Business continuity plan #
Effective date: 2026-05-21 Last reviewed: 2026-05-21 Next review: 2027-05-21 Owner: Yaroslav Shmarov, operator Version: 1.0
This document states what EthicsPortal does when the Service, a sub-processor, or the operator themselves becomes unable to deliver the Service at the level customers depend on. It is the named plan referenced by the Information security policy §6 and by the ISO/IEC 27001:2022 Annex A control map for controls A.5.29–A.5.30.
The recovery outcomes this plan produces (recovery point objective, recovery time objective, monthly availability target) are stated in the Service level agreement . This page states the process that produces them.
1. Scope and objectives #
This plan covers continuity of the EthicsPortal Service in the event of:
- An infrastructure failure affecting the application host, database, file storage, or transactional email pipeline
- A sub-processor outage that degrades a covered surface (Subprocessors )
- A security incident requiring a covered surface to be taken offline
- Operator incapacity, prolonged unavailability, or business cessation
The continuity objectives, in order of priority, are:
- Preserve the confidentiality and integrity of personal data already in the system. The reporter portal will be taken offline rather than continue to operate in a degraded confidentiality state.
- Restore reporter access to existing cases (status, messaging, follow-up) so that protected reporting under EU Directive 2019/1937 is not silently interrupted.
- Restore handler and admin access to case management.
- Restore the marketing site and documentation surfaces.
2. Recovery objectives #
| Objective | Target | Surface |
|---|---|---|
| Recovery point objective (RPO) | 24 hours | Reporter portal, handler portal |
| Recovery time objective (RTO) | 4 hours | Reporter portal, handler portal |
| Monthly availability target | 99.5% | Reporter portal, handler portal |
Marketing and documentation surfaces are best-effort and are not covered by an availability target.
Backup mechanism, storage location, retention, and restore-testing cadence are documented at Security#backups-and-restore . The most recent restore drill date is published on the same page.
3. Activation triggers #
The continuity process is activated when any of the following is observed:
- The reporter portal or handler portal is unreachable for more than 15 minutes, confirmed by external monitoring
- A sub-processor reports an outage that affects a covered surface
- A security incident is suspected or confirmed, including a credible report from external researchers
- A personal data breach is suspected (Art. 4(12) GDPR definition)
- The operator becomes unable to access production systems for any reason exceeding 4 hours
Activation does not require a formal declaration — the trigger conditions automatically open the response process.
4. Decision authority #
The operator (Yaroslav Shmarov) is the sole decision authority for:
- Taking a covered surface offline
- Initiating a restore from backup
- Notifying affected controllers of a personal data breach under DPA §6.6
- Creating an entry in the incident register
- Engaging additional sub-processors or alternative infrastructure on an emergency basis
Decisions are recorded in a written incident log retained for audit purposes.
5. Customer communication #
| Event | Channel | Timing |
|---|---|---|
| Active outage on a covered surface | Live status indicator at secure.ethicsportal.eu/up ; email to organization admins for material outages | Within 60 minutes of detection |
| Personal data breach | Direct email to affected controllers | Within 72 hours of awareness, per DPA §6.6 |
| Material incident (post-containment) | Preliminary entry in incident register | Within 7 days of containment |
| Material incident (final disclosure) | Final entry in incident register | Within 30 days of containment |
| Planned maintenance | Status page and (where it affects business hours) admin email | At least 48 hours in advance |
Communications go to the organization-administrator contact on file. Controllers are responsible for keeping their administrator contact information current.
6. Restore procedure (summary) #
When a database or full-system restore is required:
- The operator declares the incident, takes the covered surface offline if not already down, and freezes write traffic.
- The most recent encrypted database dump is retrieved from Hetzner Object Storage (Nuremberg, EU; 7-day retention).
- The dump is restored into a fresh database instance and integrity-checked.
- The application host is rebuilt from a current Kamal deployment configuration; if the host itself is lost, a Hetzner server-level snapshot (7-day retention) is the fallback.
- The covered surfaces are brought back online incrementally, with the reporter portal restored before the handler portal where they are independently recoverable.
- The event is logged to the incident register if it meets the register’s scope criteria.
