ISMS Compliance
CyFun BasicProtect

PR.IP-4: Backup management

Backups of information are conducted, maintained, and tested

PROTECT | PR.IP-4 | Key Measure

Requirement

Backups for organisation's business-critical data shall be conducted and stored on a system different from the device on which the original data resides.

Our Implementation

Backups for business-critical data are managed through cloud provider capabilities:

  • Supabase (Critical): Automated daily backups with point-in-time recovery (PITR), hosted on AWS eu-central-1. Backups are stored on separate infrastructure from the primary database
  • GitHub (Critical): Source code is version-controlled with full history. Repository data is backed up by GitHub's infrastructure with geo-redundant storage
  • Vercel, Modal, Trigger.dev (High): Deployment history and configuration maintained by providers, enabling rollback to previous versions

All backup storage is on systems separate from the original data source, meeting the requirement for off-device backup storage.

Gaps / Planned improvements:

  • No documented backup strategy for Medium-criticality providers — Turso, Qdrant, Upstash (NEX-353)
  • No regular backup restoration testing performed (NEX-369, NEX-387)
  • Backup retention periods not formally defined (NEX-369)

Evidence

Implemented | L2 — Repeatable
