| Field | Value |
|---|---|
| Document ID | ISMS-POL-002 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | pending — annually, or on material change |
| Supersedes | — (initial issue) |
| Annex A controls | A.8.13 (Information backup), A.5.30 (ICT readiness for business continuity), A.8.24 (Use of cryptography), A.8.10 (Information deletion) |

Backup is the central service that BackupExperts delivers to its
customers, and the foundation on which we recover from incidents
affecting our own infrastructure. This policy sets the requirements
that every backup arrangement — for customer data and for BackupExperts'
own data — must meet.

This policy applies to:

| Layer | Where | What |
|---|---|---|
| Customer-side primary | Customer site | Veeam Backup & Replication with a local-copy job to a customer-side repository. Owned by the customer; accessible to BackupExperts under the service contract. |
| Off-site copy | BackupExperts basement, Oelsnitz/Erzgebirge | MinIO S3 endpoint, NAS-backed, receives the offload from customer Veeam jobs. This is the off-site copy from the customer's perspective. S3 Object Lock is the immutability mechanism for buckets where it is enabled. |
| Off-site copy from BackupExperts | Not yet implemented | A second off-site copy of the basement MinIO data is on the risk register (planned) as a high-priority gap. Until implemented, loss of the basement is the dominant residual backup-availability risk. |

BackupExperts apps and tooling (tenant Wiki.js instances, monitoring,
the wiki-cms toolchain) are hosted at Hetzner Online GmbH and are
not part of the customer-data backup path; they are protected by
their own backup arrangement documented separately in the
Business Continuity Plan (planned).

Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are
contractually committed per service tier. The current tier matrix is
maintained in Continuity → RTO/RPO (planned).

Customer-specific values, where they deviate from the standard tier,
are recorded in the customer's onboarding document.

A backup configuration that cannot meet the contracted RPO or RTO is a
nonconformity and is logged in Audits → Nonconformities
(planned) with a corrective action.

Retention periods are set per service tier and per data class. Default
minimums:

| Data class | Default minimum retention |
|---|---|
| Customer production data | Per service contract (typically ≥ 30 days, with a longer monthly archive tail) |
| Customer system state / config | ≥ 30 days |
| BackupExperts ISMS records | ≥ 3 years (longer where law or contract requires) |
| Logs and operational telemetry | ≥ 12 months |

Retention beyond the contracted period is not authorised. Data past
retention is deleted under the data deletion procedure
(planned) with evidence captured in the change log
(planned).

| Restore class | Minimum test cadence |
|---|---|
| File / object level restore from any tier | Quarterly per customer |
| Full-system / image restore on premium tiers | Annually per customer |
| BackupExperts internal critical-system restore | Annually |
| End-to-end DR exercise (loss-of-region scenario) | Annually |

Tests follow the Restore Procedure and
their outcomes are recorded in the backup test log
(planned).

A restore test is not considered passed until:

Every backup job in scope is monitored. Failure of a backup job, or
absence of an expected job within its scheduling window, generates an
alert that is acknowledged by an on-call operator. Persistent failure
beyond a defined threshold escalates per the Incident Response Policy.

| Role | Responsibility |
|---|---|
| Information Security Officer | Owns this policy. Reviews backup test outcomes, raises nonconformities, reports KPIs to management review. |
| Operations lead (per shift / on-call) | Acknowledges and resolves backup alerts; escalates per incident policy. |
| Customer technical contact at BackupExperts | Maintains the customer's backup configuration document; ensures tier and reality match. |
| Managing Director | Approves deviations from this policy by formal exception. |

Any deviation from this policy — including reduced encryption, reduced
retention, reduced restore-test cadence — requires a written exception
approved by the Managing Director, with a stated end date and
compensating controls. Exceptions are recorded in the risk register and
re-evaluated at every management review.

This policy is evidenced by: