Business Continuity Plan

Last updated: January 15, 2026

Document owner: Chief Operating Officer (COO) with CISO as technical co-owner
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual full review; quarterly tabletop exercises; ad hoc review upon material changes
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com


1. Document Purpose and Objectives

This Business Continuity Plan (BCP) establishes a comprehensive framework for maintaining essential operations, protecting customer data, and restoring services during disruptive events affecting Acme Cloud, Inc. The plan provides structured procedures for crisis management, operational continuity, disaster recovery, and stakeholder communication across a wide range of potential disruption scenarios while maintaining compliance with regulatory requirements and contractual commitments to customers.

The primary objectives of this Business Continuity Plan include the following strategic and operational goals that guide all continuity activities across the organization:

| Objective | Description | Success Metric |
| --- | --- | --- |
| Customer Data Protection | Ensure customer data confidentiality, integrity, and availability are maintained during disruptions | Zero customer data breaches during continuity events |
| Service Restoration | Restore critical customer-facing services within defined Recovery Time Objectives | 100% achievement of RTO targets during actual events |
| Communication Effectiveness | Provide timely, accurate information to customers, employees, and stakeholders during disruptions | Customer notification within 60 minutes of confirmed impact |
| Workforce Safety | Prioritize employee safety and well-being during crises affecting physical locations or health | Zero employee injuries during continuity events |
| Regulatory Compliance | Maintain compliance with contractual SLAs, regulatory requirements, and industry standards | Zero regulatory findings related to availability failures |
| Operational Resilience | Build organizational capability to anticipate, respond to, and recover from disruptive events | Annual improvement in continuity metrics |
| Financial Stability | Minimize financial impact of disruptions through preparation, insurance, and rapid recovery | Business interruption costs within insurance coverage |
| Stakeholder Confidence | Maintain customer, investor, and partner trust through demonstrated continuity capability | Post-event satisfaction score above 4.0/5.0 |

This plan aligns with SOC 2 Trust Services Criteria A1.1-A1.3 (Availability), ISO 27001:2022 Annex A.5.29-A.5.30 (Information security during disruption), ISO 22301:2019 (Business continuity management systems), HIPAA Security Rule §164.308(a)(7) (Contingency plan), NIST SP 800-34 Rev. 1 (Contingency Planning Guide), and AWS Well-Architected Framework reliability pillar. This plan complements the Backup and Recovery Policy, Incident Response Plan, and Security Overview.


2. Definitions and Terminology

This section establishes standard terminology used throughout the Business Continuity Plan to ensure consistent interpretation and application across all continuity activities.

| Term | Definition |
| --- | --- |
| Business Continuity | The capability of an organization to continue delivery of products and services at acceptable predefined levels following a disruptive incident |
| Business Continuity Plan (BCP) | Documented procedures that guide organizations to respond to, recover from, and restore operations following disruption |
| Disaster Recovery (DR) | The process of restoring IT systems, applications, and data following a significant disruption or disaster |
| Business Impact Analysis (BIA) | Process of identifying critical business functions and the resources required to support them, along with the impact of disruption |
| Maximum Tolerable Downtime (MTD) | The maximum period of time that a business function can be disrupted before the organization suffers unacceptable consequences |
| Recovery Time Objective (RTO) | Target time for restoring a business function or IT system following a disruption |
| Recovery Point Objective (RPO) | Maximum acceptable data loss measured in time, determining backup and replication frequency requirements |
| Crisis Management Team (CMT) | Cross-functional group responsible for strategic decision-making and coordination during a crisis |
| Executive Incident Commander (EIC) | Senior leader with overall authority for crisis decisions, external communications, and resource allocation |
| Technical Incident Commander (TIC) | Technical leader responsible for directing recovery operations and technical resource coordination |
| Warm Standby | A disaster recovery configuration where backup systems are running but not serving production traffic |
| Hot Standby | A disaster recovery configuration where backup systems are synchronized and ready for immediate failover |
| Failover | The process of switching from a primary system to a backup system |
| Failback | The process of returning operations to the primary system after recovery |
| Single Point of Failure (SPOF) | A component whose failure would cause the entire system to fail |
| Tabletop Exercise | A discussion-based exercise where participants walk through their roles and responses to a scenario |
| Functional Exercise | A hands-on exercise where participants execute actual procedures in a controlled environment |
| Full-Scale Exercise | A comprehensive exercise simulating real conditions as closely as possible |
| Invocation | The formal activation of the Business Continuity Plan in response to a disruption |
| Stand-Down | The formal deactivation of the Business Continuity Plan when normal operations resume |

3. Scope and Applicability

This Business Continuity Plan applies to all Acme Cloud production systems, supporting infrastructure, critical corporate functions, and personnel responsible for continuity execution. The plan governs response to disruptions regardless of cause, duration, or geographic scope.

