Register Owner: CTO and CISO
Effective Date: May 8, 2026
Reviewed: Annually with the BC/DR test cycle
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: Annually with the BC/DR test cycle
Next Review: May 8, 2027
SOC 2 scope. These RTO/RPO targets support the Availability (A1) criterion, which is deferred to the first subsequent SOC 2 Type II window (opening 2026-09-22) per the System Description §3; the initial window attests Security only. The targets are operational commitments today regardless of attestation timing.
Definitions
- Recovery Time Objective (RTO) — maximum acceptable time between the disruption and full restoration of service.
- Recovery Point Objective (RPO) — maximum acceptable data loss measured in time (e.g., last hour of writes).
Matrix
| System | Tier | RTO | RPO | Recovery procedure | Owner |
|---|---|---|---|---|---|
| Customer-facing SaaS — AWS-hosted services (production app + API on AWS) | Tier 1 | 4 hours | 15 minutes | Multi-AZ failover; restore from continuous backups in alternate AWS region within 4h. | CTO |
| Customer-facing SaaS — Vultr-hosted services (production compute on Vultr) | Tier 1 | 4 hours | 15 minutes | Failover to alternate Vultr region; cross-cloud failover to AWS for the same workload where the architecture supports it. | CTO |
| Production database (AWS — Aurora / RDS Postgres) | Tier 1 | 4 hours | 15 minutes | Point-in-time restore from automated AWS RDS backups; cross-region replica failover. | CTO |
| Production database (Vultr — Postgres) | Tier 1 | 4 hours | 15 minutes | Point-in-time restore from Postgres WAL archives; failover to a Postgres replica in an alternate Vultr region; logical-replication standby on AWS RDS available as cross-cloud DR. | CTO |
| Object storage — customer data on AWS S3 | Tier 1 | 4 hours | 1 hour | Cross-region replication with versioning; restore from replica. | CTO |
| Object storage — customer data on Vultr Object Storage | Tier 1 | 4 hours | 1 hour | Vultr Object Storage versioning; secondary copy replicated to AWS S3 (cross-cloud) where contractually required. | CTO |
| Authentication (Rippling SSO + AWS IAM Identity Center) | Tier 1 | 8 hours | 1 hour | Vendor-side failover (Rippling). Local break-glass IAM admin role for AWS, and break-glass root account for Vultr (held by CTO + CISO) for use during SSO outage. | CISO |
| Secrets management (HashiCorp Vault — self-hosted on Vultr) | Tier 1 | 4 hours | 15 minutes | Multi-region Vault HA cluster on Vultr (Raft-based replication across distinct Vultr regions); periodic encrypted Vault snapshots replicated to AWS S3 (Object Lock) so Vault state can be restored on alternate Vultr regions or stood up on AWS Cloud Compute as last-resort cross-cloud DR. Break-glass root token sealed in CISO + CTO Dashlane vaults. | CISO + CTO |
| Logging & monitoring (Better Stack) | Tier 2 | 24 hours | 1 hour | Vendor-side. Local CloudWatch fallback for production-critical alerts. | CISO |
| Source control / CI (GitHub, GitHub Actions) | Tier 2 | 24 hours | 24 hours | Vendor-side. Mirrors of master are pushed to S3 nightly for code recovery. | CTO |
| Email / collaboration (Microsoft 365) | Tier 2 | 24 hours | 24 hours | Vendor-side. Out-of-band channels (cell, alternate email) per Key Contacts. | CISO |
| Issue tracker (Linear) | Tier 2 | 48 hours | 24 hours | Vendor-side. Active incidents tracked out-of-band in #security-incidents Slack during outage. | CTO |
| Password manager (Dashlane) | Tier 2 | 8 hours | 24 hours | Vendor-side. Break-glass credentials sealed in CISO + CTO vaults. | CISO |
| Helpdesk / support tooling | Tier 3 | 5 business days | 24 hours | Manual queue from helpdesk@ until restored. | CISO |
| Marketing site / public docs | Tier 3 | 5 business days | 24 hours | Vendor-side (Mintlify); rebuild from neuroscale/compliance-docs. | CTO |
Tiering rationale
| Tier | Definition | Examples |
|---|---|---|
| Tier 1 | Loss of service directly impacts customers’ ability to use Neuroscale products or breaches a contractual SLA. | Production app, production DB, customer object storage. |
| Tier 2 | Loss of service blocks Neuroscale’s internal ability to operate, secure, or support production. | SSO, logging, source control, collaboration. |
| Tier 3 | Loss of service is inconvenient but not customer-impacting and not security-critical short-term. | Marketing site, internal helpdesk tooling. |
Test cadence
- Annual end-to-end DR test including Tier 1 backup-restore — see Compliance Calendar.
- Quarterly spot-check of one Tier-2 recovery path.
- Per incident that exercises any recovery procedure — results recorded in the IR ticket and used to refine this matrix.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |