Cleverly Backup Policy
Last Updated: January 27th, 2025
1. Purpose and Scope
This Backup Policy (the “Policy”) outlines the procedures and responsibilities for backing up and restoring data held by Cleverly (“the Company”). It is designed to:
- Ensure availability and recoverability of data in the event of system failure, cyber-attack, or other disruptive incidents.
- Comply with applicable legal and regulatory requirements, including the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), as they apply in England and Wales.
This Policy applies to all production data, systems, and services owned or managed by Cleverly. It governs data hosted in the Company’s Amazon Web Services (AWS) environment and any related third-party infrastructure where the Company has control or contractual provisions.
2. Roles and Responsibilities
- Data Protection Officer (DPO) or equivalent role
  - Ensures the Policy aligns with data protection laws and regulations.
  - Oversees compliance with this Policy, including periodic reviews.
- Infrastructure/DevOps Team
  - Implements and maintains backup and recovery procedures.
  - Conducts backup and recovery tests.
  - Monitors backup schedules and investigates any reported failures or anomalies.
- Information Security Officer
  - Ensures security measures for backup data are adequate.
  - Manages encryption, access control, and related security protocols.
- All Employees and Contractors
  - Adhere to this Policy and follow instructions related to data handling.
  - Report any suspected data loss or compromise to the Infrastructure/DevOps Team.
3. Backup Policy Statement
Cleverly recognises that maintaining reliable backups is critical for business continuity, data integrity, and compliance with legal obligations. Backups will be performed in a manner that is consistent with:
- Data Protection Act 2018 and UK GDPR, ensuring the confidentiality, integrity, and availability of personal data.
- Industry best practices for secure backup management and encryption.
4. Backup Methodology
- Location of Backups
  - Backups are stored on Amazon Web Services (AWS) infrastructure in the London region (“eu-west-2”).
  - Additional secure storage mechanisms may be used if required to maintain data redundancy and resilience.
- Backup Frequency
  - Daily Snapshots: Cleverly takes daily snapshots of the Company’s production databases between 3:00 and 3:30 am UTC.
  - Additional Backups: Ad-hoc or more frequent backups may be taken in response to major system changes, patches, or specific client requirements.
- Backup Retention
  - Daily snapshots are retained for six (6) days.
  - The Company regularly reviews retention periods to ensure consistency with legal, regulatory, and operational requirements.
- Data Scope
  - Databases: All production databases residing in AWS RDS.
  - File Storage: Critical file data stored in AWS S3 buckets, encrypted with keys managed in AWS Key Management Service (KMS).
  - Configuration: Certain critical configurations and code repositories maintained in GitHub and subject to version control. Although GitHub is not a primary backup mechanism, it functions as part of Cleverly’s disaster recovery plan for code and deployment pipelines.
- Encryption and Security
  - All backups are encrypted at rest using AWS Key Management Service (KMS).
  - Access to backup data is restricted via AWS Identity and Access Management (IAM), employing role-based access control (RBAC), least-privilege principles, and multi-factor authentication (MFA).
- Physical Security
  - As backups are stored in AWS data centres, physical security is governed by AWS’s own robust security controls and certifications (e.g., ISO 27001, SOC 2).
5. Restoration and Recovery
- Recovery Objectives
  - Recovery Point Objective (RPO): Up to 24 hours of data could be lost in a worst-case scenario, since snapshots are taken once a day.
  - Recovery Time Objective (RTO): The Company aims to restore services within a few hours of a disruptive event.
- Recovery Testing
  - Daily Recovery Tests: The Infrastructure/DevOps Team performs daily recovery tests to verify that backups are consistent and can be restored quickly in the event of a failure.
  - Annual Disaster Recovery Drills: In addition to daily tests, the Company conducts more comprehensive disaster recovery drills at least once a year to validate the overall business continuity plan.
- Restoration Procedure
  - Initiation: Restoration may be initiated by the Infrastructure/DevOps Team upon detection of data corruption, system compromise, or other critical service failures.
  - Execution: The relevant AWS RDS snapshot is identified, restored to a newly provisioned instance, and tested before the restored data is promoted to live environments.
  - Verification: After restoration, the data’s integrity is verified, and services are tested to ensure full functionality.
  - Documentation: All restoration activities are logged, including date/time, reason for restore, personnel involved, and outcome.
- Incident Response
  - If data loss or corruption is discovered, the incident response plan is triggered. This includes notifying relevant stakeholders, implementing corrective measures, and documenting root cause analysis.
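The following check is added here as a worked example; it is not part of Cleverly’s own tooling. It turns the controls stated in sections 4 and 5 (daily snapshots in the 03:00 to 03:30 UTC window, six-day retention, KMS encryption at rest, a 24-hour RPO) into an audit over RDS snapshot metadata. It consumes the record shape that boto3’s `rds.describe_db_snapshots()` returns (keys such as `DBSnapshotIdentifier`, `SnapshotCreateTime`, `Encrypted`, `KmsKeyId`, `Status`, `SnapshotType`), but the snapshot list, instance names and KMS key ARN below are constructed placeholders so the check runs offline; in practice you would pass `rds.describe_db_snapshots()["DBSnapshots"]` and the real key ARN.

```python
from datetime import datetime, timedelta, timezone

# Policy parameters taken from sections 4 and 5 of the Backup Policy.
RETENTION_DAYS = 6
RPO = timedelta(hours=24)
WINDOW_START, WINDOW_END = (3, 0), (3, 30)  # 03:00-03:30 UTC snapshot window

# Placeholder key ARN (assumption for this example); use the real backup key in practice.
EXPECTED_KMS_KEY = "arn:aws:kms:eu-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"


def audit_snapshots(snapshots, instance_ids, now, expected_key=EXPECTED_KMS_KEY):
    """Return a list of policy findings for a set of RDS snapshot records.

    `snapshots` uses the dict shape returned by boto3's describe_db_snapshots();
    `instance_ids` lists the production instances that must each have a recent,
    restorable snapshot; `now` is a timezone-aware datetime.
    """
    findings = []
    newest = {}  # instance id -> creation time of its newest *available* snapshot

    for s in snapshots:
        sid = s["DBSnapshotIdentifier"]
        created = s["SnapshotCreateTime"].astimezone(timezone.utc)
        age = now - created

        # A snapshot that is still being created (or has failed) cannot be restored,
        # so it must not count towards the RPO.
        if s.get("Status") != "available":
            findings.append(f"{sid}: status '{s.get('Status')}' is not restorable")
            continue

        # Encryption at rest with the expected KMS key (section 4, Encryption and Security).
        if not s.get("Encrypted") or not s.get("KmsKeyId"):
            findings.append(f"{sid}: not encrypted with a KMS key")
        elif s["KmsKeyId"] != expected_key:
            findings.append(f"{sid}: encrypted with unexpected key {s['KmsKeyId']}")

        # Retention: anything older than six days should already have been pruned.
        if age > timedelta(days=RETENTION_DAYS):
            findings.append(f"{sid}: {age.days} days old, exceeds {RETENTION_DAYS}-day retention")

        # Automated daily snapshots are expected inside the 03:00-03:30 UTC window.
        if s.get("SnapshotType") == "automated" and not (
            WINDOW_START <= (created.hour, created.minute) <= WINDOW_END
        ):
            findings.append(f"{sid}: taken at {created:%H:%M} UTC, outside the backup window")

        inst = s["DBInstanceIdentifier"]
        if inst not in newest or created > newest[inst]:
            newest[inst] = created

    # RPO: every production instance needs a restorable snapshot less than 24 h old.
    for inst in instance_ids:
        if inst not in newest:
            findings.append(f"{inst}: no restorable snapshot found")
        elif now - newest[inst] > RPO:
            hours = (now - newest[inst]).total_seconds() / 3600
            findings.append(f"{inst}: newest snapshot is {hours:.0f} h old, exceeds 24 h RPO")
    return findings


def _snap(sid, inst, when, encrypted=True, key=EXPECTED_KMS_KEY,
          status="available", kind="automated"):
    """Build one constructed snapshot record in describe_db_snapshots() shape."""
    return {"DBSnapshotIdentifier": sid, "DBInstanceIdentifier": inst,
            "SnapshotCreateTime": when, "Encrypted": encrypted,
            "KmsKeyId": key if encrypted else None, "Status": status,
            "SnapshotType": kind}


# Constructed sample data (not real Cleverly snapshots): the audit runs as of
# 09:00 UTC on the policy's "Last Updated" date.
UTC = timezone.utc
NOW = datetime(2025, 1, 27, 9, 0, tzinfo=UTC)
PRODUCTION_INSTANCES = ["prod-db-1", "prod-db-2", "prod-db-3"]
SAMPLE_SNAPSHOTS = [
    _snap("rds:prod-db-1-2025-01-27-03-12", "prod-db-1", datetime(2025, 1, 27, 3, 12, tzinfo=UTC)),
    _snap("rds:prod-db-1-2025-01-26-03-11", "prod-db-1", datetime(2025, 1, 26, 3, 11, tzinfo=UTC)),
    # Eight days old: retention job has not pruned it.
    _snap("rds:prod-db-1-2025-01-19-03-10", "prod-db-1", datetime(2025, 1, 19, 3, 10, tzinfo=UTC)),
    # Newest restorable snapshot for prod-db-2 is about 54 h old: RPO breach.
    _snap("rds:prod-db-2-2025-01-25-03-12", "prod-db-2", datetime(2025, 1, 25, 3, 12, tzinfo=UTC)),
    _snap("rds:prod-db-2-2025-01-27-03-14", "prod-db-2", datetime(2025, 1, 27, 3, 14, tzinfo=UTC),
          status="creating"),
    # Manual pre-change snapshot taken without encryption.
    _snap("manual-prod-db-3-pre-migration", "prod-db-3", datetime(2025, 1, 27, 7, 45, tzinfo=UTC),
          encrypted=False, kind="manual"),
]

if __name__ == "__main__":
    for finding in audit_snapshots(SAMPLE_SNAPSHOTS, PRODUCTION_INSTANCES, NOW):
        print(finding)
```

Run daily after the backup window, this reports four findings on the sample data: the un-pruned eight-day-old snapshot, the snapshot still in `creating`, the unencrypted manual snapshot, and the RPO breach on prod-db-2. A snapshot that is not yet `available` is deliberately excluded from the RPO calculation, because a backup that cannot be restored does not reduce potential data loss.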
6. Access Controls and Auditing
- Access to Backup Data
  - Limited to authorised personnel within the Infrastructure/DevOps Team and the Information Security Officer.
  - Permissions are enforced through AWS Identity and Access Management (IAM) roles, applying the principle of least privilege.
- Audit Trails
  - Access attempts and modifications to backup data are logged using AWS CloudTrail.
  - Logs are regularly reviewed to detect unauthorised or unusual activity.
  - Audit logs can be provided, upon request and proper authorisation, in an anonymised form to protect privacy while offering the necessary transparency.
7. Legal and Regulatory Compliance
- Data Protection
  - The Company ensures that personal data, if stored in backups, is handled in compliance with the Data Protection Act 2018 and the UK GDPR.
  - Data subjects’ rights (e.g., right to erasure) are observed to the extent feasible for backup data, noting that restoring a backup may temporarily reinstate deleted data before it is once again removed or anonymised.
- Retention Obligations
  - Data retention shall adhere to contractual and statutory obligations. Where required, backups may be retained longer or disposed of sooner, subject to legal and regulatory requirements.
- Oversight and Review
  - This Policy is reviewed annually, or when material changes to the Company’s infrastructure, regulatory environment, or business requirements occur.
  - Revisions are approved by senior management, with guidance from the DPO (or equivalent).
8. Training and Awareness
- All relevant staff receive periodic training on backup and recovery procedures, data protection responsibilities, and security best practices.
- New employees and contractors undergo an onboarding process that includes an overview of this Policy.
9. Policy Violations
Failure to comply with this Policy may result in disciplinary action, up to and including termination of employment or contract. In cases of suspected legal violations, the Company may involve external authorities or pursue legal remedies.
10. Document Control
- Document Owner: Adam Edgell-Bush
- Approval Authority: Director
- Next Scheduled Review: January, 2026