Skip to content

Business Continuity Plan

Breakout Learning Inc.


Purpose

This policy establishes procedures to recover Breakout Learning Inc. following a disruption, in conjunction with the Disaster Recovery Plan.


Policy

Breakout Learning Inc. requires the following for business continuity:

  • A plan and process for business continuity, including the backup and recovery of systems and data, must be defined and documented.
  • The Business Continuity Plan must be simulated and tested at least once a year. Metrics will be measured, and identified recovery enhancements will be documented to improve the process.
  • Security controls and requirements must be maintained at primary and backup sites during all Business Continuity Plan activities.

Roles and Responsibilities

This policy is maintained by the Breakout Learning Inc. CTO. All executive leadership must be informed of any contingency events.

Line of Succession

The following order of succession ensures continuity of decision-making authority for the Business Continuity Plan:

  • CEO: Responsible for personnel safety and execution of the plan.
  • CTO: Responsible for recovery of technical environments.
  • If the CEO or CTO is unavailable, the CCO will assume responsibility or delegate as necessary.

Response Teams and Responsibilities

The following teams are trained to respond to contingency events affecting Breakout Learning Inc. infrastructure and systems:

  • HR Team:
    • Responsible for the physical safety of Breakout Learning Inc. personnel and environmental safety at all locations.
    • Team Leader: Head of HR, reporting to the CEO.
    • Members: Site leads at each physical location.
  • Engineering Team:
    • Responsible for assuring all applications, web services, platforms, and supporting infrastructure in the cloud. Also responsible for testing re-deployments and damage assessments.
    • Team Leader: CTO.
  • Security Team:
    • Responsible for handling cybersecurity incidents per the Incident Response policy. Assists other teams in non-cybersecurity recovery events.
    • Team Leader: CTO.

Note: Members of all teams must maintain local copies of the Business Continuity Plan and the contact information of succession teams in case of internet access disruption during a disaster.


Operational Resilience Strategy

Breakout Learning Inc.’s operational resilience strategies consider acceptable limits regarding the company's risk appetite and tolerance, developed through:

  • Risk Assessment: Identify internal and external threats, particularly related to technology, human resources, facilities, and third parties.
  • Vulnerability Analysis: Identify weaknesses that increase operational disruption risks.
  • Business Impact Analysis (BIA): Determine mission-critical business processes and assess the potential impact if these processes are disrupted.

Business Impact Analysis (BIA)

The BIA includes three main steps to ensure operational resilience and business continuity:

  1. Determine Business Processes and Recovery Criticality:
    Identify business processes supported by the system and assess the impact of a system disruption. Estimate the maximum downtime that can be tolerated.
  2. Identify Resource Requirements:
    Evaluate the resources needed to resume business processes quickly (e.g., facilities, personnel, equipment, data files).
  3. Identify Recovery Priorities:
    Prioritize system resources and establish recovery timelines based on the criticality of mission/business processes.

See Appendix A for a detailed BIA breakdown.


Application Service Event Recovery

Breakout Learning Inc. maintains a status page for real-time updates and information regarding service interruptions or downtime.

Status Page: https://status.breakoutlearning.com


System Description

Our app is a SPA hosted by Firebase hosting. It uses direct connections to firestore and firestore storage to connect the client to the “server”. There is no server we control directly. We use an event system to trigger backend processes where we have a server that is locked within our internal VPC without any direct access from the Internet. These servers are hosted on Google Cloud Run.


Data Collection

Breakout Learning Inc. employs the following data collection methods to assess business continuity requirements, risks, and impacts:

  • System Audits and Logs: Use system audits and logs to analyze historical data, assess system reliability, track recovery times, and monitor system performance during past disruptions. This helps identify weak points and areas for improvement in the current infrastructure.
  • Vendor Assessments: Engage with third-party vendors to ensure they can provide the necessary support and resilience during disruptions or outages. This includes evaluating the vendors' contingency plans, service-level agreements (SLAs), and recovery capabilities to align with Breakout Learning Inc.'s business continuity requirements.
  • Risk Assessments: Leverage regular risk assessments to evaluate threats, vulnerabilities, and the potential impact of disruptions on critical operations. This includes internal and external risk factors that may affect Breakout Learning Inc.’s ability to maintain continuous operations.

Process and System Criticality

  • Outage Impacts:
    Assess the severity of potential impacts if business processes cannot be performed.
  • Estimated Downtime:
    Breakout Learning Inc. considers the following downtime categories:
    • Maximum Tolerable Downtime (MTD): Total time managers are willing to accept for a business process outage.
    • Recovery Time Objective (RTO): Maximum time a system resource can remain unavailable without impacting other resources.
    • Recovery Point Objective (RPO): Defines the point in time to which data must be recovered, based on the most recent backup before an outage.

Resource Requirements and Recovery Priorities

  • Identify Critical Resources:
    Hardware, software, and other resources necessary to support business processes (e.g., redundant equipment).
  • Define Recovery Priorities:
    Establish the order of recovery for critical resources, including alternate strategies like backup equipment or vendor support contracts.

Recovery Procedures

  • Recovery Point Objective (RPO): Data must be recovered to the most recent point in time before the disruption.
  • Recovery Time Objective (RTO): Systems must be restored to operational status within the defined acceptable recovery time.
  • Integrity of Backups: Periodic tests will be conducted to ensure backup integrity and that recovery procedures are effective.

Appendix I: BIA Breakdown

While we do not believe there is a high risk of Google Cloud Platform going out of business, we recognize the possibility of disruptions to our GCP account, such as outages or unauthorized access. Our cloud architecture, defined in Terraform, allows us to redeploy in a new GCP account or another cloud provider with minimal effort. The engineering team has the necessary resources to rebuild the platform within 24 hours. We also maintain regular backups to ensure data integrity and availability in alignment with our RTO and RPO. In case of GCP outages or disruptions, we have contingency contracts in place with other cloud providers.


Revision History

Version

Date

Editor

Approver

Description of Changes

1.1

2024/10/01

Nikita Rogatnev

Joshua Oster-Morris

Standardized role titles across all relevant policies, replacing previous variations

1.0

2024/01/01

Joshua Oster-Morris

Jake Shepherd

Initial version