Business Continuity and Disaster Recovery Plan

Policy Owner: Daniel Peixoto

Effective Date: Nov 9, 2024

Purpose

The purpose of this business continuity plan is to prepare Straloo Tecnologia LTDA in the event of service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.

Scope

All Straloo Tecnologia LTDA IT systems that are business critical.

This policy applies to all employees of Straloo Tecnologia LTDA and to all relevant external parties, including but not limited to Straloo Tecnologia LTDA consultants and contractors.

In the event of a loss of availability of a hosting service provider, the CTO will determine an appropriate response strategy.

General requirements

In the event of a major disruption to production services and a disaster affecting the availability and/or security of the Straloo Tecnologia LTDA office, senior managers and executive staff shall determine mitigation actions. A disaster recovery test, including a test of backup restoration processes, shall be performed on an annual basis.

Alternate work facilities

If the Straloo Tecnologia LTDA office becomes unavailable due to a disaster, all staff shall work remotely from their homes or any safe location.

Communications and escalation

Executive staff and senior managers should be notified of any disaster affecting Straloo Tecnologia LTDA facilities or operations.

Communications shall take place over approved channels such as Slack, email and phone.

Roles and responsibilities

| Role | Responsibility |
| --- | --- |
| IT Manager | The IT Manager shall lead BC/DR efforts to mitigate losses and recover the corporate network and information systems. |
| Managers | Managers shall be responsible for communicating with their direct reports and providing any needed assistance for staff to continue working from alternative locations. |

Continuity of critical services

Procedures for maintaining continuity of critical services in a disaster can be found in Appendix A. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) can be found in Appendix B. The strategy for maintaining continuity of services is shown in the following table:

| Key business process | Continuity strategy |
| --- | --- |
| Customer (Production) Service Delivery | Rely on GCP availability commitments and SLAs |
| Email | Utilize Gmail and its distributed nature, rely on Google's standard service level agreements. |
| Finance, Legal and HR | All systems are vendor-hosted SaaS applications. |
| Sales and Marketing | All systems are vendor-hosted SaaS applications. |

Plan activation

This BC/DR plan shall be automatically activated in the event of the loss or unavailability of the Straloo Tecnologia LTDA office, or a natural disaster (i.e., severe weather, regional power outage, earthquake) affecting the larger Fortaleza/CE region.

Version history

| Version | Date | Description | Author | Approver |
| --- | --- | --- | --- | --- |
| 1.0 | Nov 9, 2024 | Version 1.0 | Daniel Peixoto | Daniel Peixoto |

Appendix A - Business continuity procedures by scenario

Business Continuity Scenarios

HQ Offline (power and/or network)

- CRM, Telephony, Video Conferencing/Screen Share & Corp Email unaffected
- SUPPORT unaffected
- HQ Staff offline (30-60 minutes)
- Remote Staff unaffected

Procedure:

1. HQ Staff relocate to home offices (30-60 minutes)
2. Verify Telephony, CRM, & Email Connectivity at home offices (10 minutes)
3. Remotely resume normal operations

Disaster Event at HQ

- CRM, Telephony, Video Conferencing/Screen Share & Corp Email unaffected
- SUPPORT offline
- HQ Staff offline (variable impact)
- Remote Staff unaffected

Procedure:

1. Activate Remote Staff
2. Notify Customer Base of impaired functions & potential delays
3. Commandeer Field Resources for Critical Response

SaaS Tools Down

- CRM, Telephony, Video Conferencing/Screen Share, or Corp Email affected
- SUPPORT partially affected (no new cases, manual triage required)
- HQ Staff unaffected
- Remote Staff unaffected

Procedure:

Telephony Down

1. Notify Customer Base to use Support Portal or Email
2. Support Staff use Mobile Phones and/or Land Lines as needed

Email Down (Gmail/Corp Email)

1. Support Staff manually manage 'case' related communications
2. Support Staff use alternate email accounts as needed (Hotmail)

Video Conferencing/ScreenShare Down (Google Meet)

1. Support Staff utilize alternate service as needed

Appendix B - RTOs/RPOs

| Rank | Asset | Affected Assets | Business Impact | Users | Owners | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) | Comments / Gaps |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Google Datacenters | Site | Core services | All | Engineering | 4 hours | 1 hour | Maintain redundancy and data replication across regions. Identify gaps in cross-regional failover and test regularly. |
| 2 | Kubernetes Clusters | Compute Engine, GKE | Application services | All | DevOps | 4 hours | 1 hour | Most configuration can be redeployed in a few seconds |
| 3 | MongoDB Atlas | Database | Patient data, EHRs | Engineering, Analysts | Engineering | 2 hours | 1 hour | Ensure MongoDB backups are consistent and aligned with legal data retention requirements. |
| 5 | CI/CD Pipeline | CircleCI | Development Operations | Engineers | DevOps | 6 hours | 1 hour | |
| 6 | New Relic Monitoring | Monitoring | System health alerts | Engineering, Support | Engineering, Support | 2 hours | 1 hour | Ensure alert and data retention policies cover gaps in event history recovery. |
| 7 | User Authentication | Auth Services | Login and Access Control | Users | Security Team | 1 hour | 15 min | |
| 8 | Slack | Communication | Team communication | All | Operations | 4 hours | 1 hour | |
| 9 | Google Workspace | Email, Docs, Sheets | Business communication, Docs | All | Operations | 6 hours | 1 hour | Enable Google Workspace backup and retention policies for emails, docs, and sheets. |
| 10 | GitHub | Code Repository | Source code, repos | Engineers | Engineering | 4 hours | 1 hour | |
| 11 | OpenAI | API Services | LLM-driven functionalities | Engineering, Support | Engineering | 8 hours | 1 hour | Dependency on OpenAI services; maintain clear documentation on alternative processing methods if needed. |