Data Export & Backups
In summary
Data export and backup oversight: tenant exports on demand with seven-day signed URLs, scheduled daily platform-wide snapshots retained 30 days and stored cross-region, point-in-time restore at tenant scope that preserves cross-tenant integrity, an automated weekly backup-verify job that restores into sandbox and runs a sanity-check suite, and a data-residency summary generated from infrastructure config so regulators get a one-page answer.
How it works
Data Export & Backups closes the loop on data durability claims so an auditor can be shown evidence rather than promises. Tenant export on demand queues an async job, packages all tenant documents and uploads, and produces a signed download URL that expires in seven days; the same machinery powers F21.05's tenant export and F21.13's GDPR fulfilment, but here it is exposed as a generic operator action. Platform-wide snapshots run as a scheduled daily job, retain the last 30 days, and write to the disaster-recovery storage account in a separate region.
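The seven-day signed download URL is the security-relevant piece of the export flow: the link itself is the credential, so it must be bound to the tenant and object it was issued for and must stop working when the window closes. The following is an added illustration, not code from the platform described on this page; it assumes an HMAC-SHA256 scheme over the object path, tenant id and expiry (the page does not state how its URLs are signed), and the key, base URL and paths are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
EXPORT_URL_TTL_SECONDS = 7 * 24 * 3600  # seven-day validity, as the page states


def _canonical(path: str, tenant_id: str, expires: int) -> bytes:
    # Everything the server wants to bind: object path, owning tenant, expiry.
    return f"{path}\n{tenant_id}\n{expires}".encode()


def sign_export_url(base: str, path: str, tenant_id: str, now: int,
                    key: bytes = SIGNING_KEY) -> str:
    """Issue a download URL for an export package that expires after the TTL."""
    expires = now + EXPORT_URL_TTL_SECONDS
    sig = hmac.new(key, _canonical(path, tenant_id, expires), hashlib.sha256).hexdigest()
    query = urlencode({"tenant": tenant_id, "expires": expires, "sig": sig})
    return f"{base}{path}?{query}"


def verify_export_url(url: str, now: int, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before expiry so that a
    client cannot extend the window by editing the expires parameter."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        tenant_id = q["tenant"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = hmac.new(key, _canonical(parsed.path, tenant_id, expires),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad-signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    link = sign_export_url("https://exports.example.invalid",
                           "/exports/tenant-a/export-001.zip", "tenant-a", issued_at)
    print(link)
    print(verify_export_url(link, issued_at))                              # (True, 'ok')
    print(verify_export_url(link, issued_at + EXPORT_URL_TTL_SECONDS))     # (False, 'expired')
```

Because the path and tenant are part of the signed material, swapping either in the URL invalidates it, and the check order means an expired link reports as expired only when its signature is genuine.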
Point-in-time restore at tenant scope is the surgical option: pick a tenant, pick a timestamp, and the operation restores that tenant only while preserving cross-tenant integrity (foreign keys to other tenants are reconciled rather than blindly overwritten). The weekly backup-verify job is the trust anchor for the backup contract: every Sunday it picks a recent snapshot, restores it into a clean sandbox tenant, runs a defined sanity-check suite (row counts, hash integrity on critical collections, a sample login, a sample read), and records the result. A failure pages security and opens a SEV2; a success appends to the integrity log that auditors can review.
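The weekly backup-verify job only earns trust if its sanity-check suite can actually tell a good restore from a damaged one. Below is an added example, not the platform's own verify job, of the four checks the page lists (row counts, hash integrity on critical collections, a sample login, a sample read) run against a restored sandbox copy, with the outcome routed to either a SEV2 or an integrity-log append. The manifest format, collection names and records are constructed for the example; the digest is order-independent so that restore order does not cause false alarms.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

# Constructed: collections whose contents are hashed, not just counted.
CRITICAL_COLLECTIONS = ("users", "documents")

# Constructed sample of what a tenant's data might look like at snapshot time.
SOURCE = {
    "users": [
        {"id": 1, "email": "alice@example.invalid", "status": "active"},
        {"id": 2, "email": "bob@example.invalid", "status": "disabled"},
    ],
    "documents": [{"id": 10, "owner": 1, "body": "quarterly report"}],
    "audit": [{"id": 100, "event": "login", "user": 1}],
}


def collection_digest(rows: list[dict]) -> str:
    """SHA-256 over the sorted per-row hashes of canonical JSON (order-independent)."""
    row_hashes = sorted(
        hashlib.sha256(json.dumps(r, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
        for r in rows
    )
    return hashlib.sha256("".join(row_hashes).encode()).hexdigest()


def snapshot_manifest(data: dict[str, list[dict]]) -> dict:
    """Recorded alongside the snapshot: counts for every collection, digests for critical ones."""
    return {
        "counts": {name: len(rows) for name, rows in data.items()},
        "digests": {name: collection_digest(data[name])
                    for name in CRITICAL_COLLECTIONS if name in data},
    }


def sample_login(restored: dict[str, list[dict]]) -> bool:
    # Stand-in for "a sample login": at least one active user must be present.
    return any(u.get("status") == "active" for u in restored.get("users", []))


def sample_read(restored: dict[str, list[dict]]) -> bool:
    # Stand-in for "a sample read": a document must be present and readable.
    docs = restored.get("documents", [])
    return bool(docs) and "body" in docs[0]


@dataclass
class VerifyResult:
    passed: bool
    failures: list[str] = field(default_factory=list)
    action: str = ""   # "append-integrity-log" or "open-sev2"


def run_sanity_suite(manifest: dict, restored: dict[str, list[dict]]) -> VerifyResult:
    """Compare the sandbox restore against the manifest and decide what happens next."""
    failures: list[str] = []
    for name, expected in manifest["counts"].items():
        actual = len(restored.get(name, []))
        if actual != expected:
            failures.append(f"row-count:{name}:{expected}!={actual}")
    for name, expected in manifest["digests"].items():
        if collection_digest(restored.get(name, [])) != expected:
            failures.append(f"hash:{name}")
    if not sample_login(restored):
        failures.append("sample-login")
    if not sample_read(restored):
        failures.append("sample-read")
    # Failure pages security and opens a SEV2; success goes to the auditor-facing log.
    return VerifyResult(not failures, failures, "open-sev2" if failures else "append-integrity-log")


if __name__ == "__main__":
    manifest = snapshot_manifest(SOURCE)
    print(run_sanity_suite(manifest, SOURCE))
    damaged = {**SOURCE, "documents": [{"id": 10, "owner": 1, "body": "tampered"}]}
    print(run_sanity_suite(manifest, damaged))
```

A silently corrupted row changes the digest without changing the count, which is why the page pairs row counts with hash integrity rather than relying on counts alone.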
Data-residency summary enumerates which collections live in which Azure region, with the regulatory rationale for each, so a federation asking "where is my data?" gets a one-page answer instead of a guessing game. The summary is generated from infrastructure config rather than asserted by hand, so a region change in `infrastructure/` is automatically reflected.
Key capabilities
- On-demand tenant export with signed 7-day URL
- Daily platform-wide snapshot retained 30 days, cross-region
- Tenant-scoped point-in-time restore preserving cross-tenant integrity
- Weekly backup-verify: restore into sandbox + sanity-check suite + integrity log
- Data-residency summary generated from infrastructure config (collection × region × rationale)
In practice
A federation contract terminates and they request a full data export. The operator opens the tenant detail, runs export, and emails the signed URL when the job completes. Two months later a SOC 2 auditor asks for proof that backups are tested; the operator opens the backup-verify history, exports the integrity log, and shows the auditor the most recent successful weekly restore.
A regulator from a third country asks where citizens' data lives; the operator hands them the data-residency summary, which enumerates each collection with its region and rationale. No screenshots, no spreadsheets — the surface is the evidence.
Features of this subsystem
| ID | Status | Features |
|---|---|---|
| F21.19.01 | Delivered | Tenant export on demand — queued async job, produces signed download URL, expires in 7 d. ✅ PL-T139 |
| F21.19.02 | Delivered | Platform-wide snapshot — scheduled daily full backup, retained 30 d. Implemented (PL-T139) |
| F21.19.03 | Delivered | Point-in-time restore (tenant scope) — restore a single tenant to a timestamp, preserving cross-tenant integrity. Implemented (PL-T139) |
| F21.19.04 | Delivered | Backup verification — automated weekly restore-to-sandbox test. Implemented (PL-T139) |
| F21.19.05 | Delivered | Data-residency summary — which data lives in which region, for regulatory reviews. Implemented (PL-T139) |
| F21.19.06 | Delivered | Continuity export pipeline — daily snapshot + hourly delta to tenant-controlled S3/SFTP, PGP/age-encrypted with tenant-managed keys, weekly fetch-back verify, stop-on-cancellation. ✅ PL-T227 |
| F21.19.07 | Delivered | Source-code escrow pipeline — a semver release trigger builds a deterministic deployment bundle (api/admin/app/web/www/sys/iac/runbooks), seals it with age multi-recipient encryption, delivers it via SFTP to NCC Group + Iron Mountain, and records it in an append-only EscrowDeposit ledger via HMAC callback. Manual-deposit view for out-of-band hot-fixes (sys_security + fresh-auth). A 90-day gap opens a SEV2 incident; quarterly drill via SEV3 incident. Composite /sys/escrow/status view with latest deposit, per-provider summary, quarterly coverage, federation-tier tenants, trigger-events checklist. ✅ PL-T228 |
| F21.19.08 | Delivered | Wind-down commitment + funded reserve — four-language (sv/en/fr/es) clause versioning with SHA-256 audit-hash chain (canonical English source), per-tenant WindDownReserve (deposit or insurance) with target = 12 × monthly_cost and auto-flip to short when < 80 %, 2-of-N co-sign + fresh-auth for release/return, quarterly drill (tabletop/partial_dry_run/full_dry_run) with outcome + findings, composite /sys/wind-down/readiness view aggregating reserve status + continuity-export freshness (PL-T227) + escrow-drift (PL-T228) + clause attachment + drill status into green/yellow/red. Stripe webhook payment_intent.succeeded with metadata.purpose=wind_down_deposit triggers mark_funded. 5 cron jobs: target-recompute (daily), verification-reminder (30 d), readiness-monthly-report, drill-reminder-quarterly (SEV3 if > 90 d), clause-audit-hash-check (SEV1 on mismatch). ✅ PL-T229 |
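F21.19.08 ties each clause version to its predecessor with a SHA-256 audit-hash chain over the canonical English source and treats any mismatch as a SEV1. The block below is an added example of that mechanism, not the project's own implementation: it assumes each link hashes the version label, the English text and the previous link's hash, and that the periodic check walks the chain from a genesis value. Version labels and clause texts are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # assumed anchor for the first clause version


@dataclass(frozen=True)
class ClauseVersion:
    version: str
    text_en: str     # canonical English source; translations are not part of the hash
    prev_hash: str
    audit_hash: str


def _compute_hash(version: str, text_en: str, prev_hash: str) -> str:
    # Canonical JSON so that key order or whitespace cannot change the hash.
    payload = json.dumps({"version": version, "text_en": text_en, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_version(chain: list[ClauseVersion], version: str, text_en: str) -> list[ClauseVersion]:
    """Return a new chain with the version appended and linked to the last audit hash."""
    prev = chain[-1].audit_hash if chain else GENESIS
    return chain + [ClauseVersion(version, text_en, prev, _compute_hash(version, text_en, prev))]


def check_chain(chain: list[ClauseVersion]) -> tuple[str, str]:
    """Walk the chain; return ("ok", "") or ("SEV1", reason) on the first defect found.

    Two distinct failures are detected: a link whose prev_hash does not match the
    preceding entry (an entry was removed or reordered) and an entry whose stored
    audit_hash no longer matches its contents (the text was edited in place)."""
    prev = GENESIS
    for i, v in enumerate(chain):
        if v.prev_hash != prev:
            return "SEV1", f"link broken at index {i} ({v.version})"
        if _compute_hash(v.version, v.text_en, v.prev_hash) != v.audit_hash:
            return "SEV1", f"hash mismatch at index {i} ({v.version})"
        prev = v.audit_hash
    return "ok", ""


if __name__ == "__main__":
    chain = append_version([], "1.0", "The provider commits to an orderly wind-down.")
    chain = append_version(chain, "1.1", "The provider commits to a funded, orderly wind-down.")
    print(check_chain(chain))   # ('ok', '')
    edited = [chain[0], ClauseVersion("1.1", "edited text", chain[1].prev_hash, chain[1].audit_hash)]
    print(check_chain(edited))  # ('SEV1', 'hash mismatch at index 1 (1.1)')
```

Storing the chain append-only and re-running check_chain on a schedule is what turns the clause history into evidence: an in-place edit or a dropped version cannot be made without breaking a hash somewhere in the walk.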