Legal & Compliance

Business Continuity
& Disaster Recovery

Architecture, backup strategy, recovery targets, and the honest state of multi-region capability. Public summary — full operational runbook available to enterprise customers under NDA.

Document version: 1.0 · Effective: 2026-05-01 · Next review: 2027-05-01

Scope of this document: This is the public-facing BCP summary. It describes design intent, current state, and honest gaps. Enterprise customers may request the full internal operational runbook, which includes step-by-step recovery procedures, contact trees, and vendor escalation paths.

1. Architecture & Primary Region

1.1 Current production architecture

CloakAPI currently operates from a single primary region: Hetzner Cloud, Nuremberg (nbg1), Germany (EU). This is an independently certified, audited Tier III-equivalent facility operated by Hetzner Online GmbH, subject to German and EU law.

1.2 Single-region risk acknowledgement

We acknowledge that a single-region architecture creates a regional failure risk. This is a deliberate current-state trade-off for a pre-enterprise-revenue product. The mitigation strategy is the backup and recovery architecture described in Section 2, which limits data loss exposure to the RPO window. Multi-region failover is on the roadmap (Section 5).

2. Backup Strategy

2.1 Backup schedule

All persistent data is backed up every 6 hours. Backups run at 00:00, 06:00, 12:00, and 18:00 UTC.

2.2 Backup architecture

2.3 Backup scope

2.4 Backup testing

Restore procedures are documented and exercised on a target quarterly cadence: a full restore to a temporary environment with data-integrity verification, logged, with any failure investigated before the next backup cycle. This is our intended cadence as we build operating history; we will not claim a completed test record we do not yet have.

3. Recovery Targets

RTO — Recovery Time Objective
4 hours
Time to restore service from declared disaster
RPO — Recovery Point Objective
6 hours
Maximum data loss window (backup interval)
DR drill cadence
Annual
Target cadence — full end-to-end recovery test (see §6)

3.1 RTO basis

The 4-hour RTO assumes: infrastructure can be provisioned on a new host within 30–60 minutes; backup decryption and restore requires 30–90 minutes for typical data volumes; application deployment and smoke-test requires 30–60 minutes; DNS propagation and health checks require up to 30 minutes. The 4-hour figure provides margin above these estimates.

3.2 RPO basis

The 6-hour RPO reflects the backup interval — the maximum window of data created between snapshots that could be lost in a total-loss event. The 6-hour figure is the conservative target commitment. (Continuous WAL archiving, which would tighten the effective window to minutes, is on the roadmap and not yet enabled.)

4. Disaster Scenario Coverage

Scenario A
Host hardware failure or hypervisor fault
Recovery: provision new Hetzner CX43 instance (same or adjacent region), restore from latest backup, update DNS A record. Estimated time: 2–3 hours.
Scenario B
Data corruption (application or operator error)
Recovery: identify point-in-time before corruption using WAL archive, restore PostgreSQL to known-good state, validate data integrity. Estimated time: 1–3 hours depending on scope.
Scenario C
Hetzner Nuremberg region-wide outage
Recovery: provision replacement infrastructure on an alternative cloud provider (Hetzner Falkenstein or Contabo DE), restore from off-site backup host. Estimated time: 3–4 hours. This scenario tests the RTO boundary.
Scenario D
Security incident / ransomware
Recovery: isolate affected systems; restore from off-site backups (pull model prevents backup encryption by ransomware); rebuild infrastructure from IaC. Estimated time: 4 hours. Decryption keys for backups are held off-system.
Scenario E
Key person unavailability
CloakAPI is currently operated by a single operator. Operational runbooks, recovery credentials and procedures are documented and held off-system so that recovery does not depend on any single machine. Single-person dependency is a known, disclosed risk, mitigated through documentation and off-host custody; adding a named secondary operator is a roadmap item as the business grows.

5. Multi-Region Roadmap

Multi-region active-active or active-standby failover is not yet implemented. It is on the technical roadmap and will be prioritised when the first enterprise customer with a contractual multi-region requirement engages. We will not commit to a calendar date for this capability that does not reflect genuine delivery intent.

The planned architecture for multi-region uses a second Hetzner location (Helsinki or Falkenstein) with synchronous database replication and Cloudflare for traffic routing, with a target RTO of < 15 minutes and RPO of < 1 minute in active-standby mode.

6. Annual DR Drill Commitment

CloakAPI commits to performing a full end-to-end DR drill at least annually. The drill covers:

Once the first drill is completed, its report will be available to enterprise customers on request to trust@cloakapi.io. We will not publish drill results before a drill has run.

7. Customer Communication During an Outage

All incidents are communicated via status.cloakapi.io. Major incidents (SEV-1/SEV-2) also trigger email notification to billing contacts.

8. Document Review

This BCP summary is reviewed annually, or after any significant architectural change or DR drill that identifies material gaps. The next scheduled review is 2027-05-01.