Purpose
This policy defines EXG's approach to data backup, system recovery, and business continuity across all technology systems.
Scope
This policy covers all EXG-operated technology systems including:
- Department hubs (Compliance, E-commerce, Recon, Intranet)
- Connected third-party business systems (Zoho, Xero, Shopify, Amazon)
- Consumer-facing sites (Peekos, The Vault)
Legal & Regulatory Obligations
This policy supports EXG's compliance with the following UK legal and regulatory requirements.
UK GDPR & Data Protection Act 2018
EXG is registered with the Information Commissioner's Office (ICO) as a data controller. Under UK GDPR Article 32, EXG is required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — including measures to protect against accidental loss, destruction, or damage to personal data. This policy constitutes part of those measures.
EXG processes personal data across several systems:
- Employee data — HR records, payroll, employment contracts (SharePoint)
- Customer/partner data — order data, contact details (Zoho Inventory, Shopify)
- Financial data — invoices containing personal identifiers (Xero, Zoho)
The Digital & Technology Director (Lauren Bath — lauren@exgpro.com) is the designated lead for data protection matters and personal data breach response.
Mandatory Record Retention Periods
The following minimum retention periods apply under UK law. Backup and export schedules must be configured to meet these minimums.
| Record Type | Minimum Retention | Legal Basis |
|---|---|---|
| Financial records (Xero exports, invoices, accounts) | 6 years from end of accounting period | Companies Act 2006 / HMRC |
| VAT records | 6 years | HMRC VAT Notice 700/21 |
| Payroll records | 3 years after the tax year they relate to | HMRC PAYE regulations |
| Employment contracts & HR records | 6 years after employment ends | Employment law / UK GDPR |
| Contracts & commercial agreements | 6 years after expiry | Limitation Act 1980 |
| Customer order data | Duration of relationship + 6 years | UK GDPR / Limitation Act 1980 |
Current gap to address: Financial exports from Xero and Zoho are retained on SharePoint on a rolling basis. Finance team must ensure exports are not deleted before the 6-year minimum is met.
Disaster Response Framework
What Constitutes a Disaster
A disaster is any event that causes an EXG location or its IT services to become unavailable to the extent that normal operations cannot be maintained, including:
- Physical destruction of, or inability to access, the primary workplace
- IT infrastructure or cloud services unavailable for a period that would breach recovery time objectives
- Loss or corruption of critical business data
Scenario Classification
| Scenario | Description | Typical Causes |
|---|---|---|
| 1 — Building Inaccessible | Building intact but inaccessible or insufficiently staffed | Civil unrest, pandemic, flooding or fire in surrounding area, strike |
| 2 — IT Infrastructure Temporarily Unavailable | Building intact; IT services down | Power outage, WAN/LAN failure, cloud service outage breaching RTO |
| 3 — Total or Partial Building Loss | Building destroyed or critically damaged | Fire, natural disaster, structural failure |
EXG's position: All core systems are cloud-based — Microsoft 365, SharePoint, Teams, OneDrive, and all department hubs hosted on Netlify and managed providers. For Scenarios 1 and 3, staff relocate to home working; email, Teams, SharePoint, and OneDrive continue to function from any location with no recovery action required.
