Backup & Recovery
SecureHive handles backup and disaster recovery at the platform level so your team can focus on security operations, not infrastructure. This page explains how your data is protected, what recovery options are available, and what your responsibilities are.
Platform-managed backups
SecureHive automatically backs up all tenant data on a continuous schedule. No admin configuration is required — backups are included with every subscription tier.
| Component | Backup method | Frequency | Retention |
|---|---|---|---|
| Database (MongoDB) | Automated snapshots | Continuous (point-in-time) | 30 days |
| Document storage (S3) | Versioned object storage | On every write | 90 days |
| Configuration data | Snapshot with database | Continuous | 30 days |
| Audit logs | Append-only archive | Continuous | Per subscription tier |
All backups are encrypted at rest using AES-256 and in transit using TLS 1.2+. Backup storage is geographically separated from primary data stores.
Recovery Point Objective (RPO)
The Recovery Point Objective defines the maximum acceptable data loss in a disaster scenario.
| Tier | RPO | Description |
|---|---|---|
| Standard | < 1 hour | Continuous database snapshots with sub-hour granularity |
| Enterprise | < 15 minutes | Enhanced point-in-time recovery with higher snapshot frequency |
Recovery Time Objective (RTO)
The Recovery Time Objective defines the maximum acceptable downtime during a recovery event.
| Tier | RTO | Description |
|---|---|---|
| Standard | < 4 hours | Full platform restoration from latest snapshot |
| Enterprise | < 1 hour | Priority recovery with dedicated support |
What is backed up
SecureHive backs up all tenant data including risk registers, assessments, and scoring data, policies, acknowledgment campaigns, and version history, vendor profiles, questionnaires, and responses, compliance frameworks, controls, and evidence, integration configurations and sync state, user accounts, roles, and permissions, audit log entries and system event history, and uploaded documents and attachments.
What is not backed up
Certain data is not included in platform backups: cached data and temporary session state (reconstructed automatically), external system data such as JIRA tickets and SIEM logs (these live in your connected tools), and API tokens and client secrets (these must be regenerated if a recovery event occurs).
Data export
Administrators can export tenant data on demand for offline archival or migration purposes.
| Export type | Format | How to access |
|---|---|---|
| Risk register | CSV, Excel | Risk & Assurance → Risk Register → Export |
| Policies | PDF, Word | Policy & Authority → Policies → Export |
| Vendor assessments | CSV, PDF | External Trust → Assessments → Export |
| Compliance evidence | ZIP archive | Risk & Assurance → Compliance → Export |
| Audit logs | CSV, JSON | Settings → System Monitoring → Audit Log → Export |
| Full tenant export | JSON archive | Contact support for full data export |
Exported data may contain sensitive information. Handle exports according to your organization’s data classification and handling policies.
Disaster recovery
SecureHive’s infrastructure is deployed on AWS with built-in redundancy. The disaster recovery architecture includes multi-availability-zone deployment for high availability, automated failover for database and application tiers, geographic backup replication for data durability, and infrastructure-as-code for rapid environment reconstruction.
In the event of a regional outage, SecureHive’s operations team initiates recovery procedures and communicates status updates through the platform status page and direct email to tenant administrators.
Your responsibilities
While SecureHive manages platform-level backup and recovery, administrators should periodically export critical data (risk registers, policies) for offline retention, document your organization’s recovery requirements and communicate them to your account representative, maintain current contact information so SecureHive can reach you during incidents, and test data exports to ensure they are complete and usable.
Best practices
Export your risk register and policy library quarterly as an offline safety net. Document which external systems are connected to SecureHive and how they would need to be reconnected after a recovery event. Keep your account representative informed of any regulatory requirements around data retention or residency. Review the System Monitoring page for proactive health tracking.