Back to Home

Disaster Recovery Policy

Version 1.0 · Confidential · Mitigata Insurance Brokers Pvt. Ltd.

This document is confidential and intended for internal use only. All information contained herein is subject to applicable laws and regulations. Unauthorized reproduction, distribution, or disclosure of its contents is prohibited.

1. Purpose

The Disaster Recovery (DR) Policy establishes the framework, procedures, and responsibilities required to recover Alphawave Technologies Private Limited's IT systems, data, and SaaS platform services following a disruptive event. The policy ensures business resilience and protects the confidentiality, integrity, and availability of critical data. It aims to:

  • Restore critical business functions (SaaS platform, billing, customer support) within defined recovery objectives.
  • Protect customer, operational, and financial data through resilient backup and restoration practices.
  • Align with ISO 27001:2022, GDPR, CCPA, DPDPA, and CERT-In requirements.
  • Integrate with the Business Continuity Plan (BCP), Incident Management Policy, and Security Incident Response Plan (SIRP).
  • Minimize downtime, data loss, and operational impact during incidents.

2. Scope

This policy applies to:

  • All production and non-production IT systems, including endpoints, servers, network devices, applications, databases, and APIs.
  • All cloud workloads in AWS (ap-south-1 primary, ap-southeast-1 secondary), Azure, and Google Cloud.
  • All critical business functions including SaaS platform delivery, customer support, billing, and payment processing.
  • All employees, contractors, and third-party vendors involved in recovery operations.
  • Data types including customer PII, payment details, operational data, financial records, and intellectual property.

3. Roles and Responsibilities

  • BCP Coordinator (Mayank Morya, CTO) — Owns the Business Continuity Plan and approves DR strategies for critical business functions (SaaS platform, billing).
  • IT Recovery Lead (Anuj Kumar, IT Director) — Manages technical recovery, ensures controls align with RTO/RPO targets, leads DR drills.
  • Operations Head (Sarthak Dubey, COO) — Manages customer communications during outages and approves recovery decisions affecting customers.
  • Compliance Officer (GRC Manager) — Verifies regulatory compliance during and after incidents; coordinates with regulators.
  • System Administrators — Execute restore procedures, validate restored systems, and maintain backup infrastructure.
  • SOC Team — Monitors data-related activities 24x7 using SIEM and DLP tools; detects and escalates incidents triggering DR.
  • Data Protection Officer (DPO) — Coordinates breach notifications and ensures privacy compliance during recovery.
  • Third-Party Vendors — Notify Alphawave within 24 hours of incidents impacting shared services and support recovery per SLAs.

4. Recovery Objectives

Recovery targets are defined per system criticality and reviewed annually:

  • Recovery Time Objective (RTO) — Maximum acceptable downtime before restoration of a critical function. Critical systems (SaaS platform, billing): 4 hours.
  • Recovery Point Objective (RPO) — Maximum acceptable data loss. Critical systems: 1 hour.
  • Containment of affected systems during a breach: within 1 hour.
  • Restore from backups during a breach: within 90 minutes (per SIRP).
  • Customer notification of confirmed personal data breaches: within 24 hours.
  • Regulatory notification — CERT-In within 6 hours for critical incidents; GDPR authorities within 72 hours.

5. Backup Strategy

5.1 Backup Frequency and Storage

  • Schedule daily backups of critical data (customer databases, billing records) to encrypted, off-site storage.
  • Use encrypted S3 buckets with versioning for backups.
  • Maintain geo-redundant backups across AWS regions (ap-south-1, ap-southeast-1).
  • Use cloud-based archives (e.g., AWS S3 Glacier) with geo-redundancy and encryption for long-term retention.

5.2 Encryption and Access

  • Encrypt backup data at rest with AES-256 and in transit with TLS 1.3.
  • Restrict backup access to authorized personnel with MFA and Privileged Access Management (PAM) controls.
  • Maintain metadata for retrievability (data type, retention period, access history).

5.3 Backup Integrity Testing

  • Test backup integrity and restoration processes quarterly.
  • Verify restored data for integrity and security before resuming operations.
  • Document test results and remediate failures within 30 days.