3.1 Systems and Operations in Scope

| Category | Scope Coverage | Primary Owner | Continuity Priority |
| --- | --- | --- | --- |
| Production SaaS Platform | Customer-facing application, APIs, authentication, data storage | VP Engineering | Tier 1 Critical |
| Customer Data | All customer content, configurations, and account information | VP Engineering | Tier 1 Critical |
| Infrastructure | AWS us-east-1 (primary), eu-west-1 (DR), networking, security controls | Director of SRE | Tier 1 Critical |
| Support Operations | Customer support portal, ticketing, knowledge base, communication channels | VP Customer Success | Tier 2 Significant |
| Billing Systems | Payment processing, subscription management, invoicing | VP Finance | Tier 2 Significant |
| Security Monitoring | SIEM, endpoint protection, threat detection, incident response capability | CISO | Tier 2 Significant |
| Corporate IT | Email, collaboration, identity management, employee productivity tools | VP IT | Tier 3 Standard |
| Marketing and Sales | Website, CRM, marketing automation, sales tools | VP Marketing | Tier 3 Standard |
| Office Facilities | San Francisco headquarters, remote work infrastructure | VP Operations | Tier 4 Low Priority |

3.2 Disruption Scenarios Addressed

| Scenario Category | Example Events | Likelihood | Potential Impact | Primary Response |
| --- | --- | --- | --- | --- |
| Technology Failure | Hardware failure, software bug, database corruption, network outage | Medium | High | Technical recovery procedures |
| Cyber Attack | Ransomware, DDoS, data breach, infrastructure compromise | Medium | Critical | Incident Response Plan |
| Cloud Provider Outage | AWS regional outage, service degradation, API failures | Low | Critical | DR failover procedures |
| Natural Disaster | Earthquake, severe weather, flooding affecting facilities or regions | Low | High | Facility and regional recovery |
| Pandemic/Public Health | Extended workforce unavailability, travel restrictions, office closures | Low | Medium | Remote operations procedures |
| Utility Failure | Power outage, telecommunications disruption, internet connectivity loss | Medium | Medium | Redundancy activation |
| Supply Chain Disruption | Critical vendor failure, software dependency compromise | Low | High | Vendor contingency procedures |
| Civil Disruption | Protests, civil unrest, transportation disruption | Low | Low | Remote operations, facility security |
| Key Personnel Loss | Sudden unavailability of critical personnel | Medium | Medium | Succession and cross-training |
| Regulatory Action | License suspension, compliance order, legal injunction | Very Low | Critical | Legal response procedures |

3.3 Geographic Scope

| Region | Operations Present | Infrastructure | Continuity Consideration |
| --- | --- | --- | --- |
| United States (Primary) | Headquarters (San Francisco), primary AWS region (us-east-1), majority workforce | Primary production infrastructure | Full BCP coverage |
| European Union | Customer data processing, DR region (eu-west-1), distributed workforce | Disaster recovery infrastructure | Regional failover capability |
| Global (Remote) | Distributed workforce, customer base | N/A | Remote work resilience |

4. Governance Structure and Roles

Effective business continuity requires clear authority, defined responsibilities, and established escalation paths. This section defines the governance structure, key roles, and decision-making authority for continuity activities.