Roles & Responsibilities
| Role | Assigned To | Responsibilities |
|---|---|---|
| ERT Lead | Alan Fenwick / Julie Fenwick | Declares disaster, activates DRP, makes final decisions, coordinates communications |
| Emergency Response Team (ERT) | Management Board + Xenace | Assesses damage, coordinates recovery, invokes ISCP for IT systems, communicates status to teams |
| IT Service Owner | Xenace Ltd — 0333 444 4402 | Primary IT recovery contact; manages full Microsoft 365 suite (Exchange, SharePoint, OneDrive, Teams, Azure AD), hardware infrastructure, and coordinates cloud service recovery |
| HR Coordinator | Melanie Knight | Staff welfare, welfare monitoring, resourcing support during extended outage |
| Recovery Team | Department leads + Xenace | Operational recovery — ensures systems return to agreed service levels, reports progress to ERT |
Authorised Plan Activators
The following people are authorised to declare a disaster and activate this plan:
| Name | Role |
|---|---|
| Alan Fenwick | CEO |
| Julie Fenwick | Chief Operations Officer |
| Lauren Bath | Digital & Technology Director |
Plan Activation & Notification
- The person who first detects the event contacts the ERT Lead
- The ERT Lead, with input from Xenace, assesses the situation and assigns a scenario (1, 2, or 3)
- If the event meets the disaster definition, the ERT Lead formally declares a disaster
- The ERT notifies relevant department leads and Xenace — recovery teams begin procedures per the assigned scenario
- Staff not directly involved in recovery are notified via Teams / email with a status update
- Progress updates are issued at regular intervals until the disaster is deactivated
Damage Assessment
Before recovery begins, the ERT and Xenace jointly assess:
- Which systems, people, and locations are affected
- Estimated duration of outage: < 1 hr / 1–12 hrs / 12–48 hrs / > 48 hrs
- Business impact — which operations are degraded or stopped
- Whether formal DRP activation is warranted or the incident can be resolved under normal IT support procedures
Recovery → Restoration → Deactivation
| Phase | Description |
|---|---|
| Recovery | IT systems and working arrangements restored to a functional state (potentially secondary/home). See Disaster Recovery Procedures below. |
| Restoration | Once the primary location or systems are available, operations return to normal. ERT Lead notifies all staff. |
| Deactivation | ERT Lead formally declares the end of the disaster once all critical functions are fully restored. |
Data Classification
| Class | Description | Examples |
|---|---|---|
| Critical | Loss causes business disruption; unrecoverable without backup | PostgreSQL databases, OAuth tokens, API credentials |
| Important | Recoverable but time-consuming to rebuild | Reconciliation records, configuration files |
| Low | Recoverable from source with minimal effort | Source code (Git), static build artefacts |
Backup Policy by System Type
Static SPA Hubs
(Compliance Hub, E-commerce Hub, Peekos Product Site, The Vault)
| Asset | Backup Method | Frequency | RTO | RPO |
|---|---|---|---|---|
| Source code | Git repository | Every commit | Minutes | Zero |
| Netlify build artefacts | Netlify retains previous deploys; instant rollback | Automatic | Minutes | N/A |
| API credentials & env vars | Secure password manager (1Password / Bitwarden) | On change | Minutes | N/A |
No database backups required — these hubs hold no persistent data.
Full-Stack Hubs
(Recon Hub, Intranet Hub — when PostgreSQL is provisioned at go-live)
| Asset | Backup Method | Frequency | RTO | RPO |
|---|---|---|---|---|
| PostgreSQL database | Managed provider automated backups with point-in-time recovery (PITR) | Continuous / Daily | ~30 minutes | Minutes–24 hours |
| Redis (Recon Hub) | RDB snapshots or accept session loss on restart | Restart-safe | Minutes | Session data only |
| Xero OAuth token | Stored as environment variable in hosting platform | On change | Minutes | Re-authenticate |
| Source code | Git repository | Every commit | Minutes | Zero |
| Environment variables | Documented in secure password manager | On change | Minutes | N/A |
Managed database provider: EXG uses a managed PostgreSQL provider (Railway / Supabase / Render) for all full-stack hubs. These providers include automated daily backups, point-in-time recovery, and off-site storage — removing the need for manual pg_dump scripts. Backups are retained for a minimum of 7 days. The managed provider acts as the off-site backup storage location for all database assets.
Zoho Inventory — Master ERP
Zoho Inventory is EXG's single source of truth for stock, orders, purchase orders, and fulfilment. It is the most operationally critical system in the EXG stack.
| Asset | Backup Method | Frequency | RTO | RPO |
|---|---|---|---|---|
| All Zoho data | Zoho platform backups (vendor-managed, EU data centre) | Continuous | Per Zoho SLA | Per Zoho SLA |
| Data exports | CSV/Excel export stored in SharePoint | Monthly minimum | N/A | 30 days |
| API credentials | Documented in secure password manager | On change | Minutes | N/A |
EXG responsibilities:
- Retain monthly data exports of inventory, sales orders, and purchase orders — saved to the designated SharePoint backup folder. Exports must be retained for a minimum of 6 years (HMRC / Companies Act 2006)
- Ensure the Zoho organisation (ID:
20102609662, EU data centre) remains on an active paid plan — data access is suspended on plan lapse - Document all Zoho API credentials (Client ID, Client Secret, OAuth tokens) in the shared secrets manager
- In the event of a Zoho outage, operations revert to manual order processing until service is restored
Operational impact of outage: High — inventory visibility, order processing, and all connected hub integrations (Compliance Hub, E-commerce Hub, Recon Hub) are affected.
Xero — Financial System of Record
Xero holds all EXG financial transactions, invoices, and accounting records. It is the system of record for statutory reporting and audit purposes.
| Asset | Backup Method | Frequency | RTO | RPO |
|---|---|---|---|---|
| All Xero data | Xero platform backups (vendor-managed) | Continuous | Per Xero SLA | Per Xero SLA |
| Financial reports | Manual export of P&L, balance sheet, aged receivables/payables | Quarterly minimum | N/A | 90 days |
| Transaction data | Xero API export or CSV via dashboard | Monthly minimum | N/A | 30 days |
| OAuth token (Recon Hub) | Stored as environment variable on hosting platform | On change | Minutes | Re-authenticate |
EXG responsibilities:
- Retain quarterly exports of key financial reports (P&L, balance sheet) — saved to the designated SharePoint backup folder as an independent audit trail. Retain for a minimum of 6 years (Companies Act 2006 / HMRC)
- Retain monthly transaction data exports in SharePoint — minimum 6-year retention applies
- Ensure the Xero subscription remains active — historical data is inaccessible on plan lapse
- Document Xero OAuth credentials used by the Recon Hub in the shared secrets manager
- In the event of a Xero outage, financial reporting and reconciliation are suspended until service is restored; invoicing reverts to manual processes
Operational impact of outage: Medium — day-to-day operations continue but financial visibility and reconciliation (Recon Hub) are unavailable.
Other Third-Party Business Systems
(Shopify Plus, Amazon, Fathom, A2X)
These systems are managed by their respective vendors and include built-in data retention. EXG's responsibility is limited to:
- Maintaining valid API credentials and OAuth tokens documented in the shared secrets manager
- Retaining Shopify order exports periodically as an independent record
- Ensuring platform subscriptions remain active
Disaster Recovery Procedures
Scenario 1 — Static Hub Outage (Netlify)
Trigger: Netlify outage, failed deploy, or accidental deletion.
- Log in to the Netlify dashboard
- Navigate to the affected site → Deploys tab
- Click Publish deploy on the last known-good deployment
- If the repo is intact, trigger a fresh deploy from Git
Estimated RTO: 5–15 minutes
Scenario 2 — Full-Stack Hub Database Loss (Recon Hub / Intranet)
Trigger: Database corruption, accidental table drop, or provider failure.
- Identify the most recent clean backup (managed provider dashboard or
pg_dumpfile) - Provision a clean PostgreSQL instance if required
- Restore from backup:
psql $DATABASE_URL < backup.sql - Update
DATABASE_URLenvironment variable if the instance has changed - Redeploy the application
- Verify data integrity via the application UI
Estimated RTO: 2–4 hours | RPO: 24 hours (daily backup cadence)
With managed PITR: RTO ~30 minutes
Scenario 3 — Complete Environment Loss
Trigger: Hosting provider failure or accidental project deletion.
- Clone source code from Git repository
- Re-provision hosting on Netlify
- Restore all environment variables from the shared secrets manager
- For full-stack hubs: provision PostgreSQL and Redis, restore DB from backup
- Run
npm install && npm run buildfor each hub - Reconnect custom domains in Cloudflare DNS
Estimated RTO: 2–6 hours
Scenario 4 — Zoho or Xero Outage / Data Loss
Trigger: Vendor outage, account suspension, or data corruption within Zoho or Xero.
Zoho outage:
- Check Zoho status page for estimated resolution
- Operations revert to manual order processing using the most recent data export
- All connected hub integrations (Compliance, E-commerce, Recon) will be degraded — notify affected teams
- On restoration, verify inventory levels and reconcile any orders processed manually during the outage
Xero outage:
- Check Xero status page for estimated resolution
- Invoicing reverts to manual processes; reconciliation via Recon Hub is suspended
- On restoration, verify transaction data against the most recent export and re-run any affected reconciliations
Account suspension (either system):
- Resolve billing or compliance issue with vendor immediately
- Data remains accessible during a grace period (typically 30–60 days) — export all data immediately if suspension is unresolvable
- If migrating to a new provider, contact Lauren (lauren@exgpro.com) to re-map all API integrations
Estimated RTO: Dependent on vendor SLA (typically hours for outage; days for account issues)
Scenario 5 — Personal Data Breach
Trigger: Unauthorised access to, loss of, or destruction of personal data held by EXG — including employee records, customer order data, or financial records containing personal identifiers.
UK GDPR Article 33 requires notification to the ICO within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in risk to individuals' rights and freedoms). This clock starts when EXG becomes aware — not when the breach occurred.
Immediate response (within 1 hour):
- Contain the breach — revoke access, isolate affected systems, change compromised credentials
- Notify the Digital & Technology Director (Lauren Bath) immediately
- Log the time EXG became aware — this starts the 72-hour notification window
Assessment (within 6 hours): 4. Identify what personal data was affected, how many individuals, and the likely risk to those individuals 5. Determine whether the breach is notifiable to the ICO (any doubt — notify) 6. If high risk to individuals: prepare to notify affected data subjects directly
ICO notification (within 72 hours if notifiable): 7. Submit breach report via the ICO online portal: ico.org.uk/report-a-breach 8. Include: nature of breach, categories and approximate number of individuals affected, likely consequences, measures taken or proposed 9. If full details are not available within 72 hours, submit an initial notification and follow up — partial notification on time is acceptable
Data subject notification (if high risk): 10. Notify affected individuals without undue delay — describe the breach, likely consequences, and steps they should take to protect themselves 11. Contact details: lauren@exgpro.com for coordination
Post-breach: 12. Document the breach, assessment, and actions taken — retain records regardless of whether ICO notification was required (UK GDPR Article 33(5)) 13. Conduct a post-incident review within 5 business days to identify root cause and prevent recurrence
Key contact: ICO helpline — 0303 123 1113
Document Storage & Sensitive Files
Sensitive business documents — including contracts, legal agreements, HR records, and financial exports — are stored in Microsoft SharePoint, managed under the EXG Microsoft 365 tenancy. The full Microsoft 365 suite (Exchange, SharePoint, OneDrive, Teams, Azure AD) is managed by Xenace Ltd (0333 444 4402).
| Document Type | Storage Location | Access |
|---|---|---|
| Contracts & legal agreements | SharePoint — Legal folder | Management only |
| HR records & employment documents | SharePoint — HR folder | HR & Management only |
| Financial exports (Xero, Zoho) | SharePoint — Finance Backups folder | Finance & Management |
| Board materials | SharePoint — Board folder | Board & Management only |
| Brand assets | DASH (digital asset management) | All staff |
| Technical credentials | Shared secrets manager (1Password / Bitwarden) | Authorised personnel only |
Access control: SharePoint permissions are managed via Microsoft Azure AD groups, aligned with the same roles used across EXG systems (staff / manager / board). Access is reviewed when staff join or leave.