6. Recovery Procedures

6.1 Activation

  • DR plan activated by the IT Recovery Lead upon confirmation of a qualifying disruptive event (major outage, ransomware, regional cloud failure, confirmed data breach).
  • BCP Coordinator notified within 30 minutes of activation.
  • SOC Team continues 24x7 monitoring using SIEM and DLP tools throughout the recovery window.

6.2 Containment and Restoration

  • Isolate affected systems within 1 hour to prevent further damage or data loss.
  • Restore critical services from the most recent verified backup, respecting RTO/RPO targets.
  • For breach-driven recovery, follow the SIRP for containment, eradication, and recovery (restore from backups within 90 minutes).
  • Validate data integrity, encryption, and access controls before bringing systems back online.

6.3 Failover

  • For regional failure in AWS ap-south-1, fail over to ap-southeast-1 geo-redundant infrastructure.
  • Ensure customer data localization (DPDPA) is maintained or obtain explicit consent where cross-region failover requires it.
  • Verify DNS, API endpoints, and authentication services post-failover.

6.4 Communication

  • Notify affected customers within 24 hours of confirmed personal data breaches via email, status page, and social media.
  • Report to CERT-In within 6 hours for critical incidents; GDPR authorities within 72 hours; DPDPA per Indian timelines.
  • Operations Head leads customer-facing communications; DPO leads regulatory notifications.

7. DR Testing and Drills

  • Conduct annual tabletop exercises simulating data breach and outage scenarios, involving the IRT, IT Recovery Lead, BCP Coordinator, and DPO.
  • Conduct quarterly backup restoration tests in non-production environments.
  • Review DR controls during BCP testing and incident response drills (per BCP Coordinator).
  • Document test outcomes, lessons learned, and remediation actions in a secure AWS S3 bucket.

8. Post-Incident Review

  • Conduct a post-incident review within 72 hours of resolution, documenting timeline, impact, root cause, and lessons learned.
  • Update risk assessments and mitigation plans per the Risk Remediation Plan.
  • Update training content and DR procedures based on findings.
  • Maintain detailed incident records, including breach impact, response actions, and stakeholder notifications.

9. Third-Party Dependencies

  • Require vendors handling shared services to provide SOC 2 Type II, ISO 27001, or equivalent certifications.
  • Include DR and incident notification clauses (within 24 hours) in vendor contracts and DPAs.
  • Assess vendor recovery capabilities during annual vendor audits.
  • Ensure AWS Shared Responsibility Model compliance is reviewed quarterly.

10. Training and Awareness

  • IT staff trained on encryption, DLP, backup, and recovery processes (semi-annual sessions plus annual refreshers).
  • Customer Support trained on outage and breach communication protocols.
  • Annual mandatory training for all employees and contractors covering DR roles, breach reporting, and recovery procedures.
  • Vendors required to complete annual training covering Alphawave's policies, regulatory obligations, and incident reporting.

11. Compliance and Auditing

  • Annual audits by internal teams and CERT-In empaneled auditors; quarterly internal reviews.
  • Verify backup integrity, restoration capability, encryption, and access controls.
  • Address critical audit findings within 30 days, non-critical within 90 days.
  • Maintain a compliance register documenting DR tests, incidents, audits, and regulatory communications.

12. Policy Review and Updates

  • Review the policy annually or after regulatory changes (DPDPA, GDPR updates), significant incidents (major outage, breach), or technology changes (new cloud services, cloud migrations).
  • Reviews led by the IT Recovery Lead with the BCP Coordinator, Compliance Officer, and DPO.
  • Updates approved by the Compliance Officer and senior management.
  • Communicate updates via email, training sessions, and the employee portal; require acknowledgment from all personnel.
  • Maintain a version control log with change details, approvers, and implementation dates.

IT Recovery Lead

itops@mitigata.com

Security Incidents

security@mitigata.com

Registered Office

Second Floor, Gayathri Mansion, 80/3, Outer Ring Rd, Bellandur, Bengaluru, Karnataka 560103

Mitigata Insurance Brokers Pvt. Ltd.

A subsidiary of Alphawave Technologies Private Limited

IRDAI Registration No.: IRDAI/INT/BRK/DB 1115/2024CIN: U66220KA2024PTC186580