4.1 Crisis Management Team Structure

| Role | Primary Responsibilities | Default Assignment | Backup Assignment | Activation Response Time |
| --- | --- | --- | --- | --- |
| Executive Incident Commander (EIC) | Overall crisis decisions; external communications approval; resource authorization; Board liaison | CEO or COO | CTO | 30 minutes (business hours); 60 minutes (off-hours) |
| Technical Incident Commander (TIC) | Technical recovery coordination; DR failover authorization; infrastructure decisions | CISO or VP Engineering | Director of SRE | 30 minutes (business hours); 60 minutes (off-hours) |
| Business Continuity Manager | BCP maintenance; exercise coordination; post-event reporting; documentation | COO or designee | VP Operations | 60 minutes |
| Communications Lead | Customer, employee, and media messaging; status page management; notification execution | VP Marketing | Director of Communications | 30 minutes |
| Legal and Compliance Lead | Regulatory notification assessment; contractual obligation review; legal hold management | General Counsel | External counsel | 60 minutes |
| Customer Success Lead | Enterprise customer outreach; customer impact assessment; SLA tracking | VP Customer Success | Director of Customer Success | 30 minutes |
| Finance Lead | Insurance coordination; emergency expenditure authorization; financial impact tracking | CFO | Controller | 60 minutes |
| HR Lead | Employee safety coordination; workforce availability; benefits and leave administration | VP People | HR Director | 60 minutes |
| Facilities Lead | Physical facility management; safety coordination; logistics | VP Operations | Office Manager | 30 minutes for facility events |

4.2 Activation and Escalation Matrix

| Event Severity | Activation Trigger | Initial Responder | CMT Activation | Executive Notification |
| --- | --- | --- | --- | --- |
| Level 1 (Critical) | Production down over 1 hour; data breach confirmed; regional disaster affecting primary site | On-call SRE/Security | Immediate full CMT activation | CEO within 15 minutes; Board within 4 hours |
| Level 2 (Major) | Significant service degradation; security incident contained; key vendor failure | On-call SRE/Security | Core CMT activated within 30 minutes | COO and CISO within 30 minutes |
| Level 3 (Moderate) | Partial service impact; potential escalation risk; localized facility issue | On-call SRE/Facilities | CMT Manager notified; selective activation | Daily briefing to executives |
| Level 4 (Minor) | Limited impact; managed through normal operations; monitoring situation | Operational teams | Monitor only; no CMT activation | Included in regular reporting |

4.3 Decision Authority Matrix

| Decision Category | Level 1/2 Events | Level 3/4 Events | Documentation Required |
| --- | --- | --- | --- |
| Invoke Business Continuity Plan | EIC | CMT Manager | Invocation log with timestamp |
| Authorize DR failover | TIC with EIC approval | TIC | Change ticket and approval record |
| Customer notification content | EIC with Legal review | Communications Lead | Approved message copy |
| Media statement | EIC with Legal review | Communications Lead with EIC awareness | Approved statement copy |
| Emergency expenditure under $50K | EIC | CMT Manager | Purchase authorization |
| Emergency expenditure over $50K | CEO with CFO concurrence | CEO | Board notification |
| Office closure | EIC | CMT Manager | Closure notice |
| Return to normal operations | EIC | CMT Manager | Stand-down notice |

5. Business Impact Analysis

Acme Cloud conducts formal Business Impact Analysis (BIA) annually to identify critical business functions, assess disruption impacts, and establish recovery priorities.

5.1 BIA Methodology

| Phase | Activities | Participants | Output |
| --- | --- | --- | --- |
| Function identification | Inventory all business functions; document processes and dependencies | All department heads | Function catalog |
| Impact assessment | Evaluate financial, operational, regulatory, and reputational impacts of disruption | Function owners, Finance, Legal | Impact ratings by function |
| Dependency mapping | Identify technology, personnel, vendor, and facility dependencies | Function owners, IT, Procurement | Dependency matrix |
| Recovery prioritization | Establish MTD, RTO, and RPO for each function | CMT, function owners | Recovery objectives |
| Resource requirements | Determine minimum resources needed for recovery | Function owners | Resource requirements |
| Gap analysis | Compare current capabilities to requirements | CMT, GRC | Gap register |
| Plan update | Incorporate findings into BCP | CMT Manager | Updated BCP |

5.2 Critical Business Functions

| Business Function | Criticality Tier | Maximum Tolerable Downtime | Recovery Time Objective | Recovery Point Objective | Key Dependencies |
| --- | --- | --- | --- | --- | --- |
| Core SaaS Application | Tier 1 | 4 hours | 4 hours | 1 hour | AWS, Cloudflare, PostgreSQL, Redis |
| Customer Authentication | Tier 1 | 2 hours | 2 hours | 15 minutes | Okta, internal auth service, database |
| Customer API | Tier 1 | 4 hours | 4 hours | 1 hour | Application tier, database, CDN |
| Data Backup and Recovery | Tier 1 | 4 hours | 4 hours | Per backup schedule | AWS RDS, S3, cross-region replication |
| Security Monitoring | Tier 2 | 8 hours | 6 hours | 1 hour | Datadog, CrowdStrike, AWS |
| Customer Support Portal | Tier 2 | 8 hours | 4 hours | 4 hours | Zendesk, status page, email |
| Background Job Processing | Tier 2 | 8 hours | 6 hours | 1 hour | SQS, worker fleet, database |
| Billing and Invoicing | Tier 2 | 24 hours | 12 hours | 24 hours | Stripe, internal billing service |
| Employee Productivity | Tier 3 | 48 hours | 24 hours | 24 hours | Google Workspace, Okta, Slack |
| Marketing Website | Tier 3 | 72 hours | 24 hours | N/A | Vercel, Cloudflare |

