Business Continuity & Disaster Recovery Policy

How Boundless plans for, exercises against and recovers from disruption - RPO/RTO targets per service, alternate sites, and the BCP testing cycle.

Version

v1.0

Effective

22 April 2026

Last reviewed

22 April 2026

Jurisdiction

United Kingdom

Owner

COO

Review cycle

Annual, plus on material change

NIS2 Art. 21(2)(c)ISO 22301:2019

1. RPO / RTO targets#

Service	RPO	RTO
Customer-data plane	15 minutes	1 hour
Provisioning APIs	1 hour	4 hours
Billing	24 hours	24 hours
Audit chain	0 (continuous replication)	1 hour

2. Alternate sites#

Active-active across UK + EEA Cloudflare and Lovable Cloud regions. Carrier core operates from geographically separated cores with sub-second failover.

Named owners, written charters, scheduled reviews, board oversight.

3. Testing cycle#

Tabletop exercise: quarterly.
Component failover test: monthly.
Full-region failover test: every 6 months.
Findings feed the Risk & Compliance Committee.

4. Reference scenarios#

Loss of a single cloud region.
Loss of carrier-core partner for >1 hour.
Targeted DDoS exceeding edge capacity.
Loss of key personnel (CEO/CFO/CISO).
Ransomware on internal systems.

5. Regulatory basis#

NIS2 Art. 21(2)(c), ISO 22301:2019, Telecoms Security Act 2021. Owner: COO.

Version history

Version	Date	Change
v1.0	22 April 2026	Initial publication.

This document is published by Boundless Telecom Ltd and forms part of our public legal posture. It is a living document - we update it as the regulatory environment, our supply chain or our products change. If anything here is unclear or you'd like a counter-signed copy, contact legal@boundless.tel and we'll respond within one working day.