This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Backups and recovery

Do Subcontractors have access to Scoped Systems and Data? (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.)

• Yes, subcontractors have access as per our vendor management policy in compliance with SOC 2 and ISO 27001 requirements.

How long are system backups retained?

• Typically, 1 year is the best practice, though 30 or 90 days are also common. The retention period can be less than 30 days if documented and justified in the policy.

What data backup options are available for Secureframe?

• Secureframe performs routine backups and retains such backups for a necessary period of time to ensure restoration and access, if relevant.

  Automated backups are stored for 7 days rolling for and indefinitely for manual. We employ cross-availability zone redundancy and our RPO and RTOs are 24 hours and 4 hours, respectively.

What type of evidence to handle Backup restoration?

• You can restore a non-production environment and upload a screenshot of a successful restoration. Production is not required; non-production is fine as long as it wouldn't impact your business.

Continuity and DR planning

Are Disaster Recovery Tabletop exercises required for both Type 1 and Type 2?

• Yes, Disaster Recovery Tabletop exercises are required for both Type 1 and Type 2 audits. If the exercise performed for Type 1 is done within the Type 2 audit window, it can be reused for the Type 2 assessment.

How is a simulation test / tabletop exercise done for the Disaster Recovery Plan?

• We provide scenarios in the templates folder that can be done remotely on a conference call with the appropriate leadership, security, and technical personnel. The scenarios should be completed realistically.

RTO, RPO, and failover

How can I track additional asset fields (e.g., sensitivity classification, support expiration date, RTO) in Secureframe for compliance requirements like NYDFS?

• At this time, Secureframe’s asset inventory does not support adding custom fields directly. As a workaround, you can export your asset inventory from Secureframe and manually add the required attributes (such as sensitivity, expiration date, or RTO) in your own tracking file. This ensures you can still meet regulatory requirements until custom fields are supported in-platform.

How do I choose the right RTO and RPO values for my organization?

• Your RTO and RPO should be based on business impact and what is operationally realistic for your organization. When determining these values, consider:

  Business impact: Potential revenue loss per hour, customer disruption, compliance or regulatory impacts

  System criticality: Whether the system is customer-facing or internal, real-time or batch

  Customer commitments: Any SLAs, contracts, or uptime/availability requirements

  Technical capabilities: Your current backup frequency, DR architecture, failover methods, and cloud region redundancy

  Cost vs. risk: Shorter RTO/RPO values require more investment (e.g., hot failover, continuous replication), so choose values that balance cost with acceptable risk

What do we recommend for RPOs and RTOs for the BCDR template? Specifically for startups?

• RPOs and RTOs can range from 2 hours to 1 day for startups. The chosen time frame should be reasonable for their organization and in line with their operational needs.

What is an RPO (Recovery Point Objective)?

• The Recovery Point Objective (RPO) is the maximum amount of data your organization can afford to lose during an incident, measured as the time between the last successful backup and the disruption.

What is an RTO (Recovery Time Objective)?

• The Recovery Time Objective (RTO) is the maximum amount of time a system or process can be down before it must be restored. It represents how quickly you need to recover after a disruption.

Additional customer questions

What is the purpose of separating pre-production environments from production environments?

• To prevent pre-production environments from introducing risks and vulnerabilities into production environments.

Do you support secure deletion of data and backups?

Customers can delete data within the platform or request Secureframe to delete certain data. Deletion of necessary data may affect platform functionality.