5.3 Financial Impact Assessment

| Impact Category | Tier 1 (per hour) | Tier 2 (per hour) | Tier 3 (per day) | Calculation Basis |
| --- | --- | --- | --- | --- |
| Direct revenue loss | $15,000-25,000 | $5,000-10,000 | $1,000-5,000 | MRR prorated by affected services |
| SLA credit exposure | Variable per contract | Variable per contract | Minimal | Enterprise contract terms |
| Operational cost | $2,000-5,000 | $1,000-2,000 | $500-1,000 | Response team labor |
| Reputational impact | Difficult to quantify | Moderate | Minimal | Customer churn correlation |
| Regulatory exposure | Variable | Minimal | None | Notification requirements |

6. Recovery Strategies

This section defines the strategies and procedures for maintaining operations and recovering from various disruption scenarios.

6.1 Technology Recovery Strategies

| Component | Primary Strategy | Secondary Strategy | RTO | Dependencies |
| --- | --- | --- | --- | --- |
| Database (PostgreSQL) | Cross-region read replica promotion | Point-in-time recovery from snapshots | 2 hours | AWS RDS, network connectivity |
| Application Tier | Pre-deployed container images in DR region | Fresh deployment from CI/CD | 2 hours | Container registry, secrets |
| Object Storage (S3) | Cross-region replication (active-active) | Manual restore from replicated bucket | 30 minutes | AWS S3, replication |
| CDN and Edge | Cloudflare multi-region failover | Route 53 DNS failover to origin | 15 minutes | DNS propagation |
| Authentication | Okta multi-region; cached session fallback | Emergency local authentication | 30 minutes | Okta availability |
| Monitoring | Multi-region Datadog; backup metrics pipeline | Manual monitoring procedures | 1 hour | Datadog availability |

6.2 Disaster Recovery Failover Procedure

| Phase | Step | Actions | Duration | Responsible |
| --- | --- | --- | --- | --- |
| Detection | 1 | Automated monitoring detects regional impact; alerts generated | 0-15 min | Automated/SRE |
| Assessment | 2 | TIC assesses scope; confirms primary region unrecoverable within RTO | 15-30 min | TIC |
| Authorization | 3 | EIC authorizes DR failover; CMT notified | 5 min | EIC |
| Database Failover | 4 | Promote eu-west-1 read replica to primary; verify data consistency | 15-30 min | SRE |
| Application Deployment | 5 | Deploy application containers in DR region; configure endpoints | 30-60 min | SRE/Engineering |
| Traffic Failover | 6 | Update DNS records; verify propagation; enable traffic to DR | 15-30 min | SRE |
| Validation | 7 | Execute smoke tests; verify critical functions; customer spot-check | 30-60 min | Engineering/QA |
| Communication | 8 | Update status page; notify customers; internal communication | 15 min | Communications |
| Monitoring | 9 | Enable enhanced monitoring; document event timeline | Ongoing | SRE |
| Total | | | 2-4 hours | |

6.3 Workforce Continuity Strategies

| Scenario | Strategy | Implementation | Testing |
| --- | --- | --- | --- |
| Office inaccessibility | Full remote work capability; distributed workforce | All employees equipped for remote work; VPN/SSO access | Monthly remote work verification |
| Regional workforce impact | Geographic distribution; time zone coverage | Distributed hiring; cross-regional team structure | Quarterly coverage analysis |
| Key personnel unavailability | Succession planning; cross-training; documentation | Identified successors for critical roles; documented procedures | Annual succession review |
| Extended absenteeism (over 25%) | Essential function prioritization; contractor surge capacity | Contractor relationships; prioritized function list | Tabletop exercise |
| Communication disruption | Multiple communication channels; out-of-band contact methods | Slack, email, phone tree, SMS; personal contact info | Quarterly contact tree test |

