| Customer-facing SaaS — AWS-hosted services (production app + API on AWS) | Tier 1 | 4 hours | 15 minutes | Multi-AZ failover; restore from continuous backups in alternate AWS region within 4h. | CTO |
| Customer-facing SaaS — Vultr-hosted services (production compute on Vultr) | Tier 1 | 4 hours | 15 minutes | Failover to alternate Vultr region; cross-cloud failover to AWS for the same workload where the architecture supports it. | CTO |
| Production database (AWS — Aurora / RDS Postgres) | Tier 1 | 4 hours | 15 minutes | Point-in-time restore from automated AWS RDS backups; cross-region replica failover. | CTO |
| Production database (Vultr — Postgres) | Tier 1 | 4 hours | 15 minutes | Point-in-time restore from Postgres WAL archives; failover to a Postgres replica in an alternate Vultr region; logical-replication standby on AWS RDS available as cross-cloud DR. | CTO |
| Object storage — customer data on AWS S3 | Tier 1 | 4 hours | 1 hour | Cross-region replication with versioning; restore from replica. | CTO |
| Object storage — customer data on Vultr Object Storage | Tier 1 | 4 hours | 1 hour | Vultr Object Storage versioning; secondary copy replicated to AWS S3 (cross-cloud) where contractually required. | CTO |
| Authentication (Rippling SSO + AWS IAM Identity Center) | Tier 1 | 8 hours | 1 hour | Vendor-side failover (Rippling). Local break-glass IAM admin role for AWS, and break-glass root account for Vultr (held by CTO + CISO) for use during SSO outage. | CISO |
| Secrets management (HashiCorp Vault — self-hosted on Vultr) | Tier 1 | 4 hours | 15 minutes | Multi-region Vault HA cluster on Vultr (Raft-based replication across distinct Vultr regions); periodic encrypted Vault snapshots replicated to AWS S3 (Object Lock) so Vault state can be restored on alternate Vultr regions or stood up on AWS Cloud Compute as last-resort cross-cloud DR. Break-glass root token sealed in CISO + CTO Dashlane vaults. | CISO + CTO |
| Logging & monitoring (Better Stack) | Tier 2 | 24 hours | 1 hour | Vendor-side. Local CloudWatch fallback for production-critical alerts. | CISO |
| Source control / CI (GitHub, GitHub Actions) | Tier 2 | 24 hours | 24 hours | Vendor-side. Mirrors of master are pushed to S3 nightly for code recovery. | CTO |
| Email / collaboration (Microsoft 365) | Tier 2 | 24 hours | 24 hours | Vendor-side. Out-of-band channels (cell, alternate email) per Key Contacts. | CISO |
| Issue tracker (Linear) | Tier 2 | 48 hours | 24 hours | Vendor-side. Active incidents tracked out-of-band in #security-incidents Slack during outage. | CTO |
| Password manager (Dashlane) | Tier 2 | 8 hours | 24 hours | Vendor-side. Break-glass credentials sealed in CISO + CTO vaults. | CISO |
| Helpdesk / support tooling | Tier 3 | 5 business days | 24 hours | Manual queue from helpdesk@ until restored. | CISO |
| Marketing site / public docs | Tier 3 | 5 business days | 24 hours | Vendor-side (Mintlify); rebuild from neuroscale/compliance-docs. | CTO |
