Disaster Recovery + Business Continuity

RTO / RPO posture

Recovery time + recovery point targets per surface, backup schedules, failover regions, and the cadence of our DR drills. Banking-tier business continuity by design — not bolted on after the fact.

Per-surface RTO + RPO

| Surface | RTO | RPO | Notes |
|---|---|---|---|
| Customer dashboard (app.regunav.com) | 30 minutes | 5 minutes | Cloudflare Pages multi-region static edge + D1 + R2. |
| Compliance API (api.regunav.com) | 30 minutes | 5 minutes | Cloudflare Workers global edge + D1 replicas. |
| Code Constitution API (api.codeconstitution.com) | 30 minutes | 5 minutes | Same worker as compliance API · GitHub webhook retry handles in-flight. |
| Audit trail (WORM) | 1 hour read · 0 minutes write | 0 minutes | Append-only with multi-region S3 / R2 replication. Reads degrade gracefully; writes never lost. |
| Evidence packs (R2) | 1 hour | 0 minutes | R2 multi-region replication + Object Lock COMPLIANCE retention. |
| Log aggregator + dashboard | 2 hours | 5 minutes | Customer's GitHub logs branch is the SSOT — even if our dashboard goes dark, customers see their data via gh CLI. |

Backup posture per data layer

D1 (Postgres-compatible)
Schedule: Continuous transaction log + nightly snapshot
Retention: 30 days nightly + 7 days hourly
Restore: Point-in-time restore via wrangler d1 time-travel — verified quarterly
R2 (object storage)
Schedule: Continuous multi-zone replication within region + cross-region replication to secondary
Retention: Object Lock COMPLIANCE: 3 years (Business) / 7 years (Enterprise)
Restore: Object versions are immutable; restore is a metadata operation
ClickHouse (analytics warehouse)
Schedule: Daily full + hourly incremental to S3-compatible cold storage
Retention: 90 days full · 1 year cold
Restore: Rebuild from cold storage in < 4 hours; verified quarterly
Configuration + secrets
Schedule: Wrangler / Terraform state stored in versioned S3 with object versioning
Retention: Indefinite — config is code
Restore: git revert + redeploy

Regions + failover topology

Primary
Cloudflare global edge (270+ POPs) + R2 EU-West-1 + R2 US-East-1
All customer traffic by default
Secondary
Same Cloudflare edge + R2 secondary region per customer requirement
Automatic failover; activated by health-check failure
Cold
S3 Glacier Deep Archive + offline-encrypted backups
7-year retention floor; restore in 12 hours

DR drills

Region failover
Quarterly
Black-box simulation: primary R2 region marked unreachable; verify reads + writes flow to secondary in < 30 minutes.
D1 point-in-time restore
Quarterly
Restore a known database to a timestamp from 24 hours prior; verify row count + audit-chain integrity post-restore.
Customer-data recovery
Semi-annually
Simulate an accidental customer deletion; restore from backup to a sandbox tenant and verify against last-known-good baseline.
Audit-trail tamper detection
Continuous
Replay engine walks the entire WORM chain; any hash mismatch generates a P1 incident.
Full DR tabletop
Annually
Multi-team simulation of a multi-region outage; review communications playbook, customer notification cadence, regulatory reporting timelines.
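
The chain walk named under "Audit-trail tamper detection", which is also the audit-chain integrity check in the D1 point-in-time restore drill, shown as an added example that is not the vendor's replay engine. The record layout (prev, payload, hash), the SHA-256 construction, the all-zero genesis value and the separately stored head hash are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor for the first entry's "prev" field


def entry_hash(prev: str, payload: dict) -> str:
    """SHA-256 over the previous entry's hash plus canonical JSON of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev}\n{body}".encode("utf-8")).hexdigest()


def append(chain: list, payload: dict) -> None:
    """Append a record that commits to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})


def replay(chain: list, expected_head: Optional[str] = None) -> list:
    """Walk every entry and return (index, reason) findings; empty means intact."""
    findings = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            findings.append((i, "broken link"))
        if entry_hash(entry["prev"], entry["payload"]) != entry["hash"]:
            findings.append((i, "hash mismatch"))
        prev = entry["hash"]
    # A truncated or fully rewritten chain is still self-consistent, so the
    # final hash is compared with a head value recorded outside the store.
    if expected_head is not None and prev != expected_head:
        findings.append((len(chain), "head mismatch"))
    return findings


def build_sample() -> list:
    """Constructed sample records, not real audit data."""
    chain = []
    for seq, action in enumerate(["login", "export", "delete", "logout"]):
        append(chain, {"seq": seq, "actor": "user-1", "action": action})
    return chain


if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["hash"]
    chain[1]["payload"]["action"] = "view"  # edit one record in place
    print(replay(chain, head))  # a non-empty result is what would raise the incident
```

After a point-in-time restore, passing the head hash recorded before the restore window distinguishes an intact but shorter chain from one that lost entries it should still contain.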

Drill results + evidence

The most recent DR drill report is published to the auditor portal each quarter under /auditor → DR drill evidence. Drill outcomes, RTO/RPO actuals vs targets, and any remediation actions are recorded in the WORM audit trail. Tier-1 customers see a deeper view via their dedicated channel.

DR posture last reviewed: 2026-05-17. Material changes are announced via the Trust Center change-log + email to your account contact 30 days before they take effect.