Business Continuity and Disaster Recovery Plan

Policy Owner: Daniel Peixoto
Effective Date: Nov 9, 2024

Purpose

The purpose of this business continuity plan is to prepare Straloo Tecnologia LTDA in the event of service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.

Scope

All Straloo Tecnologia LTDA IT systems that are business critical.

This policy applies to all employees of Straloo Tecnologia LTDA and to all relevant external parties, including but not limited to Straloo Tecnologia LTDA consultants and contractors.

In the event of a loss of availability of a hosting service provider, the CTO will determine an appropriate response strategy.

General requirements

In the event of a major disruption to production services and a disaster affecting the availability and/or security of the Straloo Tecnologia LTDA office, senior managers and executive staff shall determine mitigation actions. A disaster recovery test, including a test of backup restoration processes, shall be performed on an annual basis.

Alternate work facilities

If the Straloo Tecnologia LTDA office becomes unavailable due to a disaster, all staff shall work remotely from their homes or any safe location.

Communications and escalation

Executive staff and senior managers should be notified of any disaster affecting Straloo Tecnologia LTDA facilities or operations.

Communications shall take place over approved channels such as Slack, email and phone.

Roles and responsibilities

Role	Responsibility
IT Manager	The IT Manager shall lead BC/DR efforts to mitigate losses and recover the corporate network and information systems.
Managers	Managers shall be responsible for communicating with their direct reports and providing any needed assistance for staff to continue working from alternative locations.

Continuity of critical services

Procedures for maintaining continuity of critical services in a disaster can be found in Appendix A. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) can be found in Appendix B.

Strategy for maintaining continuity of services:

Key business process	Continuity strategy
Customer (Production) Service Delivery	Rely on GCP availability commitments and SLAs
Email	Utilize Gmail and its distributed nature, rely on Google's standard service level agreements.
Finance, Legal and HR	All systems are vendor-hosted SaaS applications.
Sales and Marketing	All systems are vendor-hosted SaaS applications.

Plan activation

This BC/DR plan shall be automatically activated in the event of the loss or unavailability of the Straloo Tecnologia LTDA office, or a natural disaster (i.e., severe weather, regional power outage, earthquake) affecting the larger Fortaleza/CE region.

Version history

Version	Date	Description	Author	Approver
1.0	Nov 9, 2024	Version 1.0	Daniel Peixoto	Daniel Peixoto

Appendix A — Business continuity procedures by scenario

HQ Offline (power and/or network)

CRM, Telephony, Video Conferencing/Screen Share & Corp Email unaffected
SUPPORT unaffected
HQ Staff offline (30–60 minutes)
Remote Staff unaffected

Procedure:

HQ Staff relocate to home offices (30–60 minutes)
Verify Telephony, CRM, & Email Connectivity at home offices (10 minutes)
Remotely resume normal operations

Disaster Event at HQ

CRM, Telephony, Video Conferencing/Screen Share & Corp Email unaffected
SUPPORT offline
HQ Staff offline (variable impact)
Remote Staff unaffected

Procedure:

Activate Remote Staff
Notify Customer Base of impaired functions & potential delays
Commandeer Field Resources for Critical Response

SaaS Tools Down

CRM, Telephony, Video Conferencing/Screen Share, or Corp Email Affected
SUPPORT partially affected (no new cases, manual triage required)
HQ Staff unaffected
Remote Staff unaffected

Procedure — Telephony Down:

Notify Customer Base to use Support Portal or Email
Support Staff use Mobile Phones and/or Land Lines as needed

Procedure — Email Down (Gmail/Corp Email):

Support Staff manually manage 'case' related communications
Support Staff use alternate email accounts as needed (Hotmail)

Procedure — Video Conferencing/ScreenShare Down (Google Meet):

Support Staff utilize alternate service as needed

Appendix B — RTOs/RPOs

Rank	Asset	Affected Assets	Business Impact	Users	Owners	Recovery Time Objective (RTO)	Recovery Point Objective (RPO)	Comments / Gaps
1	Google Datacenters	Site	Core services	All	Engineering	4 hours	1 hour	Maintain redundancy and data replication across regions. Identify gaps in cross-regional failover and test regularly.
2	Kubernetes Clusters	Compute Engine, GKE	Application services	All	DevOps	4 hours	1 hour	Most configuration can be redeployed in a few seconds
3	MongoDB Atlas	Database	Patient data, EHRs	Engineering, Analysts	Engineering	2 hours	1 hour	Ensure MongoDB backups are consistent and aligned with legal data retention requirements.
5	CI/CD Pipeline	CircleCI	Development Operations	Engineers	DevOps	6 hours	1 hour
6	New Relic Monitoring	Monitoring	System health alerts	Engineering, Support	Engineering, Support	2 hours	1 hour	Ensure alert and data retention policies cover gaps in event history recovery.
7	User Authentication	Auth Services	Login and Access Control	Users	Security Team	1 hour	15 min
8	Slack	Communication	Team communication	All	Operations	4 hours	1 hour
9	Google Workspace	Email, Docs, Sheets	Business communication, Docs	All	Operations	6 hours	1 hour	Enable Google Workspace backup and retention policies for emails, docs, and sheets.
10	GitHub	Code Repository	Source code, repos	Engineers	Engineering	4 hours	1 hour
11	OpenAI	API Services	LLM-driven functionalities	Engineering, Support	Engineering	8 hours	1 hour	Dependency on OpenAI services; maintain clear documentation on alternative processing methods if needed.