Disaster Recovery Policy

1.0 OVERVIEW

NEO is a virtual organization without physically owned Data Centers. All critical and sensitive data is stored and processed in AWS cloud infrastructure, which is managed in accordance with ISO 27001:2022 requirements. NEO follows a Cloud Disaster Recovery (cloud DR) scheme, focusing on backup and restore strategies using AWS services. Data is replicated and maintained across multiple AWS availability zones (e.g., US East and EU Ireland) to ensure resilience and compliance.

Disaster Recovery is a shared responsibility between NEO and AWS. Cloud security and disaster recovery controls are reviewed and tested annually to ensure compliance with ISO 27001:2022.

AWS has identified critical system components required to maintain the availability of the system and recover service in the event of outage. Critical system components (example: code bases) are backed up across multiple, isolated locations known as Availability Zones. Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Common points of failures like generators and cooling equipment are not shared across Availability Zones. Additionally, Availability Zones are physically separate, and designed such that even extremely uncommon disasters such as fires, tornados or flooding should only affect a single Availability Zone. AWS replicates critical system components across multiple Availability Zones and authoritative backups are maintained and monitored to ensure successful replication.

Businesses are using the AWS cloud to enable faster disaster recovery of their critical IT systems without incurring the infrastructure expense of a second physical site. The AWS cloud supports many popular disaster recovery (DR) architectures from “pilot light” environments that may be suitable for small customer workload data center failures to “hot standby” environments that enable rapid failover at scale. With data centers in Regions all around the world, AWS provides a set of cloud-based disaster recovery services that enable rapid recovery of our IT infrastructure and data.

2.0 PURPOSE & BACKGROUND

a. The purpose of this policy is to define the organization’s procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident. The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO).

b. This policy includes all resources and processes necessary for service and data recovery and covers all information security aspects of business continuity management.

c. This policy applies to all management, employees, and suppliers that are involved in the recovery of IT infrastructure and services within the organization. This policy must be made readily available to all whom it applies to.

d. This policy defines the overall disaster recovery strategy for the organization. The strategy describes the organization’s Recovery Time Objective (RTO), which is defined as the duration of time and service level for critical business processes to be restored after a disaster or other disruptive event, as well as the procedures, responsibility and technical guidance required to meet the RTO.

This policy also lists the contact information for personnel and service providers that may be needed during a disaster recovery event.

a. The following conditions must be met for this plan to be viable:

i. All equipment, software, and data (or their backups/failovers) are available in some manner.

ii. If an incident takes place at the organization’s physical location, all resources involved in recovery efforts are able to be transferred to an alternate work site (such as their home office) to complete their duties.

iii. The Information Security Officer is responsible for coordinating and conducting a bi-annual (at least) rehearsal of this continuity plan.

b. This plan does not cover the following types of incidents:

i. Incidents that affect customers or partners but have no effect on the organization’s systems; in this case, the customer must employ their own continuity processes to make sure that they can continue to interact with the organization and its systems.

ii. Incidents that affect cloud infrastructure suppliers at the core infrastructure level, including but not limited to Google and Amazon Web Services (AWS).

The organization depends on such suppliers to employ their own continuity processes.

3.0 ELIGIBILITY

This policy is applicable to NEO, AWS, and Sub-Processors (SSAE18).

4.0 POLICY

This policy requires management to financially support and diligently attend to disaster recovery planning efforts. Disasters are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service will be considered.

DISASTER RECOVERY PLAN – A plan must be developed, reviewed annually, and tested periodically. The process for developing a Disaster Recovery Plan (with test scripts) is to conduct a Table-Top Exercise to simulate an event and walkthrough the process to declare and operate under a disaster declaration.

SUB-PROCESSORS:

• Amazon Web Services (AWS) – IT Infrastructure (EC2, API, RDS, S3, Redshift)
• Postmark – Email
• Pandadoc – Document Signing

a. The NEO Disaster Recovery Plan (DRP) must be reviewed and tested annually. Sub-processors may play a role in this annual event. The DRP will be stored in a repository for 24/7 access by NEO team members (call tree).

b. Relocation Team

i. If the organization’s primary work site is unavailable, an alternate work site shall be used by designated personnel.

iI. The personnel required to report to the alternate work site during a disaster includes

Australia – Martin Konrad
Poland – Szymon Fraszczak

c. Critical Services, Key Tasks and, Service Level Agreements (SLAs)

i. The following services and technologies are considered to be critical for business operations, and must immediately be restored (in priority order):

1. Internet
2. Network Security
3. AWS
4. Sub-Processors (as impacted)

ii. The following key tasks and SLAs must be considered during a disaster recovery event, in accordance with the organization’s objectives, agreements, and legal, contractual or regulatory obligations:

1. Availability
2. Security
3. Contract/MSA
4. Others – as necessary

d. The organization’s Recovery Time Objective (RTO) largely depends on the RTO provided by Amazon Web Services (AWS) – https://aws.amazon.com/disaster-recovery/

Note: Specific recovery steps for information systems infrastructure and services are provided in the Disaster Recovery Plan.

5.0 ROLES & RESPONSIBILITIES

Notification of Plan Initiation

i. The following personnel must be notified when this plan is initiated:

1. Martin Konrad – CEO
2. Szymon Fraszczak – VP of Engineering

ii. CEO is responsible for notifying the personnel listed above.

e. Plan Deactivation

i. This plan must only be deactivated by Martin Konrad and Szymon Fraszczak

ii. In order for this plan to be deactivated, all relocation activities and critical service/technology tasks as detailed above must be fully completed and/or restored.

If the organization is still operating in an impaired scenario, the plan may still be kept active at the discretion of Martin Konrad and Szymon Fraszczak

iii. The following personnel must be notified when this plan is deactivated:

1. Martin Konrad – CEO
2. Szymon Fraszczak – VP of Engineering

a. The organization must endeavor to restore its normal level of business operations as soon as possible.

b. A list of relevant points of contact both internal and external to the organization is enclosed in company contact book.

c. During a crisis, it is vital for certain recovery tasks to be performed right away.

The following actions are pre-authorized in the event of a disaster recovery event:

i. VP of Engineering must take all steps specified in this disaster recovery plan in order to recover the organization’s information technology infrastructure and services.

Ii. VP of Engineering is authorized to make urgent purchases of equipment and services up to
$10,000

iii. Head of Customer Success is authorized to communicate with clients.

iv. CEO is authorized to communicate with the public.

v. CEO is authorized to communicate with public authorities such as state and local governments and law enforcement.

• Specifically first are to contact the Police Departament (112 in Europe, 911 in the US)
• Federal Bureau of Investigation ( (304) 625-2000) https://ucr.fbi.gov/crime-in-the-u.s/2015/crime-in-the-u.s.-2015/resource-pages/contact-us/contact-us/
• If ot concerns EU data breach, as per GDPR art 33, notify EUROPEAN DATA PROTECTION SUPERVISOR https://edps.europa.eu/data-protection_en

6.0 COMPLIANCE

NEO will verify compliance with this policy through various methods, including but not limited to, periodic reviews, monitoring, and/or via audits.