Customer Data Backup Policy – Ending 18th August 2017 at 23:59
This customer data backup policy addresses
- A disaster occurring at the primary site
- Hardware failure
- Cybercrime (deletion or modification of data)
- Accidental deletion or modification of data
The table below identifies the main risks for data loss and the policy identified for managing the risk
|Data loss risk||Policy|
|A disaster occurring at the primary site (fire, flood, explosion, network etc.)||
|Hardware failure (database)||
|Hardware failure (server)||
|Hardware failure (network file system)||
|Cybercrime (deletion or modification of data)Accidental deletion or modification of data||
Physical Locations of Data Storage
Customer data is stored at two locations in the UK. Both premises deploy 24/7/365 manned security with CCTV surveillance.
- Primary site – Here, data is stored on our own equipment and co-located in a private locked cabinet at a TelecityGroup owned “Tier 2” data centre in Manchester.
- Disaster recovery Site (DRS) – Here, data is stored on our own equipment, housed in a locked cabinet in a dedicated, locked environment at Node4, Wakefield.
Customer Data Backup
Customer data is stored as either live “database data” in the application database on the database server or as “file data” on the network file system.
The network file system is comprised of two physical servers (one at the primary site and one at the DRS) that are made available in a high-availability failover cluster using Microsoft Distributed File System.
All servers use RAID technology to distribute customer data across an array of hard drives to limit the impact of a single drive failure. Each server utilises at least one ‘Hot Spare’ so that in the event of a single drive failure, the hot spare drive is automatically deployed at the earliest possible opportunity.
Database data comprises:
- the list of authorised users, their personal data and their configuration settings
- an activity log of key events as undertaken by the authorised users
- organisational parameters and configuration settings
- security settings and access permissions granted to authorised users
- details of assessments, reviews, plans, progress and signatures recorded by authorised users
The following rules are applied when backing up database data:
- Database data is backed up in full at 3am daily and incrementally every 15 minutes, 7 days a week, 365 days a year.
- The backup files are transferred to the network file system and replicated to the DRS on a continuous basis. Personnel manually verify replication success twice a day.
- The retention policy for expired database data is 90 days.
File data (documents, movies, audio, photographs etc.) comprises:
- the files that the customer has provided for its authorised users
- the files that the authorised users have provided as assessment evidence
- other files that authorised users have uploaded for private or public online access
- the backup files containing the database data
The following rules are applied to backing up file data:
- File data is stored on the network file system that is comprised of two physical servers (one at the primary site and one at the DRS). The network file system is made available in a high-availability failover cluster using Microsoft Distributed File System. Files at the DRS are backed up to disk every 15 minutes using a dedicated backup server.
- All servers hosting customer data are encrypted to AES-256bit standard using Microsoft Bitlocker with hardware-based Trusted Platform Modules protecting system drives and data drives. This level of encryption is designed to protect the disks should they be stolen as they cannot be read in another system without a special recovery key.
- User passwords in the database are encrypted irreversibly so that personnel or end-users cannot read them.
- Customer data moving between our servers and user browsers is encrypted using a 2048-bit strength certificate.
- Customer data moving between the data centre and our offices is encrypted using an IPSec VPN (virtual private network).
- File data (Eportfolio data) is retained for the period stipulated by the awarding body (usually 5 years) or the funding body (usually 6 years), whichever is the greater. Customers may request the deletion of eportfolios before this period by giving written instruction.
- Copies of database backup files are kept for 90 days before being deleted.
Restore & Recoverability
- Identical database server hardware is located at the DRS and can be relocated to the primary site with a full restore of the most current data and made operational within an hour.
- It can be made operational at the DRS within 15 minutes.
Disaster Recovery Site (DRS)
- Senior management will make the decision to elevate the DRS after gathering intelligence and reviewing all available options
- We aim to have a fully functioning operational service within 30 minutes of making a decision to elevate the DRS.
- External routing to the DRS is activated by updating our Domain Name Service records.
Customer Data Backup Policy – Effective 19th August 2017
This backup policy describes the conditions and archiving procedures in which Onefile Ltd (“we”) backup and archive the data that you upload and store in our online software applications (“Customer Data”).
This policy is only applicable to customers with an active contract supported by a written agreement (the “Agreement”).
|“Backup”||Means any copy of the Customer Data that is taken on a regular basis and stored in a secure location and is further defined in section 5;|
|“Backup Retention Period”||Means the amount of time in days that we hold Backups for in the event of DR;|
|“DR”||Means disaster recovery and is the approach taken to recover services in the event of an Incident;|
|“Incident”||Means an event that affects either the availability, confidentiality or integrity of the Customer Data;|
|“RPO”||Means the recovery point objective as defined in section 4 which is the targeted maximum age of Customer Data that may be unrecoverable following an incident;|
|“RTO”||Means the recovery time objective as defined in section 4 which is the targeted maximum duration of time for the Services to be fully restored following any incident;|
|“Services”||Shall have its meaning as defined in the Agreement|
4. Backup Objectives
4.1 The RPO is 30 minutes.
4.2 The RTO is 30 minutes.
4.3 The Backup Retention Period is 90 days.
5. Policy Principles
5.1 Backups are used by OneFile for recovering data in the event of an Incident.
5.2 Backups are stored in UK data centres certified to ISO27001 standard and will never be moved outside the UK or a location that does not meet this standard, unless otherwise explicitly stated in your agreement.
5.3 Backups consist of:
5.3.1 Database Backups which are taken throughout the day at intervals no less than the RPO and copied to a DR data centre located within the UK
5.3.2 File backup copies which are taken throughout the day, and stored at a DR data centre
5.4 Backups from the previous day are tested each day to ensure they are valid.
5.5 Only named employees of Onefile Ltd have access to Backups.
5.6 Files are stored in an encrypted form when saved to the storage system.
5.7 The DR site data centre is maintained with equivalent capabilities as the production data centre to ensure the continuation of service performance in the event of a serious incident.
This policy is version 2 and was last updated on 3 July 2017. Any amendments to this policy will be notified to customers with 30 days’ notice.
Also see: Information Security Policy.