Purpose and Scope
The purpose of this policy is to define procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incidents that protect Service Provider's ("Shuffl") information systems, networks, data, databases and other information assets.
The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO). Additional policies/guidelines governing specific Disaster Recovery activities can be created and invoked separately.
This policy includes all resources and processes necessary for service and data recovery, and covers all information security aspects of business continuity management.
This policy applies to all management, employees, third-parties, and suppliers that are involved in the recovery of IT infrastructure and services within Shuffl. This policy must be made readily available to all whom it applies to.
Background
This policy defines the overall disaster recovery strategy for Shuffl. The strategy describes the organization’s Recovery Time Objective (RTO), which is defined as the duration of time and service level for critical business processes to be restored after a disaster or other disruptive event, as well as the procedures, responsibility and technical guidance required to meet the RTO. This policy also lists the contact information for personnel and service providers that may be needed during a disaster recovery event.
The following conditions must be met for this plan to be viable:
All equipment, software and data (or their backups/failovers) are available in some manner.
The Managing Partner or Chief Technology Officer is responsible for coordinating and conducting a bi-annual (at least) rehearsal of this continuity plan to incorporate change in Shuffl's situation, if any.
This plan does not cover the following types of incidents:
Incidents that affect customers or partners but have no effect on the organization’s systems; in this case, the customer must employ their own continuity processes to make sure that they can continue to interact with the organization and its systems.
Incidents that affect cloud infrastructure suppliers at the core infrastructure level, including but not limited to Slack, Stripe, and Amazon Web Services. The organization depends on such suppliers to employ their own continuity processes.
Policy
Critical Services, Key Tasks and, Service Level Agreements (SLAs)
For all SLAs described in this Policy, these supersede and apply directly for Shuffl Pro and Shuffl Enterprise customers beyond our Terms.
The following services and technologies are considered to be critical for business operations, and must immediately be restored (in priority order):
Amazon Web Services
Slack APIs.
Shuffl Program Portal (web application)
Service Provider Requirements
Service Provider responsibilities and/or requirements in support of this Agreement include: Meeting response times associated with service-related incidents.
Recovery Time Objective (RTO) < 60 min
The duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
Recovery Point Objective (RPO) < 45 min
The interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”
Appropriate notification to Customer for all scheduled maintenance.
Service Assumptions Assumptions related to in-scope services and/or components include: Changes to services will be communicated and documented to all stakeholders.
Live tracking of service-related incidents is available at https://shuffl.statuspage.io.
Service Management
Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components.
Service Availability
Coverage parameters specific to the service(s) covered in this Agreement for our paying customers are as follows:
Live support : 7:00 A.M. to 5:00 P.M. PST Monday – Friday
Email support: 7:00 A.M. to 5:00 P.M. PST Monday – Friday
Emails received outside of office hours will be collected, however, no action can be guaranteed until the next business day.
Service Requests
In support of services outlined in this Agreement, the Service Provider will respond to service-related incidents and/or requests submitted by the Customer within the following time frames:
0-8 hours (during business hours) for issues classified as High priority.
Within 24-36 hours for issues classified as Medium priority.
Within 5 business days for issues classified as Low priority.
Remote assistance will be provided in-line with the above timescales dependent on the priority of the support request.
Notification of Plan Initiation
The following personnel must be notified when this plan is initiated:
Matthew Lee, Managing Partner for Business Operations
Chris Watts, Managing Partner for Technical Operations is responsible for leading the initiation and notifying the personnel listed above.
Plan Deactivation
This plan must only be deactivated by the Managing Partner or Chief Technology Officer
In order for this plan to be deactivated, all critical service and technology tasks as detailed above must be fully completed and/or restored.
If Shuffl is still operating in an impaired scenario, the plan may still be kept active at the discretion of either Managing Partner.
The following personnel must be notified when this plan is deactivated: Managing Partner for Business Operations
Shuffl must endeavor to restore its normal level of business operations as soon as possible.
Standard Controls Satisfied
TSC A1.2, A1.3