The full restore mechanism, storage locations, retention, and drill cadence are documented at Security#backups-and-restore . A restore drill is executed into a disposable environment at least quarterly.
7. Sub-processor failure #
The Service depends on the sub-processors listed on the Subprocessors page. Continuity posture for each:
| Sub-processor | Function | Continuity response |
|---|---|---|
| Hetzner (DE) | Application host, database, file storage | Restore from off-host backup (database dump in Hetzner Object Storage; server-level snapshots). For prolonged Hetzner outage, the application is portable to another EU-based provider; cutover would be coordinated with affected controllers and disclosed in the incident register . |
| Mailjet (FR) | Transactional email | Handler notifications are delayed during a Mailjet outage; the in-app surface remains functional. No data is lost. |
| Stripe (IE) | Subscription billing | Billing functions are interrupted; the Service itself continues to operate. |
| Cloudflare (US) | Marketing-site CDN | Marketing site degrades to direct origin or is unreachable; reporter and handler portals are not affected (they do not load Cloudflare). |
| AppSignal (NL) | Error and performance monitoring | Loss of telemetry; no customer-facing impact. |
| Crisp (FR) | Handler-portal chat | Loss of in-app chat for handlers; not present on reporter portal, no reporter-side impact. |
Sub-processor outage affecting a covered surface counts against the SLA target.
8. Operator-incapacity protocol #
Current state. A formal operator-incapacity protocol — a named legal contact holding emergency credentials with authority to notify customers and execute a controlled wind-down — is in treatment (see Risk register R-01 ). This section states what is in place today, openly, so that controllers can assess the risk and plan accordingly.
What is in place today:
- Self-service data export. Every organization admin can produce a full PDF case export from within the Service for any case at any time. This does not require operator intervention and continues to function for as long as the Service is reachable. Self-service export is the primary continuity guarantee against operator unavailability.
- Customer rights under the DPA. DPA §6.8 gives the controller the right to receive or delete all personal data on subscription termination. These rights are enforceable independent of the operator’s availability.
- Cloud-hosted infrastructure on standard providers. The Service runs on Hetzner using Kamal deployment configuration that is portable to an alternative operator. A third party with access to the deployment configuration and customer authorization could, in principle, take over operation.
What is not yet in place:
- A named legal contact or law firm holding emergency credentials and notification authority
- A pre-arranged escrow of deployment credentials with a third party
- A pre-arranged customer-notification mechanism that operates without the operator
Planned addition. A formal protocol with a named legal contact and pre-arranged customer-notification authority is on the operator’s roadmap. When in place, this section will be updated to name the contact, the trigger conditions, and the authority granted. The change will be reflected in this plan’s version number and effective date.
Controllers concerned about this gap are encouraged to:
- Take regular self-service exports of active cases for local archival
- Configure organization-admin contacts redundantly (more than one admin per organization)
- Raise the question during procurement review; bespoke arrangements may be available on enterprise terms
This honest disclosure is itself a control: a controller that knows the limit can plan around it. A controller that assumes a protocol exists and discovers later that it does not is materially worse off.
9. Plan testing #
| Test | Cadence | Last performed |
|---|---|---|
| Database restore drill into disposable environment | Quarterly | See Security#backups-and-restore |
| Failover walk-through (paper exercise) | Annual | 2026-05 |
| Sub-processor outage tabletop | Annual | 2026-05 |
| Operator-incapacity tabletop | Deferred pending formal protocol | — |
Test results inform the risk register and any required updates to this plan.
10. Document control #
| Field | Value |
|---|---|
| Document title | EthicsPortal Business Continuity Plan |
| Version | 1.0 |
| Effective date | 2026-05-21 |
| Last reviewed | 2026-05-21 |
| Next scheduled review | 2027-05-21 |
| Review trigger (interim) | Formalization of the operator-incapacity protocol, addition or change of a sub-processor that affects continuity, material restore-drill outcome, material change to the risk register |
| Owner | Yaroslav Shmarov, operator |
| Distribution | Published on ethicsportal.eu/policies/ |
Signed: Yaroslav Shmarov, on behalf of EthicsPortal — 2026-05-21.
Last updated: