This policy applies to databases and to secure files (e.g. Word documents or PDFs) uploaded to CareHQ.
All production databases run as a three-node (or larger) replica set, which provides continuous availability and redundancy. If the primary server becomes unavailable, a secondary is automatically promoted, so the failure of a single server does not cause an outage.
Database snapshots are taken every hour and retained for 48 hours. They are stored on a separate server with a different hosting provider (ISP) to mitigate provider-level risk.
Full server and database snapshots are taken daily and retained for 30 days. They are stored in Amazon S3.
Clients using accounting periods with CareHQ have an additional database snapshot taken when they close an accounting period (typically monthly). These snapshots are retained for up to 10 years and are stored on Amazon S3.
Secure files (e.g. Word documents or PDFs) uploaded to CareHQ are stored in S3. A separate S3 bucket in a different region, with versioning enabled, receives a near-real-time replicated copy and serves as the backup. With versioning enabled, deleting a file does not remove it: S3 records a delete marker and the previous version remains restorable. Versions marked as deleted are permanently removed from the backup 365 days after the delete marker was created.
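The retention behaviour described above is normally expressed as an S3 lifecycle rule on the versioned backup bucket. The configuration below is an added illustration, not CareHQ's own configuration: the rule ID is hypothetical, and the bucket, region and replication settings are assumed to already exist. It expires a non-current version 365 days after it became non-current (which is what happens when a delete marker is written on top of it) and then cleans up the delete marker once no versions remain behind it.

```json
{
  "Rules": [
    {
      "ID": "expire-deleted-documents-after-365-days",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 365 },
      "Expiration": { "ExpiredObjectDeleteMarker": true }
    }
  ]
}
```

Two checks a practitioner would want when applying such a rule: versioning must be enabled on the backup bucket (without it there are no non-current versions, and the rule is a no-op), and the replication configuration must be set to replicate delete markers, otherwise a deletion in the primary bucket never appears in the backup and the 365-day clock never starts there. Note also that `NoncurrentVersionExpiration` applies to every superseded version, including those replaced by an overwrite, not only to versions hidden by a delete marker.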
In the event of a major incident, our target is to restore service within 4 hours (recovery time objective, RTO). Outside our hours of operation, the target is 8 hours.
Database backups can be recovered to within one hour of an incident (recovery point objective, RPO, matching the hourly snapshot schedule). File data can be restored to a previous version using S3 versioning.
This policy is designed to support compliance with common data protection and business continuity practices.
Backup and restore processes are tested regularly to confirm that they work. Backup runs are logged; failures are flagged automatically and investigated.
Customers are responsible for ensuring that their own retention requirements are met.
CareHQ will support data recovery in line with this policy and the RTO/RPO objectives defined above.