6.4 Vendor Continuity Strategies

| Vendor Category | Primary Vendor | Contingency | Failover Capability | Testing |
| --- | --- | --- | --- | --- |
| Cloud Infrastructure | AWS | Multi-region within AWS; documented exit strategy | 4-hour regional failover | Semi-annual DR test |
| CDN/Edge | Cloudflare | Route 53 + origin direct | 15-minute failover | Quarterly failover test |
| Identity Provider | Okta | Cached sessions; emergency local auth | 30-minute degraded mode | Annual failover test |
| Email Delivery | SendGrid | AWS SES (transactional fallback) | 1-hour configuration change | Annual test |
| Payment Processing | Stripe | Manual invoicing for continuity | Degraded mode | Documented procedure |
| Customer Support | Zendesk | Direct email support | 4-hour email configuration | Annual procedure review |

7. Communication Procedures

Timely and accurate communication is essential during disruptions. This section defines communication procedures for all stakeholder groups.

7.1 Communication Channels

| Channel | Primary Use | Backup | Owner | Activation Time |
| --- | --- | --- | --- | --- |
| Status Page (status.acmecloud.com) | Customer-facing service status | Direct email; support portal banner | Communications | 15 minutes |
| Email (automated) | Customer notification broadcasts | Manual email; phone tree for enterprise | Communications | 30 minutes |
| Slack (internal) | Internal coordination; war room | Phone bridge; SMS | CMT Manager | Immediate |
| Phone Bridge | Executive communication; off-Slack backup | Mobile phones direct | CMT Manager | 15 minutes |
| Enterprise CSM Outreach | Dedicated enterprise customer communication | Backup CSM; support escalation | Customer Success | 30 minutes |
| Media (PR agency) | Press inquiries; proactive statements | In-house communications | Communications/EIC | 2 hours |
| Investor Relations | Board and investor notification | Direct CEO communication | CFO/CEO | 4 hours |

7.2 Customer Communication Requirements

| Customer Tier | Notification Trigger | Initial Notification SLA | Update Frequency | Channel |
| --- | --- | --- | --- | --- |
| Enterprise | Any Tier 1/2 service impact | Within 30 minutes | Every 30 minutes during impact | Dedicated CSM + status page + email |
| Business | Tier 1 service impact | Within 60 minutes | Every 60 minutes during impact | Status page + email |
| All Customers | Confirmed data security event | Within 24 hours of confirmation | As material updates occur | Email + status page |
| All Customers | Extended outage (over 4 hours) | Within 60 minutes of impact | Every 60 minutes | Status page + email |

7.3 Communication Templates

Pre-approved communication templates are maintained for the following scenarios:

| Scenario | Template ID | Approval Status | Last Reviewed |
| --- | --- | --- | --- |
| Service degradation (initial) | COMM-001 | Pre-approved | January 2026 |
| Service degradation (update) | COMM-002 | Pre-approved | January 2026 |
| Service degradation (resolution) | COMM-003 | Pre-approved | January 2026 |
| Full service outage (initial) | COMM-004 | Pre-approved | January 2026 |
| Full service outage (update) | COMM-005 | Pre-approved | January 2026 |
| Full service outage (resolution) | COMM-006 | Pre-approved | January 2026 |
| Security incident (customer notification) | COMM-007 | Legal review required | January 2026 |
| Planned maintenance | COMM-008 | Pre-approved | January 2026 |
| DR failover notification | COMM-009 | Pre-approved | January 2026 |
| Post-incident summary | COMM-010 | Legal review required | January 2026 |

7.4 Regulatory and Contractual Notifications

| Requirement | Trigger | Timeline | Responsible | Process |
| --- | --- | --- | --- | --- |
| Enterprise SLA notification | SLA threshold breach | Per contract (typically 24-48 hours) | Customer Success | Automated SLA tracking + CSM outreach |
| GDPR availability notification | Extended unavailability of personal data | Without undue delay if processing impacted | Privacy Officer | Legal assessment; DPA notification if required |
| HIPAA notification | PHI availability impact | Per BAA terms | Privacy Officer | BAA customer notification |
| Contractual force majeure | Qualified force majeure event | Per contract notice provisions | Legal | Formal notice if invoking |
| Insurance notification | Potential claim event | Within 72 hours | CFO | Carrier notification per policy |

8. Plan Maintenance and Testing

Regular testing and maintenance ensure the BCP remains current and effective.

