
Business Continuity Policy

Version: 1.0
Effective Date: January 31, 2025
Last Updated: January 26, 2026
Status: Approved

1.0 OVERVIEW

To meet its business objectives and ensure continuity of operations, NEO shall adopt and follow well-defined, tested plans and procedures, build redundancy into teams and infrastructure, and manage a quick and orderly transition to backup arrangements for business systems and services.

NEO's IT infrastructure is cloud-based, so any failure of the cloud service is a business continuity issue. Our resiliency approach therefore centres on limiting the impact of cloud downtime and resuming normal business services quickly.

The AWS Resiliency Program encompasses the processes and procedures by which AWS identifies, responds to, and recovers from a major event or incident within the AWS environment. This program builds on the traditional approach to contingency management, which incorporates elements of business continuity and disaster recovery planning, and extends it with proactive risk mitigation strategies such as engineering physically separate Availability Zones (AZs) and continuous infrastructure capacity planning.

AWS contingency plans and incident response playbooks are maintained and updated to reflect emerging continuity risks and lessons learned from past incidents. Service team response plans are tested and updated in the normal course of business, and the AWS Resiliency plan is tested, reviewed, and approved by senior leadership annually.

2.0 PURPOSE & BACKGROUND

The main objective of the Business Continuity Policy is to minimize the loss to NEO's business from a disruption: lost revenue, reputational damage, lost productivity, and reduced customer satisfaction.

  1. The purpose of this policy is to ensure that the organization establishes objectives, plans, and procedures such that the effect of a major disruption to the organization's key business activities is minimized.
  2. The success of the organization is reliant upon the preservation of critical business operations and essential functions used to deliver key products and services. The purpose of this policy is to define the criteria for continuing business operations for the organization in the event of a disruption. Specifically, this document defines:
    1. The structure and authority to ensure business resilience of key processes and systems.
    2. The requirements for efforts to manage through a disaster or other disruptive event when the need arises.
    3. The criteria to efficiently and effectively resume normal business operations after a disruption.
  3. Within this document, the following definitions apply:
    1. Business impact analysis/assessment – an exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to return to a normal level of operation and prioritizes recovery of processes and the supporting system.
    2. Disaster recovery plan – a set of human, physical, technical, and procedural resources to return to a normal level of operation, within a defined time and cost, when an activity is interrupted by an emergency or disaster.
    3. Recovery time objective – the amount of time allowed for the recovery of a business function or resource to a normal level after a disaster or disruption occurs.
    4. Recovery point objective – the maximum acceptable data loss in the event of a disruption, expressed as the time between the last recoverable backup and the point of disruption.

3.0 ELIGIBILITY

This policy applies to all NEO employees, contractors, consultants, temporaries, suppliers, and other workers. This policy is applicable for all network systems, databases, files, applications, and electronic records of NEO.

This policy applies to all infrastructure and data within the organization’s information security program.

This policy applies to all management, employees, and suppliers that are involved in decisions and processes affecting the organization’s business continuity.

4.0 POLICY

The Business Continuity (BC) Policy shall be implemented by the designated personnel. Responsibilities include:

  • Coordinate the development and maintenance of the BC Policy.
  • Identify and declare disaster scenarios according to the severity of the disaster.
  • Enforce BC among teams as per disaster scenarios.
  • Review and audit BC Policy at planned intervals.
  • Test and update the BC plan annually.
  • Facilitate functional training of the members for BC plan execution.
  • Coordinate with third-party vendors (sub-processors) wherever applicable.

This policy must be made readily available to all to whom it applies.

  1. A Business Continuity Plan must be developed, reviewed annually, and tested periodically. The process for developing a Business Continuity Plan (playbook) is to conduct a tabletop exercise that simulates an event and walks through the steps needed to restore operations.
  2. Business Risk Assessment and Business Impact Analysis
    1. NEO is required to perform a business risk assessment and business impact analysis for each key business system within the area of responsibility.
    2. The business risk assessment must identify and define the criticality of key business systems and the repositories that contain the relevant and necessary data for the key business system.
    3. The business risk assessment must define and document the Disaster Recovery Plan (DRP) for its area of responsibility. Each plan shall include:
      1. Key business processes.
      2. The applicable risks to availability.
      3. Prioritization of recovery.
      4. Recovery Time Objectives (RTOs).
      5. Recovery Point Objectives (RPOs).
  3. Business Continuity Plan (BCP)
    1. Each key business system must have a documented BCP to provide guidance for the restoration of hardware, software, or networks.
    2. Each BCP must include an external communications plan (customers, website, vendors) that explains the extent of the information or system unavailability in the event of an outage and the process that will be followed to continue business operations during the outage. Where feasible, the DRP and BCP must consider the use of alternative, off-site computer operations (cold, warm, or hot sites).
    3. Each plan must be reviewed against the organization’s strategy, objectives, culture, and ethics, as well as policy, legal, statutory and regulatory requirements.
    4. Each DRP must include:
      1. An emergency mode operations plan for continuing operations in the event of temporary hardware, software, or network outages.
      2. A recovery plan for returning business functions and services to normal on-site operations.
      3. Procedures for periodic testing, review, and revisions of the DRP for all affected business systems, as a group and/or individually.
  4. Data Backup and Restoration Plans
    1. Each system owner must implement a data backup and restoration plan.
    2. Each data backup and restoration plan must identify:
      1. The data custodian for the system.
      2. The backup schedule of each system.
      3. Where backup media is to be stored and secured, as well as how access is maintained.
      4. Who may remove backup media and transfer it to storage.
      5. Appropriate restoration procedures to restore key business system data from backup media to the system.
      6. The restoration testing plan and the frequency of testing to confirm the effectiveness of the plan.
      7. The method for restoring encrypted backup media.
  5. Maximum Tolerable Period of Disruption (MTPD)
    The Maximum Tolerable Period of Disruption (MTPD) is the time threshold within which a business function must be restored before the consequences (financial loss, reputational damage, regulatory non-compliance) become unacceptable. The MTPD values below for NEO's essential business processes are derived from the business risk assessments and business impact analyses required in section 4.2:
    Tenant Infrastructure
    • MTPD: 4 hours
    • Rationale: Essential for operational continuity and client data access; delays beyond this can cause significant revenue and trust losses.
    • Based on: High dependency on AWS cloud infrastructure and potential cloud service disruptions.
    Database Operations
    • MTPD: 3 hours
    • Rationale: Critical for data integrity and availability; exceeding this time frame risks significant data loss and operational disruption.
    • Based on: Risks such as data corruption and unauthorized access, mitigated by robust backup solutions and secure access protocols.
    Client Communications
    • MTPD: 6 hours
    • Rationale: Vital for maintaining effective client relations and managing reputational risk during downtime.
    • Based on: Dependencies on communication platforms such as Sendgrid and email systems that could face outages.
    Critical IT Systems
    • MTPD: 8 hours
    • Rationale: Essential for maintaining legal and operational activities; extended disruptions could lead to legal liabilities and operational halts.
    • Based on: Possible system crashes, failover delays, and unaddressed vulnerabilities.
    Customer Support
    • MTPD: 12 hours
    • Rationale: Directly affects customer satisfaction and retention; extended downtime can result in increased dissatisfaction and customer loss.
    • Based on: Reliance on support software, communication channels, and the availability of trained personnel.
    1. Documentation and Review:
      • Business Impact Analysis (BIA): Aligns the MTPD values with organizational objectives and potential impacts, validating the need for each threshold.
      • Risk Assessment: Provides the detailed foundation for the MTPD values, highlighting vulnerabilities and mitigation strategies.
      • Vendor Capabilities and Contractual Obligations: Ensures that the recovery capabilities of third-party services align with the MTPD objectives.
    2. Policy Maintenance: This MTPD framework will be reviewed annually as part of the policy update process. Regular testing of disaster recovery implementations will verify that the recovery measures meet the MTPD objectives, so that NEO can maintain continuity under the various disruption scenarios.
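Section 4.5.2 requires recovery testing to verify that recovery measures meet the MTPD thresholds, and section 4.4.2 requires each backup plan to document its schedule, restore procedure and restore testing. The following Python module is an added example (not part of this policy and not NEO's own tooling) of the check an engineer would run after each restore drill: it compares a system's documented RTO, RPO and backup interval against the MTPD table in section 4.5, and compares a drill's measured recovery time and data-loss window against those objectives. The MTPD values are the ones stated in this policy; the RTO, RPO and backup-interval figures, the process-to-drill mapping and the drill records are constructed sample data, since the policy fixes only the MTPD values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# MTPD per business process, as set in section 4.5 of this policy.
MTPD = {
    "Tenant Infrastructure": timedelta(hours=4),
    "Database Operations": timedelta(hours=3),
    "Client Communications": timedelta(hours=6),
    "Critical IT Systems": timedelta(hours=8),
    "Customer Support": timedelta(hours=12),
}


@dataclass(frozen=True)
class RecoveryObjectives:
    """Per-system objectives from its BCP/DRP (4.2.3) and backup plan (4.4.2)."""
    process: str
    rto: timedelta              # assumed figure; the policy fixes MTPD, not RTO
    rpo: timedelta              # assumed figure
    backup_interval: timedelta  # from the documented backup schedule (4.4.2.2)


@dataclass(frozen=True)
class RestoreDrill:
    """One restoration test record (4.4.2.6); all timestamps are UTC."""
    process: str
    declared_at: datetime             # when the disruption was declared
    restored_at: datetime             # when the restore completed
    last_good_backup_at: datetime     # newest backup that restored cleanly
    encrypted_restore_verified: bool  # restore from encrypted media worked (4.4.2.7)


def check_objectives(obj: RecoveryObjectives) -> list[str]:
    """Static consistency checks that need no drill data."""
    findings = []
    mtpd = MTPD.get(obj.process)
    if mtpd is None:
        findings.append(f"NO_MTPD: {obj.process} has no MTPD in section 4.5")
    elif obj.rto > mtpd:
        # An RTO longer than the MTPD can never satisfy the policy threshold.
        findings.append(f"RTO_EXCEEDS_MTPD: {obj.process} RTO {obj.rto} > MTPD {mtpd}")
    if obj.backup_interval > obj.rpo:
        # Worst-case data loss equals the backup interval, so it must not exceed the RPO.
        findings.append(f"BACKUP_INTERVAL_EXCEEDS_RPO: {obj.process} interval "
                        f"{obj.backup_interval} > RPO {obj.rpo}")
    return findings


def check_drill(obj: RecoveryObjectives, drill: RestoreDrill) -> list[str]:
    """Evaluate one restore drill against MTPD, RTO and RPO."""
    if drill.process != obj.process:
        return [f"MISMATCH: drill for {drill.process}, objectives for {obj.process}"]
    findings = []
    recovery_time = drill.restored_at - drill.declared_at
    data_loss = drill.declared_at - drill.last_good_backup_at
    mtpd = MTPD.get(obj.process)
    if mtpd is not None and recovery_time > mtpd:
        findings.append(f"MTPD_BREACHED: {obj.process} recovered in {recovery_time} > {mtpd}")
    if recovery_time > obj.rto:
        findings.append(f"RTO_MISSED: {obj.process} recovered in {recovery_time} > {obj.rto}")
    if data_loss > obj.rpo:
        findings.append(f"RPO_MISSED: {obj.process} lost {data_loss} of data > {obj.rpo}")
    if not drill.encrypted_restore_verified:
        findings.append(f"ENCRYPTED_RESTORE_UNVERIFIED: {obj.process} restore from "
                        "encrypted media not demonstrated")
    return findings


# Constructed sample data (assumed, not from the policy).
UTC = timezone.utc
SAMPLE_OBJECTIVES = {
    "Database Operations": RecoveryObjectives("Database Operations", rto=timedelta(hours=2),
                                              rpo=timedelta(minutes=15), backup_interval=timedelta(hours=1)),
    "Customer Support": RecoveryObjectives("Customer Support", rto=timedelta(hours=16),
                                           rpo=timedelta(hours=1), backup_interval=timedelta(hours=1)),
    "Tenant Infrastructure": RecoveryObjectives("Tenant Infrastructure", rto=timedelta(hours=2),
                                                rpo=timedelta(minutes=5), backup_interval=timedelta(minutes=5)),
}
SAMPLE_DRILLS = [
    RestoreDrill("Database Operations", datetime(2025, 3, 1, 10, 0, tzinfo=UTC),
                 datetime(2025, 3, 1, 13, 30, tzinfo=UTC), datetime(2025, 3, 1, 9, 50, tzinfo=UTC), True),
    RestoreDrill("Tenant Infrastructure", datetime(2025, 3, 1, 10, 0, tzinfo=UTC),
                 datetime(2025, 3, 1, 11, 15, tzinfo=UTC), datetime(2025, 3, 1, 9, 58, tzinfo=UTC), False),
]


def run_sample() -> dict[str, list[str]]:
    """Findings per process for the constructed sample, objectives first, then drills."""
    report = {}
    for name, obj in SAMPLE_OBJECTIVES.items():
        findings = check_objectives(obj)
        for drill in SAMPLE_DRILLS:
            if drill.process == name:
                findings.extend(check_drill(obj, drill))
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "->", findings or ["OK"])
```

Only MTPD_BREACHED is a breach of this policy; RTO_MISSED on its own means the system's internal target slipped while still inside the tolerance the business set, and BACKUP_INTERVAL_EXCEEDS_RPO flags a backup schedule that cannot meet its own RPO before any drill is run.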

5.0 ROLES & RESPONSIBILITIES

Notification of Plan Initiation

  1. The following personnel must be notified when this plan is initiated:
    1. Martin Konrad, CEO/Founder
    2. Szymon Fraszczak, VP of Engineering
  2. The CEO is responsible for notifying the personnel listed above.

6.0 COMPLIANCE

NEO will verify compliance with this policy through various methods, including but not limited to, periodic reviews, monitoring, and/or via audits.