Why SharePoint:
- Access is controlled by the same Microsoft accounts used for EXG SSO (Azure AD)
- Built-in versioning and audit trail for all documents
- Available under the existing Microsoft 365 plan — no additional cost
- Data residency within the EU region
Data Security & Access Control
All EXG data — including backups, exports, and live system data — is stored on secure, managed infrastructure with access restricted to authorised personnel only.
| Data Location | Infrastructure | Access Control |
|---|---|---|
| PostgreSQL databases | Managed provider (Railway / Supabase / Render) — encrypted at rest and in transit | Authorised engineering team only, via provider dashboard and DATABASE_URL secret |
| Document exports & HR records | Microsoft SharePoint (EU region) | Azure AD group permissions — staff / manager / board roles |
| Financial exports (Zoho, Xero) | SharePoint — Finance Backups folder | Finance and management only |
| API credentials & secrets | Shared secrets manager (1Password / Bitwarden) | Authorised personnel only — access reviewed on staff change |
| Source code | Private Git repository | Engineering team only |
| Netlify / Vercel build artefacts | Netlify / Vercel platform — access via SSO | Lauren (Digital & Technology Director) — platform owner |
Access rights are reviewed whenever a team member joins, changes role, or leaves EXG. No backup or system data is stored on personal devices or unmanaged cloud storage.
Integration Architecture & Data Access
EXG systems do not grant any middleware, third-party tool, or external service direct access to EXG databases or file storage.
All data integrations operate on the following principles:
- OAuth 2.0 only — all system-to-system data flows (Zoho, Xero, Shopify) use OAuth 2.0 authenticated API calls. No service has direct database access.
- API keys are scoped — where OAuth is not available, API keys are issued with the minimum required scope and stored securely as environment variables. They are never embedded in source code or shared outside the secrets manager.
- No direct DB exposure — EXG databases (PostgreSQL) are not publicly accessible. Connection strings are stored as environment variables on the hosting platform and are never exposed to client-side code or third-party middleware.
- No passive data access — no middleware, connector, or third-party tool passively reads EXG data. Data is only retrieved when an authenticated API call is actively made by an authorised EXG system.
- Token rotation — OAuth tokens (e.g. Xero, Shopify) are rotated on expiry and stored in the secrets manager. Revoked tokens immediately terminate any associated data access.
If a new integration requires data access, it must be reviewed and approved by the Digital & Technology Director (lauren@exgpro.com) before credentials are issued.
Credentials & Secrets Management
- All API keys, OAuth credentials, and database URLs are stored as environment variables — never hardcoded in source code
- Credentials are documented in the shared secrets manager (1Password / Bitwarden)
- Access to credentials is restricted to authorised personnel only
- OAuth tokens (e.g. Xero) are rotated on expiry and stored securely
Responsibilities
| Role | Responsibility |
|---|---|
| Engineering lead | Maintain backup configuration, test recovery procedures annually |
| Operations | Ensure third-party system credentials are current and documented |
| Management | Review and approve this policy annually |
DRP Activation Checklist
Use this checklist when a disaster has been declared.
| # | Action | Owner |
|---|---|---|
| 1 | Receive and log notification of emergency event | ERT Lead / Xenace |
| 2 | Assemble Emergency Response Team | ERT Lead |
| 3 | Conduct damage assessment — systems, people, estimated duration | ERT + Xenace |
| 4 | Assign scenario (1, 2, or 3) and make disaster declaration decision | ERT Lead |
| 5 | If declaring: notify all department leads and Xenace | ERT Lead |
| 6 | Activate recovery procedures per scenario | Recovery Team + Xenace |
| 7 | Issue first staff update via Teams / email | ERT Lead |
| 8 | Monitor recovery progress; issue regular updates | Recovery Team |
| 9 | Once primary systems restored, issue all-clear and return-to-normal instructions | ERT Lead |
| 10 | Formally deactivate DRP; conduct post-incident review within 5 business days | ERT Lead |
Plan Testing & Maintenance
This DRP is reviewed and tested on an annual basis:
- Document review: Update to reflect organisational, infrastructure, or service changes — coordinated by Xenace
- Continuity test: Annual test of recovery procedures to identify gaps — scope agreed with ERT Lead before execution; test report generated
- Update responsibility: Xenace coordinates the review cycle; department owners maintain their sections
| Activity | Frequency | Next Due |
|---|---|---|
| Document review | Annual | April 2027 |
| Continuity test | Annual | April 2027 |
Review Schedule
This policy is reviewed annually or following any significant infrastructure change.
Next review due: March 2027
