Business Continuity
Onesurance safeguards the continuity of critical insurance services through redundant infrastructure, documented DR procedures and regular testing. Our business continuity programme is DORA-compliant and aligned with the requirements of the insurance industry.
Business Continuity at a Glance
- 95% uptime SLA — Guaranteed availability within the service window
- Daily backups — Full daily backups with 30-day retention
- Multi-AZ redundancy — Azure multi-zone deployment for high availability
- DORA-compliant — Meets Digital Operational Resilience Act requirements
Continuity Strategy
Onesurance maintains a multi-layered business continuity strategy designed to minimise the impact of disruptions and ensure rapid service restoration.
High Availability
Our infrastructure runs as an Azure multi-zone deployment within the West Europe region. This means our services are distributed across multiple physically separated data centres (Availability Zones). If one zone fails, the remaining zones automatically take over without any interruption to service delivery.
Backup Strategy
- Daily full backups — A complete backup of all critical systems and data is created every day
- 30-day retention — Backups are retained for a minimum of 30 days for point-in-time recovery
- Transaction log backups — Transaction logs are backed up every 10 minutes for minimal data loss
Disaster Recovery Procedures
All DR procedures are fully documented and tested annually. The DR plan covers scenarios for data loss, service outages and security incidents.
GRC Platform
Onesurance uses Eramba as its Governance, Risk and Compliance (GRC) platform. All business continuity plans, risks, controls and test results are centrally managed and monitored within this system.
Disaster Recovery Plan
Our DR plan outlines the procedures for restoring services following a disruption. The plan is tested annually and updated based on test results and evolving business requirements.
Backup Strategy (Detail)
| Type | Frequency | Retention | Description |
|---|---|---|---|
| Full backup | Daily | 30 days | Complete backup of all databases, configurations and application data |
| Differential backup | Every 24 hours | 30 days | Changes since the last full backup |
| Transaction log | Every 10 minutes | 30 days | Continuous transaction logs for point-in-time recovery |
Recovery Procedures
In the event of an Availability Zone failure, traffic is automatically redirected to the remaining zones. Azure Load Balancer detects the outage and reroutes traffic within seconds. No manual intervention is required for zone-level failover.
Thanks to transaction log backups every 10 minutes, the database can be restored to any point in time within the 30-day retention period. This minimises data loss in the event of accidental deletion, corruption or other incidents.
In the event of a complete service outage, the recovery process is initiated from the most recent backup. Infrastructure-as-Code enables the entire environment to be rebuilt from scratch. The target is to restore full service within 24 hours, with critical services within 4 hours.
Client Communication Plan
In the event of a disruption impacting clients, the following communication protocol is followed:
- Initial notification — Clients are informed of the disruption and its expected impact within 1 hour
- Status updates — Regular updates on recovery progress
- Post-incident report — After recovery, clients receive a full report covering root cause, impact and remediation measures
RTO & RPO Targets
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) define our recovery targets in the event of a disruption.
Recovery Time Objective (RTO)
| Service | RTO | Description |
|---|---|---|
| Critical services | <4 hours | Core functionality for insurance operations, including policy administration and claims processing |
| Full service | <24 hours | All functionality including reporting, dashboards and non-critical modules |
Recovery Point Objective (RPO)
Formal RPO: <24 hours
The formal RPO is set at less than 24 hours, in line with client SLA agreements and DORA requirements.
Effective RPO: ~10 minutes
Thanks to transaction log backups every 10 minutes, the actual data loss in the event of an incident is limited to approximately 10 minutes.
Service Window
Supported service window: Monday to Friday, 08:30 - 17:30 CET.
Monitoring continues outside the service window. Critical incidents (P1) are also handled outside business hours via the escalation protocol. Planned maintenance is performed outside the service window, with prior notification to clients.
Testing & Validation
The business continuity plan is regularly tested and validated to ensure its effectiveness. Test results are documented in Eramba and result in concrete improvement actions.
Annual DR Test
At least once a year, we conduct a full Disaster Recovery test. This involves an end-to-end run-through of the recovery process, including client validation of the restored environment.
Test Scenarios
Data Loss
Simulation of accidental deletion or data corruption. Testing of point-in-time recovery and verification of data integrity after restoration.
Service Outage
Simulation of a complete outage of one or more services. Testing of failover mechanisms and manual recovery procedures.
Security Incident
Simulation of a security incident affecting availability. Testing of coordination between the Incident Response Team and DR team.
Capacity Planning
- Quarterly review — Each quarter, the capacity of all systems is assessed based on current usage and growth projections
- Proactive scaling — When growth is anticipated, capacity is scaled up well in advance to prevent bottlenecks
Cloud Outage Response
In the event of an Azure platform outage, the escalation protocol is activated in under 15 minutes. The team monitors the Azure Service Health dashboard, communicates proactively with clients and initiates manual failover procedures if necessary.
Personnel Continuity
- Backup roles — For every critical function, at least one backup person is designated and trained
- Knowledge sharing — Procedures are documented so that backup personnel can operate independently
- Cross-training — Team members are regularly trained on tasks outside their primary role
Questions about Business Continuity?
Our Data Protection Officer is happy to assist with any questions about our continuity plans, DR procedures or availability guarantees.