Security Q and A

Business Continuity & Disaster Recovery Plan (BCP / DRP)

1. Purpose & Objectives

This plan ensures that critical Shopspray services remain available or are rapidly restored following disruptive incidents.

Objectives:

Protect customer operations (Punchout & B2B commerce workflows)

Minimize downtime and data loss

Maintain trust with enterprise customers

Enable fast, controlled recovery from incidents

2. Scope

This plan covers:

Production Shopspray Punchout platform

Customer integrations with Punchout Core and/or Punchout Pilot product variants

Infrastructure & cloud services

Internal operations & key personnel

Third-party dependencies

Out of scope:

Customer-owned infrastructure beyond defined integration points

3. Business Impact Analysis (BIA)

3.1 Critical Business Functions

Function	Description	RTO	RPO
Punchout Transactions	Buyer-to-supplier procurement flows	≤ 4 hours	≤ 15 min
API & Integration Layer	ERP / eCommerce synchronization	≤ 4 hours	≤ 15 min
Admin & Monitoring Tools	Support & incident handling	≤ 8 hours	≤ 1 hour
Customer Support	Incident communication & resolution	≤ 2 hours	N/A

Definitions:

RTO (Recovery Time Objective): Max acceptable downtime

RPO (Recovery Point Objective): Max acceptable data loss

4. Risk Assessment

4.1 Identified Risks

Risk	Likelihood	Impact	Mitigation
Cloud outage (region-level)	Medium	High	Multi-AZ, backups
Cyberattack (DDoS, breach)	Medium	High	WAF, IAM, monitoring
Data corruption	Low	High	Automated backups
Third-party API failure	Medium	Medium	Retry logic, queuing
Key personnel unavailability	Low	Medium	Documentation, redundancy

5. Business Continuity Plan (BCP)

5.1 Incident Response Structure

Incident Manager:

Owns incident coordination

Authorizes escalation and communication

Technical Lead:

Diagnoses root cause

Executes recovery steps

Customer Communication Lead:

Updates customers

Manages status page & direct outreach

5.2 Incident Classification

Severity	Description	Example
SEV-1	Full service outage	Punchout unavailable
SEV-2	Partial degradation	Slow API responses
SEV-3	Minor impact	Admin UI issue

5.3 Communication Plan

Internal:

Slack / Teams incident channel

Incident timeline & decisions logged

External:

Status page updates

Direct notification to affected customers

Post-incident report within 5 business days (SEV-1)

5.4 Workforce Continuity

Remote-first capability

Access via secured VPN / SSO

Documented runbooks for all critical systems

Minimum two trained owners per core system

6. Disaster Recovery Plan (DRP)

6.1 Architecture Principles

Cloud-based infrastructure

High availability across multiple availability zones

Stateless application services

Encrypted data storage

Infrastructure-as-Code (IaC)

6.2 Backup Strategy

Asset	Frequency	Retention	Storage
Databases	Continuous + daily snapshots	30–90 days	Separate region
Configuration & Secrets	On change	90 days	Encrypted vault
Logs	Real-time	30 days	Centralized logging

Backups are:

Automated

Encrypted at rest and in transit

Regularly tested

6.3 Disaster Scenarios & Recovery

Scenario 1: Primary Cloud Region Failure

Failover to secondary region

Restore latest validated backups

DNS switch

Expected recovery: ≤ 4 hours

Scenario 2: Data Corruption or Deletion

Identify last known good snapshot

Restore affected services

Validate data integrity

Expected recovery: ≤ 2 hours

Scenario 3: Security Breach

Isolate affected systems

Rotate credentials & keys

Restore clean environment

Notify customers if required (GDPR)

6.4 Recovery Validation

Automated smoke tests

API health checks

Key customer integration verification

Sign-off by Incident Manager

7. Third-Party & Vendor Management

Shopspray relies on:

Cloud infrastructure providers

Monitoring & logging services

Authentication & identity providers

Controls:

Vendor SLAs reviewed annually

Security & compliance alignment

Exit strategies documented for critical vendors

8. Compliance & Data Protection

GDPR-compliant data handling

Least-privilege access control

Audit logs retained

Incident notification procedures in place

9. Testing & Maintenance

Annual DR simulation

Tabletop incident exercises

Post-incident reviews after all SEV-1 events

Plan updated after:

Major architectural changes

New critical customers

Regulatory changes

10. Version & Ownership

Version: 1.3. Owner: Shopspray CEO / CTO. Last Review: December, 2025. Next Review: December, 2026

Cookie	Duur	Beschrijving
cookielawinfo-checkbox-analytics	11 maanden	Deze cookie wordt ingesteld door de GDPR Cookie Consent plugin. De cookie wordt gebruikt om de toestemming van de gebruiker voor de cookies in de categorie "Analytics" op te slaan.
cookielawinfo-checkbox-functioneel	11 maanden	De cookie wordt ingesteld door GDPR cookie consent om de toestemming van de gebruiker voor de cookies in de categorie "Functioneel" vast te leggen.
cookielawinfo-checkbox-nodig	11 maanden	Deze cookie wordt ingesteld door GDPR Cookie Consent plugin. De cookie wordt gebruikt om de toestemming van de gebruiker voor de cookies in de categorie "Noodzakelijk" op te slaan.
cookielawinfo-checkbox-andere	11 maanden	Deze cookie wordt ingesteld door GDPR Cookie Consent plugin. De cookie wordt gebruikt om de toestemming van de gebruiker voor de cookies in de categorie "Overig" op te slaan.
cookielawinfo-checkbox-prestatie	11 maanden	Deze cookie wordt ingesteld door GDPR Cookie Consent plugin. De cookie wordt gebruikt om de toestemming van de gebruiker op te slaan voor de cookies in de categorie "Prestaties".
bekeken_cookie_beleid	11 maanden	De cookie wordt ingesteld door de GDPR Cookie Consent plugin en wordt gebruikt om op te slaan of de gebruiker al dan niet heeft ingestemd met het gebruik van cookies. Er worden geen persoonlijke gegevens opgeslagen.