Cloud reliability and business continuity

Board has a well-defined Governance System for Information Security. This system has been defined in accordance with the rules and criteria provided by industry best practices and international reference standards (ISO). An Information Security Management System created by Board also includes aspects of business continuity (as required by ISO A.17: information security aspects of business continuity management) to ensure the availability and integrity of the service and any data stored within.

To remain compliant with such requirements, the company has implemented and follows the controls, best practices, and procedures detailed below:

• Data event: a procedure to guarantee continuity and prevent data loss through the backup/restore strategies.

• System event: controls and procedures that guarantee service continuity and restoration in case of failure.

• Procedure and policy: monitoring policies and procedures are in place for addressing events relating to outages of critical services or data requiring immediate action. The monitoring system supervises the system health by analyzing both data and system events such as network capacity, hardware performance/failure.

Data redundancy

Board’s officially supported Azure regions ensure data redundancy by using availability zones or paired regions in the same geography.

Azure availability zones are designed to provide high availability and disaster recovery.  Within an Azure region, Azure guarantees that availability zones are separated far enough from one another to ensure that a failure in one zone does not affect the others, each with independent power, cooling, and networking.

Each region has multiple availability zones, which are made up of multiple datacenters far enough apart to protect applications from datacenter-level failures, such as power outages, floods, or fires, but close enough to provide low-latency connections.

Customer data located on the dedicated encrypted storage accounts is continuously replicated to ensure durability and high availability. The in-place replications create copies of data to protect from planned and unplanned events, including but not limited to transient hardware failures, network or power outages, and massive natural disasters. Data is constantly maintained with at least two healthy replicas.

In addition, system restore points of every customer environment are geographically replicated to guarantee cross-regional disaster recovery.

Board service redundancy policies and controls

Each customer has a dedicated environment which includes a pool of computing resources and storage areas.

Redundancy and availability of the resources pool is guaranteed through a multi-layer redundant architecture. All data associated with Disaster Recovery (customer data, configuration data, and environment settings are necessary to restore the full service) is organized in two layers:

Datacenter layer

All infrastructure data, as in environment configurations, settings, and resource images, are stored on a dedicated storage which is locally redundant and geo-redundant.

Instance layer

For each platform, a full backup is performed once a day with two types of retention policies, explained in the following section under Data backups.

Data backups

Automated and full data backups are automatically performed for each Board instance once a day with the following retention policy:

• last 15 days rolling with a snapshot of the entire instance

• last 3 months rolling with a snapshot of the entire instance taken on the first day of the month

The daily backups policy described above is intended solely for disaster recovery purposes and not available to the end users. Customers should perform their own backups using Board’s self-service backup feature to fulfill their data protection policy according with their applications and business use cases lifecycles.

Business Impact Analysis (BIA)

Business continuity is guaranteed through a series of measures, such as the adoption of technologies, tools, and processes to manage any disasters in the shortest possible time, ensuring that the service is always available and working in any type of situation.

In order to identify and apply all countermeasures aimed at eliminating or reducing potential threats to business continuity and to ensure the highest level of security and integrity, Board has conducted a Business Impact Analysis (BIA) and a risk assessment following a standardized and structured methodological approach.

This enables the identification of services that are vital for keeping the SaaS service running and available even in the case of catastrophic and unexpected events.