the backup process must be reported to the Security Officer immediately.
- Compliance findings will be reported to senior management.