Backup Policy

Version: 1.1
Status: Approved
Last modified: April 2025
Next Review Date: October 2025

ISO Statement

oboloo Limited is actively aligning with ISO/IEC 27001:2022 and has implemented this Backup Policy in accordance with Annex A control A.12.3.1 (Information Backup), as well as A.17.1.3 (Testing of backups), and A.9.4 / A.10.1 (Access control and encryption). This policy defines how critical systems and data are backed up, stored, retained, and recovered to support business continuity and information resilience.

Introduction

This Backup Policy defines the standards and responsibilities for the secure backup, storage, and recovery of oboloo Limited’s data and systems. It ensures that business-critical information is protected against loss or damage and can be restored in the event of an incident such as system failure, data corruption, or cyberattack.

Definitions

  • Backup: A copy of data or system information created for recovery and continuity purposes.

  • Disaster Recovery: The processes involved in restoring operations after a disruption.

  • Critical Data: Any information essential to business operations, including customer data, application configurations, and financial records.

  • Retention Period: The amount of time backup data is preserved before secure disposal.

Who We Are and How to Contact Us

This policy is issued by oboloo Limited, a company registered in England and Wales (Company Number: 12420854), with its trading address at:

7 Bell Yard, London, England, WC2A 2JR

If you have any questions about this policy, please contact us at:
📧 hello@oboloo.com

Acceptance of Terms

By accessing or managing systems, infrastructure, or data governed by this policy, you acknowledge and agree to the terms of this Backup Policy. Failure to comply may result in disciplinary or legal action.

Changes to This Policy

oboloo may revise this policy periodically. All updates will be communicated to staff and service providers where applicable. The latest version will always be accessible on the company intranet or upon request.

Related Policies

This policy should be read alongside the following:

Purpose

The purpose of this policy is to:

  • Ensure the reliable backup of critical information assets.

  • Maintain business continuity and operational resilience.

  • Protect against accidental or malicious data loss.

  • Support compliance with ISO/IEC 27001:2022 and applicable legal or contractual requirements.

Scope

This policy applies to:

  • All production systems and applications containing customer or internal data.

  • All databases, file servers, cloud storage services, and hosted environments under oboloo’s control.

  • All employees, contractors, and third parties involved in backup processes.

Backup Procedures

Frequency

  • Production Databases: Daily incremental backups and weekly full backups.

  • Application Configurations & Logs: Backed up weekly or after significant changes.

  • Documents and Shared Storage: Backed up nightly.

Storage

  • Backups are encrypted in transit and at rest.

  • Data is stored in secure, access-controlled, geographically separate locations.

  • Redundant copies are maintained to support disaster recovery objectives.

Retention

  • Backups are retained for a minimum of 30 days, with longer retention available for contractual or legal compliance.

  • Retention schedules are reviewed annually and updated as necessary.

Disposal

  • When no longer required, backup data is securely deleted or destroyed using approved erasure methods.

  • Backup media (if used) is disposed of via certified destruction providers or hardware sanitisation procedures.

Testing and Validation

  • Backup restore tests are conducted at least twice per year.

  • Tests include random file restores, full system recovery simulations, and verification of data integrity.

  • Results are documented and reviewed by the Head of Security and retained for audit.

Roles and Responsibilities

  • Dev Lead: Ensures automation and success of daily/weekly backup jobs.

  • Head of Security: Oversees testing, documentation, and audit readiness.

  • System Owners: Define backup needs for new or updated systems.

  • IT Team: Performs regular validation and responds to incidents requiring restoration.

Reporting Violations

  • Any suspected or actual breach of this policy must be reported immediately to the Data Protection Officer at hello@oboloo.com. No employee will face retaliation for reporting violations in good faith.

ISO/IEC 27001 Annex A Mapping

Policy Section | ISO/IEC 27001 Control Ref | Description
Backup Strategy | A.12.3.1 | Information backup and retention
Testing & Validation | A.17.1.3 | Verifying recoverability of data
Access & Security | A.9.4 / A.10.1 | Access control and encryption

Review and Update of the Methodology

  • Review Cycle: Every 6 months or following major infrastructure changes.

  • Change Management: All policy changes are logged and communicated to affected personnel.

  • Training: Staff involved in backup processes receive appropriate training.

Document Control

Version: 1.1
Date: April 2025
Description: Initial backup policy aligned to ISO/IEC 27001:2022