8.1 Testing Schedule

| Exercise Type | Frequency | Last Completed | Next Scheduled | Scope | Participants |
| --- | --- | --- | --- | --- | --- |
| Tabletop (executive) | Annual | November 2025 | November 2026 | Regional outage scenario | CMT, executive team |
| Tabletop (technical) | Quarterly | January 2026 | April 2026 | Technical recovery scenarios | SRE, Security, Engineering |
| Technical DR failover | Semi-annual | December 2025 | June 2026 | Full regional failover | SRE, Engineering |
| Backup restore validation | Quarterly | January 2026 | April 2026 | Database and file recovery | SRE |
| Contact tree verification | Quarterly | January 2026 | April 2026 | CMT contact accuracy | All CMT members |
| Communication drill | Annual | October 2025 | October 2026 | Customer notification process | Communications, Customer Success |
| Vendor failover test | Annual per vendor | Q3 2025 (Cloudflare) | Q3 2026 | Secondary vendor activation | SRE, Vendor Management |
| New hire orientation | Upon onboarding | Continuous | Continuous | BCP awareness and role orientation | CMT Manager |

8.2 Exercise Evaluation Criteria

| Criterion | Evaluation Method | Success Threshold | Remediation Timeline |
| --- | --- | --- | --- |
| CMT activation time | Timestamp from notification to acknowledgment | Under 30 minutes (business hours) | 30 days for process improvement |
| Decision-making effectiveness | Observer assessment; participant feedback | Clear authority; timely decisions | 60 days for clarification |
| Communication accuracy | Message review; timing measurement | Accurate content; within SLA | 30 days for template/process update |
| Technical recovery success | RTO/RPO achievement | 100% within objectives | 14 days for technical remediation |
| Documentation completeness | Post-exercise document review | All required documentation produced | 30 days for template update |
| Participant knowledge | Quiz or discussion assessment | 80% procedural accuracy | 60 days for training |

8.3 Plan Maintenance Triggers

| Trigger | Review Scope | Timeline | Responsible |
| --- | --- | --- | --- |
| Annual review | Full BCP review and update | January annually | CMT Manager |
| Organizational change | Affected roles and responsibilities | Within 30 days of change | CMT Manager |
| Technology change | Affected systems and procedures | Within 30 days of change | TIC |
| Vendor change | Affected vendor procedures | Within 30 days of change | Vendor Management |
| Exercise findings | Identified gaps and improvements | Within 14 days of exercise | CMT Manager |
| Actual event | Lessons learned incorporation | Within 30 days of event closure | CMT Manager |
| Regulatory change | Compliance requirements | Within 60 days of requirement | Legal/GRC |

9. Supply Chain and Vendor Continuity

Critical vendor dependencies are managed through the Third-Party Risk Management program with specific continuity requirements.

9.1 Critical Vendor Dependencies

| Vendor | Service Provided | Criticality | Redundancy Strategy | Monitoring |
| --- | --- | --- | --- | --- |
| AWS | Infrastructure hosting | Critical - Tier 1 | Multi-region architecture | AWS Health Dashboard; Datadog |
| Cloudflare | CDN, DDoS protection, edge | Critical - Tier 1 | Route 53 + origin fallback | Cloudflare status; synthetic monitoring |
| Okta | Identity and access management | Critical - Tier 1 | Cached sessions; emergency auth | Okta status; authentication monitoring |
| Stripe | Payment processing | Significant - Tier 2 | Manual invoicing continuity | Stripe status; payment monitoring |
| Datadog | Monitoring and observability | Significant - Tier 2 | Backup CloudWatch metrics | Datadog status; self-monitoring |
| SendGrid | Transactional email | Significant - Tier 2 | AWS SES fallback | Delivery metrics |
| Zendesk | Customer support | Significant - Tier 2 | Email support fallback | Ticket system monitoring |

9.2 Vendor SLA Requirements

| Vendor Tier | Required Availability SLA | BCP/DR Documentation | Incident Notification | Annual Review |
| --- | --- | --- | --- | --- |
| Tier 1 Critical | 99.9% or higher | Required for assessment | Within 1 hour | Full assessment |
| Tier 2 Significant | 99.5% or higher | Requested | Within 4 hours | Questionnaire |
| Tier 3 Standard | 99.0% or higher | Optional | Within 24 hours | Certification review |

9.3 Vendor Incident Coordination

| Phase | Acme Cloud Action | Vendor Expectation | Timeline |
| --- | --- | --- | --- |
| Detection | Monitor vendor status; correlate with internal monitoring | Status page update; proactive notification | Within 15 minutes |
| Assessment | Assess customer impact; evaluate workarounds | Scope and ETA communication | Within 30 minutes |
| Mitigation | Implement workarounds; activate redundancy if available | Progress updates; technical support | Ongoing |
| Resolution | Verify restoration; update customers | Root cause and prevention communication | Within 24 hours of resolution |
| Review | Incorporate learnings; assess vendor performance | Post-incident report | Within 5 business days |

10. Financial Continuity

Financial resilience measures ensure Acme Cloud can sustain operations during extended disruptions.

10.1 Financial Reserves

| Reserve Category | Target | Current Status | Review Frequency |
| --- | --- | --- | --- |
| Operating runway | 18 months cash reserves | Maintained per Board policy | Quarterly CFO review |
| Emergency fund | $500K immediately accessible | Maintained in operating account | Monthly verification |
| Credit facility | Available credit line | Maintained with banking partner | Annual renewal |

10.2 Insurance Coverage

| Coverage Type | Coverage Limit | Deductible | Key Coverages | Carrier |
| --- | --- | --- | --- | --- |
| Cyber liability | $10M per occurrence | $100K | Breach response, business interruption, regulatory fines | [Confidential] |
| Business interruption | $5M per occurrence | 24-hour waiting period | Revenue loss, extra expense | [Confidential] |
| Technology E&O | $5M per occurrence | $50K | Service failures, professional liability | [Confidential] |
| D&O | $10M aggregate | Per policy | Director and officer liability | [Confidential] |

10.3 Emergency Expenditure Authorization

| Expenditure Level | Authorization Required | Documentation | Notification |
| --- | --- | --- | --- |
| Under $10K | CMT Manager | Verbal approval; documented post-event | CFO within 24 hours |
| $10K - $50K | EIC | Written approval | CFO concurrent |
| $50K - $250K | CEO with CFO concurrence | Written approval with justification | Board within 48 hours |
| Over $250K | CEO with Board notification | Board approval if time permits | Board concurrent |

11. Pandemic and Public Health Continuity

Acme Cloud's remote-first operating model provides inherent resilience to public health disruptions.

11.1 Pandemic Response Levels

| Level | Trigger | Measures | Decision Authority |
| --- | --- | --- | --- |
| Level 1 (Monitoring) | Public health advisory; regional concern | Enhanced monitoring; travel guidance | VP People |
| Level 2 (Precaution) | Confirmed cases in workforce region | Optional remote work; enhanced cleaning; travel restrictions | COO |
| Level 3 (Activation) | Widespread community transmission | Mandatory remote work; office closure; event cancellation | CEO |
| Level 4 (Extended) | Prolonged public health emergency | Sustained remote operations; workforce support programs | CEO with Board |

11.2 Remote Operations Capability

| Capability | Current State | Maximum Duration | Dependencies |
| --- | --- | --- | --- |
| Full remote workforce | All employees remote-capable | Indefinite | Home internet; employee equipment |
| Virtual collaboration | Slack, Zoom, Google Workspace | Indefinite | SaaS provider availability |
| Secure remote access | VPN, SSO, MFA for all access | Indefinite | Okta, VPN infrastructure |
| Customer support | Fully distributed team | Indefinite | Zendesk, phone system |
| Engineering and development | All tools cloud-accessible | Indefinite | GitHub, CI/CD, cloud resources |
| Finance and HR | Cloud-based systems | Indefinite | Financial systems, HRIS |

12. Metrics and Continuous Improvement

Business continuity effectiveness is measured through defined metrics reported to the CMT quarterly and the Board Audit Committee annually.

