Skip to content

Appcircle Business Continuity and Disaster Recovery Policy

Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)

Purpose

This policy establishes Appcircle's approach to maintaining the continuity of critical business functions and recovering from major adverse events that threaten operations, services, or data. It ensures Appcircle can continue to provide services to customers, support employees, and sustain critical operations in the face of disruptive events including natural disasters, political disturbances, security incidents, third-party service failures, and loss of key personnel.

This policy operates alongside the Disaster Recovery Plan and Incident Response Plan, which governs the identification and response to individual security and operational incidents.

Scope

This policy applies to:

  • All critical business functions, systems, and services operated by Appcircle.
  • All personnel with responsibilities related to incident response or business continuity.
  • Third-party service providers whose availability materially affects Appcircle's ability to deliver services.

Key definitions

  • Business Continuity Plan (BCP): The documented plan for maintaining critical business functions during and after a major adverse event.
  • Disaster Recovery (DR): The process of restoring systems, data, and infrastructure to normal operation following a major disruption.
  • Recovery Time Objective (RTO): The maximum acceptable period during which a business function may be unavailable before causing material harm.
  • Emergency Response Team (ERT): The group of personnel responsible for activating and coordinating business continuity and disaster recovery activities.

Business impact analysis

Appcircle maintains a business impact analysis (BIA) that identifies critical business functions, the systems and people that support them, and the consequences of their unavailability. Recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined for each critical function and system component.

Technical recovery objectives, detailed recovery procedures, and infrastructure-level RTO/RPO targets are documented in the Disaster Recovery Plan.

Continuity planning

Infrastructure resilience

Appcircle's production infrastructure is hosted on Google Cloud Platform (GCP). Continuity planning for infrastructure includes:

  • Multi-region backup arrangements for key data and services to ensure recoverability in the event of a localised GCP outage.
  • Failover strategies leveraging GCP features to minimise downtime.
  • Monitoring of GCP service health and SLAs; direct communication channels with Google Cloud support for critical incidents.

Remote working

Appcircle operates a predominantly remote-first workforce. Security practices and tooling are designed to support effective remote working during any disruption, ensuring that information security requirements continue to be met when employees work outside standard environments.

Backup arrangements

Critical data and systems are backed up regularly to separate and secure locations. Backup arrangements are reviewed to ensure single points of dependency are identified and mitigated, and that key security requirements remain in place during recovery.

Information security continuity

Business continuity planning incorporates information security considerations at every stage:

  • Incident response plans are designed to remain operational during major disruptions.
  • Security controls are not degraded during recovery activities unless explicitly assessed and approved.
  • Security requirements are addressed in all continuity and recovery procedures.

Emergency Response Team

An Emergency Response Team is established to manage major incidents and activate the BCP when required. The ERT is responsible for:

  • Determining when the BCP is applicable and should be enacted.
  • Coordinating technical response, stakeholder communication, and service restoration.
  • Providing regular updates to leadership and affected parties during a major event.
  • Conducting retrospective review following resolution.

ERT contact details and roles are maintained in internal documentation.

Stakeholder communications

During a major adverse event, the ERT ensures timely and clear communication to all relevant stakeholders. Company-wide communications are coordinated through approved internal channels. All major communications are documented for retrospective review.

Annual testing

Business continuity plans are tested at least annually to verify their effectiveness. Testing methods may include:

  • Desk-based walkthroughs with key stakeholders.
  • Tabletop exercises using hypothetical scenarios.
  • Simulation of specific response procedures.
  • Communication and awareness checks.

Findings from testing are used to update plans and address identified gaps.

Roles and responsibilities

  • Engineering Management (Policy Owner): Accountable for this policy; determines when the BCP is enacted; ensures readiness, testing, and communication.
  • Engineering / Platform / Operations: Implements and tests continuity and recovery procedures; coordinates technical response during activations.
  • All personnel: Maintain awareness of the BCP; ensure personal readiness to work remotely if required; follow ERT directives during major events.

Regulatory alignment

This policy supports compliance with:

  • SOC 2 (Trust Services Criteria — Availability)
  • ISO/IEC 27001:2022 (A.5.29–A.5.30 Information security continuity)
  • GDPR (Article 32 — Security of processing, including resilience)
  • KVKK (Article 12 — Data security obligations)

Exceptions

Exceptions to this policy must be:

  • Documented with justification, scope, duration, and compensating controls.
  • Approved by the policy owner or an authorised delegate.
  • Reviewed before expiry and retired when no longer required.

Policy review and updates

This policy is reviewed at least annually and following significant incidents, infrastructure changes, or changes to regulatory requirements.

Note

This public policy describes Appcircle's business continuity and disaster recovery posture at a high level. Detailed internal plans (including specific recovery procedures, ERT contact lists, system-level failover configurations, and backup schedules) are maintained separately and may be shared under appropriate agreements when required.

  • Information Security Policy
  • Incident Response Plan
  • Network Security Policy
  • Change Management Policy
  • Logging and Monitoring Policy
  • Vendor Management Policy
  • System Access Control Policy