Business Continuity & Disaster Recovery
1) Overview
This document summarises how Caribou Digital (UK) Limited and its subsidiaries and affiliates (together, “Caribou”) prepare for, respond to, and recover from disruptive events. It applies to Caribou personnel and to third parties acting for or with us. Where client or legal requirements impose higher standards, the stricter standard applies.
2) Our continuity posture
- Remote-first, cloud-first: No reliance on a single office; core services run on reputable, high-availability SaaS.
- Resilience by design: Identity & access with multi-factor authentication (MFA) and least privilege; device protection with Endpoint Detection & Response (EDR); encryption in transit/at rest where feasible.
- Data protection: Versioned backups for critical repositories with periodic restore testing; privacy practices per our Privacy Policy.
- People resilience: Cross-training, documented procedures, and handover plans to mitigate key-person risk.
3) Critical functions & recovery objectives
We define RTO (maximum acceptable downtime) and RPO (maximum acceptable data loss) by system tier. Detailed system-to-tier mapping is available to clients on request.

4) Incident response & communications
- Detect & assess → classify severity; implement immediate safety/containment measures.
- Activate & coordinate → convene response leads; implement workarounds; prioritise Tier 1 services.
- Notify & update → prompt client notification where there is material impact (aim: initial notice within 4 hours), followed by regular status updates until resolution.
- Recover & learn → restore services to RTO/RPO targets; run post-incident review and implement improvements.
5) Supplier & platform continuity
- Risk-based due diligence of critical suppliers (availability posture, incident notice, data location).
- Contractual expectations for availability, incident notification, and cooperation; alternate channels or providers identified where feasible.
6) Testing & assurance
- Exercises: periodic table-top scenarios and documented restore tests.
- Reviews: risk-based, at planned intervals (generally every 24 months), and following material changes or incidents.