12.1 Key Performance Indicators

| Metric | Target | FY2025 Actual | Trend |
| --- | --- | --- | --- |
| Unplanned downtime (Tier 1 services) | Under 4 hours annually | 1.2 hours | Improving |
| DR test success rate | 100% | 100% (2/2 tests) | Stable |
| CMT activation time (tabletop average) | Under 30 minutes | 18 minutes | Exceeds target |
| Customer notification SLA compliance | 100% | 100% | Meets target |
| Exercise completion rate | 100% | 100% | Meets target |
| BCP training completion (CMT) | 100% | 100% | Meets target |
| Vendor continuity assessment completion | 100% Tier 1 | 100% | Meets target |
| Post-event action item closure | 100% within SLA | 100% | Meets target |

12.2 FY2025 Improvement Actions Completed

| Finding Source | Finding | Improvement Implemented | Verification |
| --- | --- | --- | --- |
| November 2025 tabletop | Status page update delay | Automated status page integration | Tested in December DR exercise |
| December 2025 DR test | DNS propagation delay | Pre-staged DNS records with low TTL | Propagation time reduced to under 5 minutes |
| Q3 2025 vendor review | Cloudflare failover untested | Cloudflare to Route 53 failover tested | Successful Q3 2025 test |
| Annual BIA review | Support function MTD too aggressive | Revised support MTD to 8 hours | Updated in BCP v3.0 |

12.3 FY2026 Improvement Roadmap

| Initiative | Objective | Timeline | Owner | Success Criteria |
| --- | --- | --- | --- | --- |
| Automated failover enhancement | Reduce DR failover time to under 2 hours | Q2 2026 | Director of SRE | Demonstrated in June DR test |
| Multi-cloud assessment | Evaluate secondary cloud provider for critical services | Q3 2026 | VP Engineering | Assessment report delivered |
| Customer self-service recovery | Enable customer-initiated data recovery for common scenarios | Q4 2026 | Product | Feature launched |
| Enhanced vendor monitoring | Real-time vendor health dashboard | Q1 2026 | SRE | Dashboard operational |

13. Framework Compliance Mapping

| Requirement | SOC 2 TSC | ISO 27001:2022 | ISO 22301:2019 | HIPAA | Implementation Reference |
| --- | --- | --- | --- | --- | --- |
| Availability commitments | A1.1 | A.5.29 | 8.1 | §164.308(a)(7)(i) | Section 5.2 |
| Recovery planning | A1.2 | A.5.29, A.5.30 | 8.2, 8.3 | §164.308(a)(7)(ii)(B) | Section 6 |
| Backup procedures | A1.2 | A.8.13 | 8.2 | §164.308(a)(7)(ii)(A) | Backup and Recovery |
| Recovery testing | A1.3 | A.5.29 | 8.5 | §164.308(a)(7)(ii)(D) | Section 8 |
| Redundancy | A1.2 | A.8.14 | 8.2 | §164.308(a)(7)(ii)(C) | Section 6.1 |
| Incident handling | CC7.4, CC7.5 | A.5.24-A.5.28 | 8.4 | §164.308(a)(6) | Incident Response |
| Crisis communication | CC2.3 | A.5.29 | 8.4 | §164.308(a)(6)(ii) | Section 7 |
| Business impact analysis | A1.1 | A.5.29 | 8.2 | §164.308(a)(7)(ii)(E) | Section 5 |

14. Document Control and Distribution

| Distribution Category | Recipients | Access Method | Update Notification |
| --- | --- | --- | --- |
| Full BCP | CMT members, Board Audit Committee | GRC document repository | Email upon update |
| Executive summary | All directors and above | Internal wiki | Quarterly briefing |
| Role-specific procedures | Relevant team members | Team documentation | Team lead communication |
| Customer-facing summary | Enterprise customers (under NDA) | Trust Center request | Upon material update |
| Audit evidence | External auditors | Secure document room | Per audit request |

Related Trust Center documents

backup recovery, incident response, security overview, third party risk, data retention, compliance frameworks, subprocessor list


Document revision history

| Version | Date | Author | Summary of changes |
| --- | --- | --- | --- |
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |

Contact

Acme Cloud, Inc.
1200 Market Street, Suite 400
San Francisco, CA 94103, USA

| Channel | Email | Use case |
| --- | --- | --- |
| Trust & procurement | trust@acmecloud.com | Security questionnaires, trust reviews |
| Security | security@acmecloud.com | Incidents, vulnerabilities, control questions |
| Privacy | privacy@acmecloud.com | DSRs, privacy assessments |
| Legal | legal@acmecloud.com | Contractual, DPA, legal notices |

Business continuity inquiries: trust@acmecloud.com
Emergency contact: security@acmecloud.com (24/7 monitored)
Service status: status.acmecloud.com
