
Backup & Data Retention Policy

Formal policy governing Propeter's data backup schedules, recovery objectives, residency requirements, retention rules, and client data export procedures.

Document Version: v2.1
Effective Date: 1 March 2026
Policy Owner: CISO, Propeter
Review Cycle: Annual
Section 01: Scope

Covered by This Policy

  • All production PostgreSQL RDS database instances (primary and read replicas) across all AWS regions
  • All Redis ElastiCache clusters used in production environments
  • All S3 buckets containing client-generated data, uploaded files, and system-generated reports
  • AWS Parameter Store values and Secrets Manager secrets used in production
  • CloudWatch Log Groups for audit trails, application logs, and security events
  • Infrastructure-as-code state files (Terraform state in S3)
  • Container image registry (ECR) for all active production images

Excluded from This Policy

  • Development and staging environment data (subject to a separate, lower-grade backup schedule)
  • Ephemeral cache data that is regenerated on demand (e.g., computed rate suggestions held in memory)
  • Local developer workstation data
  • Third-party sub-processor data held within their own systems (e.g., Twilio call logs within Twilio's infrastructure)
  • Publicly available data cached by the Market Intelligence Agent (sourced from public OTA listings)

Policy Authority: This policy is owned by the CISO and approved by the Propeter Board. Any exceptions must be documented, risk-assessed, and approved by the CISO in writing. No informal exceptions are permitted.

Section 02: Backup Schedule

The following entries define the backup method, frequency, retention period, DR replication and encryption for each in-scope data system:

PostgreSQL RDS (Primary)
  • Method: continuous WAL streaming plus automated snapshots
  • Frequency: WAL continuous; snapshots hourly
  • Retention: 30 days (snapshots); 7 days (WAL, for PITR)
  • DR replication: India, Mumbai → Singapore; EU, Dublin → Frankfurt; AU, Sydney → Singapore; US, N. Virginia → Oregon (region mapping per Section 05)
  • Encryption: AES-256, CMK per region

PostgreSQL RDS (Read Replica)
  • Method: streaming replication from the primary; snapshots
  • Frequency: continuous replication; daily snapshot
  • Retention: 7 days (replica snapshots)
  • DR replication: in-region only; DR is covered by replication of the primary
  • Encryption: AES-256, same CMK as the primary

Redis ElastiCache
  • Method: RDB snapshot (point-in-time dump)
  • Frequency: hourly
  • Retention: 7 days
  • DR replication: none cross-region (the cache is rebuildable from the database)
  • Encryption: AES-256 at rest

S3 Object Storage
  • Method: versioning enabled; S3 Cross-Region Replication (CRR)
  • Frequency: a new version on every write; CRR near-real-time (under 15 minutes)
  • Retention: 90-day version retention; Glacier after 180 days
  • DR replication: same region mapping as RDS above
  • Encryption: SSE-KMS, CMK per region

AWS Secrets Manager
  • Method: automatic versioning on every rotation or update
  • Frequency: a version retained on every change
  • Retention: indefinite (all versions retained)
  • DR replication: manual replication to the DR region
  • Encryption: Secrets Manager KMS-encrypted

AWS Parameter Store
  • Method: versioning enabled (all value history retained)
  • Frequency: a version retained on every change
  • Retention: indefinite
  • DR replication: replicated to the DR region via Terraform
  • Encryption: SecureString with KMS

CloudWatch Logs (Audit)
  • Method: log streams exported to S3 (automated daily)
  • Frequency: daily export to S3; active in CloudWatch for 90 days
  • Retention: CloudWatch 90 days; S3 Standard 365 days; S3 Glacier a further 6 years
  • DR replication: S3 CRR applies to the log archive bucket
  • Encryption: S3 SSE-KMS

Terraform State
  • Method: S3 versioning, with a DynamoDB table for state locking
  • Frequency: a version on every apply
  • Retention: all versions retained; 30-day S3 lifecycle transition to Glacier Instant Retrieval
  • DR replication: S3 CRR to the DR region
  • Encryption: SSE-KMS

Point-in-Time Recovery (PITR): PostgreSQL RDS supports PITR to any second within the 7-day WAL retention window (Section 02), up to the latest restorable time that RDS reports, which normally trails the present by a few minutes because it depends on the last archived transaction log. In a data corruption event Propeter can therefore restore to just before the corrupting transaction rather than to the nearest hourly snapshot. This is Propeter's primary recovery mechanism for database incidents. Note that a PITR restore always produces a new instance; the restored instance must be verified and the application re-pointed to it (or the affected data copied back) before the incident is closed.

Section 03: Recovery Objectives

Propeter defines recovery objectives at two levels: platform-wide commitments, and per-service-tier commitments for the most critical components.

Platform-Wide Commitments

  • RPO (Recovery Point Objective), 1 hour: in the worst-case disaster scenario Propeter commits to a maximum data loss of 1 hour. In practice, continuous WAL streaming means loss is typically measured in seconds to minutes.
  • RTO (Recovery Time Objective), 4 hours: Propeter commits to restoring full platform service within 4 hours of a declared disaster. This includes DR failover, health verification, and client communication.

These platform-wide figures are the baseline; the per-tier objectives below take precedence for the services they name (tighter for Tier 1, looser for Tier 3).

Tier 1, Mission Critical: Revenue Engine & Rate API
  • RPO: 15 minutes
  • RTO: 1 hour
  • Includes: AI rate recommendation engine, rate push to OTA/channel manager, PMS sync service, booking ingestion webhook processor

Tier 2, High Priority: Dashboard & Reporting
  • RPO: 1 hour
  • RTO: 4 hours
  • Includes: web application (React dashboard), user authentication, property configuration, real-time occupancy display, revenue reports

Tier 3, Standard Priority: Analytics & Historical Data
  • RPO: 24 hours
  • RTO: 24 hours
  • Includes: historical booking analytics, long-term forecast trend data, marketing analytics integration, Xero accounting sync

Why differentiated tiers? Revenue Engine downtime has an immediate, measurable financial impact on hotel clients (rates freeze at last pushed value, OTA availability may show incorrectly). Dashboard downtime, while disruptive, does not affect live rate distribution. This tiering ensures engineering effort in a crisis is applied where it matters most.

Section 04: Backup Verification

A backup that has never been tested is not a backup — it is a hope. Propeter runs a structured backup verification programme to ensure every backup can actually be restored.

Weekly Automated Restore Test

  • Runs every Sunday 2:00–4:00 AM IST (within maintenance window)
  • Randomly selects one RDS snapshot and one S3 backup set from the prior 7 days
  • Restores into an isolated, non-production VPC (no production data interaction)
  • Automated data integrity check: row count validation + checksum comparison
  • Results logged to CloudWatch; any failure triggers PagerDuty alert to CISO within 15 minutes
  • Test environment destroyed after verification (no persistent cost)
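The integrity check in the weekly test compares row counts and content checksums between the source and the restored copy. The script below is an added example of how such a check can be written; it is not Propeter's own tooling. It uses two in-memory SQLite databases as stand-ins for the production instance and the restore in the isolated VPC, so it runs offline; the table names, columns and rows are constructed sample data. The fingerprint is order-independent (each row is hashed, the row digests are sorted, then folded into one digest), because a restore does not preserve physical row order, and it distinguishes a missing row from a silently altered one.

```python
"""Restore integrity check: per-table row count plus an order-independent content
checksum, computed on the source and on the restored copy, then compared.

Added example, not Propeter's tooling. sqlite3 stands in for PostgreSQL so the
script runs offline; `SELECT * FROM <table>` is the same on psycopg2/PostgreSQL.
Source and restore must be fingerprinted through the same driver, since the
canonical form below relies on str() of each column value.
"""
import hashlib
import sqlite3
from typing import Dict, Iterable, List, Tuple

Manifest = Dict[str, Tuple[int, str]]   # table -> (row_count, hex digest)


def table_fingerprint(conn: sqlite3.Connection, table: str) -> Tuple[int, str]:
    """Hash every row, sort the row digests, fold them into one table digest."""
    # The identifier is quoted, not parameterised: only pass names from your manifest.
    cur = conn.execute(f'SELECT * FROM "{table}"')
    row_digests = []
    for row in cur:
        # NULL is encoded distinctly from the empty string; 0x1f separates columns.
        canon = "\x1f".join("\\N" if v is None else str(v) for v in row)
        row_digests.append(hashlib.sha256(canon.encode("utf-8")).digest())
    row_digests.sort()                       # makes the result independent of row order
    h = hashlib.sha256()
    for d in row_digests:
        h.update(d)
    return len(row_digests), h.hexdigest()


def build_manifest(conn: sqlite3.Connection, tables: Iterable[str]) -> Manifest:
    return {t: table_fingerprint(conn, t) for t in tables}


def compare_manifests(source: Manifest, restored: Manifest) -> List[str]:
    """Return findings; an empty list means the restore verified."""
    findings = []
    for table, (src_count, src_digest) in source.items():
        if table not in restored:
            findings.append(f"{table}: missing from restored database")
            continue
        rst_count, rst_digest = restored[table]
        if src_count != rst_count:
            findings.append(f"{table}: row count {rst_count} != source {src_count}")
        elif src_digest != rst_digest:
            findings.append(f"{table}: row count matches but content checksum differs")
    for table in restored:
        if table not in source:
            findings.append(f"{table}: present in restore but absent from source manifest")
    return findings


# --- constructed sample data (not real Propeter records) ----------------------
SCHEMA = """
CREATE TABLE bookings (id INTEGER, property TEXT, rate_cents INTEGER, guest_email TEXT);
CREATE TABLE rate_history (id INTEGER, property TEXT, pushed_at TEXT, rate_cents INTEGER);
"""
BOOKINGS = [(1, "hotel-a", 12000, "a@example.com"),
            (2, "hotel-a", 9900, None),
            (3, "hotel-b", 15000, "c@example.com")]
RATES = [(1, "hotel-a", "2026-03-01T10:00:00Z", 12000),
         (2, "hotel-b", "2026-03-01T10:05:00Z", 15000)]


def make_db(bookings, rates, reverse_order: bool = False) -> sqlite3.Connection:
    """Build a database; reverse_order simulates a restore with different heap order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = list(reversed(bookings)) if reverse_order else list(bookings)
    conn.executemany("INSERT INTO bookings VALUES (?,?,?,?)", rows)
    conn.executemany("INSERT INTO rate_history VALUES (?,?,?,?)", list(rates))
    return conn


def run_check(restored_bookings, restored_rates) -> List[str]:
    """Fingerprint the source and a restored copy, return the findings."""
    tables = ["bookings", "rate_history"]
    source = build_manifest(make_db(BOOKINGS, RATES), tables)
    restored = build_manifest(make_db(restored_bookings, restored_rates, True), tables)
    return compare_manifests(source, restored)


if __name__ == "__main__":
    print("clean restore:", run_check(BOOKINGS, RATES) or "OK")
    print("missing row:", run_check(BOOKINGS[:-1], RATES))
    corrupted = [BOOKINGS[0], (2, "hotel-a", 9901, None), BOOKINGS[2]]
    print("silent corruption:", run_check(corrupted, RATES))
```

In the weekly job the source manifest would be captured at snapshot time and stored alongside the test record, so that the comparison does not have to touch production during the maintenance window; a non-empty findings list is what raises the PagerDuty alert described above.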

Quarterly Full Restore Drill

  • Conducted within the first 14 days of each quarter
  • Full restore of all Tier 1 services from DR region backups
  • Simulates complete primary region loss: restores database, application, and configuration
  • Measures actual RTO achieved and compares against committed RTO
  • Results reviewed in CISO-led meeting with Infrastructure and Engineering leads
  • Findings documented; any gap versus committed RTO triggers remediation plan

Failure Response Protocol

  • Any automated test failure: immediate investigation by on-call Infrastructure Engineer
  • Backup failure must be resolved within 24 hours (classified as P2 incident)
  • If root cause cannot be resolved within 24 hours: CISO notified, risk assessment conducted, clients notified if backup gap exceeds 48 hours
  • Recurring failures (2+ in 30 days): mandatory architecture review by CTO and CISO

Verification Records

  • All test results stored in a dedicated audit log (immutable, 3-year retention)
  • Monthly summary report generated and reviewed by CISO
  • Annual summary included in ISO 27001 ISMS review
  • Enterprise clients may request verification records as part of vendor due diligence (under NDA)

Section 05: Data Residency

Propeter enforces strict data residency — client data is processed and stored in the geographic region assigned to the client's account, and DR replication stays within acceptable regional boundaries for each jurisdiction.

🇮🇳 India Clients

Primary ap-south-1 (Mumbai)
DR Region → ap-southeast-1 (Singapore)

DPDP Act 2023 compliance: the Act permits cross-border transfer of personal data except to countries or territories that the Central Government notifies as restricted (Section 16); Singapore is not a restricted destination, so personal data of Indian data principals may be replicated there. Backup replication uses encrypted channels and a KMS CMK available in both regions.

🇪🇺 EU / UK Clients

Primary eu-west-1 (Dublin, Ireland)
DR Region → eu-central-1 (Frankfurt, Germany)

GDPR compliance: all EU/UK personal data is stored within the EEA. Dublin (Ireland) and Frankfurt (Germany) are both EEA member state regions, so EU client data is never transferred outside the EEA. UK client data: transfers from the UK to EEA countries are covered by the UK's adequacy regulations for the EEA, so storage in Dublin or Frankfurt needs no additional transfer safeguard.

🇦🇺 Australia Clients

Primary ap-southeast-2 (Sydney)
DR Region → ap-southeast-1 (Singapore)

Australian Privacy Act (APPs) compliance: cross-border disclosure to Singapore is covered by Propeter's Standard Contractual Clauses, which give effect to APP 8 (the reasonable steps an APP entity must take to ensure an overseas recipient does not breach the APPs). Propeter remains accountable for the Singapore sub-processor's handling of the data, per APP 8.1.

🇺🇸 USA Clients

Primary us-east-1 (N. Virginia)
DR Region → us-west-2 (Oregon)

All US client data remains within the continental United States. Both regions are within the US jurisdiction. CCPA/CPRA compliance governed by privacy policy and DPA. No US client data is replicated to non-US regions.

Section 06: Backup Access Controls

Access to production backups is one of the most sensitive privileges in Propeter's access control model. The following controls apply:

Role: CISO
  • View backup list: ✓
  • Initiate restore: ✓ (JIT)
  • Access restored data: ✓ (JIT + dual auth)
  • Delete backup: ✓ (dual auth required)

Role: Infrastructure Lead
  • View backup list: ✓
  • Initiate restore: ✓ (JIT)
  • Access restored data: ✓ (JIT + CISO approval)
  • Delete backup: ✗

Role: Infrastructure Engineer
  • View backup list: ✓
  • Initiate restore: ✗ (approval required)
  • Access restored data: ✗
  • Delete backup: ✗

Role: Application Developer
  • View backup list: ✗
  • Initiate restore: ✗
  • Access restored data: ✗
  • Delete backup: ✗

Role: Customer Success Team
  • View backup list: ✗
  • Initiate restore: ✗
  • Access restored data: ✗
  • Delete backup: ✗

Role: Hotel Client (Admin)
  • View backup list: ✗
  • Initiate restore: ✗
  • Access restored data: ✗ (self-service export only)
  • Delete backup: ✗

  • MFA required: All backup access requires MFA-authenticated session (TOTP or FIDO2)
  • All access logged: Every backup access event is logged to immutable CloudTrail with: requester identity, justification note, timestamp, source IP, and outcome
  • Justification mandatory: Backup access requests must include a written justification (linked to incident ticket or scheduled maintenance window)
  • Time-limited access: JIT sessions for backup access expire after 2 hours; extension requires re-approval
  • No developer access: Application developers have zero access to any production backup data. Development uses synthetic or anonymised datasets only.

Section 07: Retention and Deletion

Standard Retention Periods

  • Database snapshots: 30 days from creation
  • S3 object versions: 90 days (then Glacier Instant Retrieval)
  • Audit logs (CloudWatch): 90 days active, then S3 for 365 days, then Glacier for 6 years
  • Redis snapshots: 7 days
  • Security incident forensic data: 7 years minimum
  • Payment-related records: 7 years (financial services regulatory requirement)

Legal Hold

  • Legal hold overrides standard retention and prevents deletion of specified data sets
  • Legal hold is applied by CISO on instruction from Propeter's legal counsel
  • S3 Object Lock (WORM) is used to make data under legal hold immutable. Note that Object Lock offers two distinct mechanisms and they differ in who can lift them: the legal-hold flag has no expiry but can be cleared by any principal granted s3:PutObjectLegalHold, so that permission must be confined to the CISO's hold-management role; a compliance-mode retention period cannot be shortened or removed by any principal, the account root user included, but it requires a retain-until date, which can only be extended. A hold that must withstand a Propeter employee with S3 permissions therefore relies on compliance-mode retention rather than the flag alone.
  • Legal hold duration: per legal instruction; no automatic expiry
  • Clients are notified if their data is subject to a legal hold that prevents deletion upon contract end

Post-Contract Deletion

  • Upon contract termination: client data purged from live systems within 30 days
  • Backup data purged within 90 days of contract end (aligns with backup retention window)
  • After 90 days: no Propeter system retains client data, except items under legal hold or required by law (e.g., financial records)
  • Deletion is cryptographic: the KMS CMK scoped to the client is scheduled for deletion, after which every object and snapshot encrypted under it is permanently unreadable. Two caveats apply: KMS enforces a pending-deletion waiting period of 7 to 30 days before the key material is destroyed, and cryptographic deletion covers only data encrypted under that client-scoped key. Client records held in shared stores under the per-region CMKs listed in Section 02 are removed by the live-system and backup purges above.
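The cryptographic deletion step depends on a key hierarchy: each object is encrypted under its own data key, the data key is wrapped by the client's CMK, and destroying the CMK makes every wrapped key, and so every object, unrecoverable even though the ciphertexts remain in backups. The script below is an added example of that hierarchy and is not Propeter's code. AWS KMS is replaced by an in-memory key store and AES-GCM by a small HMAC-SHA256 counter-mode cipher with an HMAC tag, so it runs with the Python standard library only; the key IDs and the records are constructed. It also shows the limit noted above: a record encrypted under a shared per-region key survives deletion of the client's key.

```python
"""Cryptographic deletion (crypto-shredding) with envelope encryption.

Added example, not Propeter's code. KeyStore stands in for KMS and seal/unseal
(HMAC-SHA256 keystream plus an HMAC tag) stand in for AES-GCM; the point is the
key hierarchy, not the cipher. Key IDs and record contents are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class KeyDeleted(Exception):
    """Raised when a CMK is gone: nothing wrapped under it can ever be unwrapped."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Wire format: 16-byte nonce || 32-byte tag || ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    """Stand-in for KMS: CMK material never leaves here, data keys leave wrapped."""

    def __init__(self) -> None:
        self._cmks: Dict[str, bytes] = {}

    def create_key(self, key_id: str) -> str:
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str) -> Tuple[bytes, bytes]:
        """Like kms:GenerateDataKey: (plaintext DEK, DEK wrapped under the CMK)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._material(key_id), dek)

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        """Like kms:Decrypt applied to a wrapped data key."""
        return unseal(self._material(key_id), wrapped)

    def schedule_key_deletion(self, key_id: str) -> None:
        """Real KMS waits 7 to 30 days first; the end state is the same: material gone."""
        del self._cmks[key_id]

    def _material(self, key_id: str) -> bytes:
        if key_id not in self._cmks:
            raise KeyDeleted(key_id)
        return self._cmks[key_id]


def encrypt_record(kms: KeyStore, key_id: str, plaintext: bytes) -> dict:
    """Envelope-encrypt one backup object under a fresh DEK wrapped by key_id."""
    dek, wrapped = kms.generate_data_key(key_id)
    return {"key_id": key_id, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def decrypt_record(kms: KeyStore, rec: dict) -> bytes:
    dek = kms.decrypt_data_key(rec["key_id"], rec["wrapped_dek"])
    return unseal(dek, rec["ciphertext"])


def shred_scenario() -> List[Optional[bytes]]:
    """Delete one client's CMK, then try to read every backup object that remains.

    Returns the recovered plaintext per object, or None where recovery is impossible.
    """
    kms = KeyStore()
    kms.create_key("cmk-client-hotel-a")      # client-scoped key (assumed naming)
    kms.create_key("cmk-region-ap-south-1")   # shared per-region key, as in Section 02
    backups = [
        encrypt_record(kms, "cmk-client-hotel-a", b"hotel-a booking #1"),
        encrypt_record(kms, "cmk-region-ap-south-1", b"hotel-a rate row in shared snapshot"),
        encrypt_record(kms, "cmk-region-ap-south-1", b"hotel-b booking #7"),
    ]
    # Contract ends for hotel-a: ciphertexts and wrapped DEKs stay in backups, only the CMK goes.
    kms.schedule_key_deletion("cmk-client-hotel-a")
    results: List[Optional[bytes]] = []
    for rec in backups:
        try:
            results.append(decrypt_record(kms, rec))
        except KeyDeleted:
            results.append(None)
    return results


if __name__ == "__main__":
    for outcome in shred_scenario():
        print("UNRECOVERABLE" if outcome is None else outcome.decode())
```

The second record is the case a deletion certificate has to account for: it is hotel-a's data, but because it was encrypted under the shared regional key it is still readable after hotel-a's CMK is gone and must be removed by the ordinary purge of live records and backup objects.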

Deletion Certificate

  • Available on request for Enterprise clients
  • Issued within 30 days of confirmed data deletion
  • Signed by CISO and Infrastructure Lead
  • Covers: confirmation of scope deleted, deletion method, date completed, and any exceptions (e.g., items under legal hold)
  • Provided in PDF format with Propeter letterhead and signatory details

Irreversibility: once the 90-day post-contract deletion window has passed and the KMS CMK is confirmed destroyed (after the KMS pending-deletion period has elapsed), client data cannot be recovered by Propeter. Clients are strongly advised to export all required data before contract termination using the self-service export feature.

Section 08: Client Data Export

Propeter believes clients own their data. The following export mechanisms are available:

Self-Service Export (All Plans)

  • Available from the Propeter dashboard → Settings → Data Export
  • Export formats: CSV, JSON, Excel (.xlsx)
  • Data sets available for export: booking history, rate change history, forecast data, revenue reports, property configuration
  • Export range: configurable (last 30 days, last 12 months, all time)
  • Post-cancellation: self-service export window remains open for 30 days after contract end
  • Large exports: prepared asynchronously and delivered via secure download link (24-hour expiry)

Assisted Export (Enterprise Plan)

  • Full database extract in structured format (PostgreSQL dump or Parquet)
  • Includes all historical data, AI model outputs, and audit trails
  • Delivered via secure S3 presigned URL (72-hour expiry) or SFTP
  • SLA: 5 business days from confirmed request
  • Encryption: client-provided PGP public key used to encrypt export package
  • Available at any time during contract, and for 60 days post-contract termination

Data Portability Commitment: Propeter will never hold client data hostage. If a client switches to a competing system, Propeter will provide a full data export in a machine-readable format within 5 business days of request, at no additional cost, regardless of plan.