logo

Policy

Business Continuity & Disaster Recovery Plan

Approved By: Chief Executive Officer

Document Owner: Chief Executive Officer / Operations Lead

Review Cycle: Annual and following any declared disaster or significant incident

Classification: Confidential (Restricted Distribution)

Note: This page provides a summary of our Business Continuity and Disaster Recovery practices. Detailed technical runbooks, contact information, and internal procedures are maintained separately for security purposes.

1. Purpose and Objectives

This Business Continuity and Disaster Recovery Plan (BCP/DRP) establishes the policies, procedures, roles, and responsibilities required to ensure that ManaKnight Digital Inc. ("ManaKnight Digital") can continue to deliver critical business functions and recover its technology systems and data in the event of a disruption, disaster, or emergency.

The objectives of this plan are to:

  • Minimize the impact of a disruptive event on ManaKnight Digital's operations, clients, and employees
  • Define clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems
  • Establish roles, responsibilities, and escalation paths for the Business Continuity Team (BCT)
  • Ensure continuity of client services during and after a disruptive event
  • Ensure timely and compliant notification of clients, regulators, and other stakeholders
  • Provide a tested, documented recovery procedure that can be executed under stress

2. Scope

This BCP/DRP applies to:

  • All ManaKnight Digital business functions, including client delivery, internal operations, and administrative functions
  • All technology systems, data, and infrastructure owned, operated, or managed by ManaKnight Digital
  • All employees, contractors, and third-party service providers with roles in continuity or recovery
  • Physical office location(s) and any alternative operating sites

3. Business Impact Analysis

A Business Impact Analysis was conducted to identify critical business functions and assess the potential impact of their disruption. The following prioritization reflects the findings of that analysis.

3.1 Critical Business Functions

System / Service Priority RTO RPO
Client project delivery & communication 1 - Critical 4 hours 1 hour
Company website (manaknightdigital.com) 1 - Critical 2 hours 24 hours
Email and collaboration tools 1 - Critical 2 hours 1 hour
Source code repository 2 - High 8 hours 1 hour
Client project environments / hosted services 2 - High 8 hours 4 hours
Financial systems 2 - High 24 hours 24 hours
HR and employee records 3 - Medium 72 hours 48 hours
Internal knowledge base / documentation 3 - Medium 72 hours 24 hours

4. Threat and Risk Scenarios

This plan addresses the following categories of disruptive events:

Scenario Description Likelihood Impact
Ransomware / Cyberattack Encryption of systems and data by threat actor High Critical
Cloud Provider Outage Primary cloud platform extended outage Medium High
Key Personnel Unavailability Critical staff unavailable due to illness or emergency Medium Medium-High
Office / Physical Site Loss Fire, flood, or forced evacuation of office Low Medium
Internet / Network Outage Loss of ISP connectivity at primary location Medium Medium
Third-Party Vendor Failure Critical SaaS or infrastructure vendor disruption Medium Medium
Data Breach / Data Loss Unauthorized access to or destruction of data Medium Critical

5. Business Continuity Team

The Business Continuity Team (BCT) is responsible for declaring a business continuity or disaster recovery event, coordinating response, and overseeing recovery. The BCT is activated by the CEO or delegate and includes representatives from:

  • BCT Commander (CEO): Overall coordination and decision-making authority
  • IT/Operations Lead: Technical recovery and infrastructure coordination
  • Development Lead: Application and code repository recovery
  • Client Communications Lead: Client notification and updates
  • Finance/Admin Lead: Financial systems and administrative functions
  • External IT Support: Third-party technical assistance as needed

6. Incident Declaration and Escalation

6.1 Declaring a BCP/DRP Event

A BCP/DRP event is declared when a disruption meets one or more of the following criteria:

  • A critical system or service is unavailable and cannot be restored within its standard RTO
  • A data loss event has occurred that exceeds the RPO for any Priority 1 or Priority 2 system
  • Physical access to the primary office is unavailable for a period expected to exceed 4 hours
  • A cyberattack has been confirmed that requires isolation or shutdown of production systems

6.2 Escalation Tiers

  • Tier 1 - Minor Disruption: Handled by IT/Operations without BCT activation; resolved within standard SLA
  • Tier 2 - Moderate Disruption: BCT Commander notified; BCT partially activated; plan sections executed as needed
  • Tier 3 - Major Disaster: Full BCT activation; all plan sections executed; executive communications initiated

7. Disaster Recovery Procedures

7.1 Ransomware / Cyberattack Response

  • Immediately isolate all affected systems from the network
  • Notify BCT Commander and IT Lead; convene BCT within 1 hour
  • Engage external IT/cybersecurity support and legal counsel
  • Assess the scope of infection/compromise using unaffected systems
  • Begin recovery from clean backups; validate integrity before restoration
  • Notify affected clients per communications plan
  • Notify applicable regulatory bodies if personal data was affected (PIPEDA 72-hour breach notification)
  • Conduct post-incident review within 5 business days

7.2 Cloud Provider / Infrastructure Outage

  • Confirm outage scope by consulting cloud provider status pages and monitoring
  • Notify affected clients with estimated impact and current ETA
  • If outage exceeds RTO, initiate failover to secondary region or alternative provider
  • Validate data integrity upon restoration
  • Document incident and review provider SLA

7.3 Office / Physical Site Loss

  • Activate remote work protocol immediately
  • Confirm all staff are safe and accounted for
  • Assess expected duration of site unavailability
  • Confirm all critical business operations are maintained via remote systems
  • Assess and document any hardware, equipment, or data losses

8. Data Backup and Recovery

8.1 Backup Strategy

ManaKnight Digital follows a 3-2-1 backup strategy for all critical systems and data:

  • 3 copies of data maintained at all times
  • 2 different storage media or environments
  • 1 copy maintained offsite or in a geographically separate cloud region

8.2 Backup Schedule

Data Asset Frequency Retention Tested
Client project files Continuous / Daily 90 days Quarterly
Source code repositories Continuous (Git) Indefinite Quarterly
Email and calendar data Real-time Per vendor policy Semi-annual
Financial records Daily 7 years Semi-annual
Company website & databases Daily 30 days Quarterly

8.3 Backup Restoration

  • Backup restoration procedures must be documented and tested at least quarterly
  • Restoration tests must validate both technical success and data integrity
  • Results of all restoration tests must be logged and reviewed
  • Encryption keys for backup data must be stored securely and separately

9. Communications Plan

9.1 Internal Communications

Upon declaration of a BCP/DRP event, the BCT Commander initiates an all-staff notification via:

  • Primary channel: Internal messaging platform (Slack/Teams)
  • Secondary channel: Direct phone/SMS to all staff
  • Tertiary channel: Personal email to all staff

9.2 Client Communications

The Client Communications Lead is responsible for notifying affected clients:

  • Initial notification: Within 2 hours of declaring a BCP/DRP event
  • Updates: Every 4 hours until service is restored
  • Resolution notification: Upon confirmed restoration of all affected services

9.3 Regulatory Notification

ManaKnight Digital will notify applicable regulatory authorities as required by law:

  • PIPEDA: Where a data breach poses a real risk of significant harm, notification to the Office of the Privacy Commissioner of Canada and affected individuals is required as soon as feasible
  • Provincial privacy legislation: Notification requirements per applicable provincial law

10. Plan Testing and Maintenance

10.1 Testing Requirements

The BCP/DRP must be tested at least annually to ensure its effectiveness:

  • Tabletop Exercise (Annual): BCT walks through a simulated scenario to review roles, decisions, and gaps
  • Backup Restoration Test (Quarterly): IT team restores selected systems or data sets from backup and validates integrity
  • Communication Drill (Semi-annual): BCT tests internal and client communication channels
  • Full Simulation (Biennial): Full end-to-end test of a specific disaster scenario including recovery procedures

10.2 Plan Maintenance

This BCP/DRP must be reviewed and updated:

  • Annually (minimum), in Q1 of each calendar year
  • Following any declared BCP/DRP event or material incident
  • Upon significant changes to technology infrastructure, personnel, or business operations
  • Upon identification of new material risks in the Business Impact Analysis

Approved by: Ryan, Chief Executive Officer, ManaKnight Digital Inc.
Date: May 5, 2026