ISO-12: Backup and Recovery Compliance
Release: v1.0.402
Framework: ISO 27001 — Control ISO-12
This post details the backup and recovery controls introduced to bring the platform into compliance with ISO 27001 Control ISO-12 and HMRC's 7-year financial data retention requirements.
Background
The platform stores sensitive financial data — including HMRC submission records, transaction histories, and taxpayer income figures — in a Neon Postgres database. While Neon provides point-in-time recovery (PITR) at the infrastructure level, the absence of an explicit backup strategy, documented RPO/RTO targets, and a tested recovery procedure represented a significant compliance gap for a platform operating under the Making Tax Digital (MTD) ITSA mandate.
ISO 27001 Control ISO-12 requires organisations to protect information against loss of availability and ensure that backup copies of information, software, and system images are taken and tested regularly. For financial records, HMRC requires data to be retained for a minimum of 7 years.
What Changed
1. Documented Backup Strategy
A formal backup and recovery strategy has been documented, covering:
- Neon PITR configuration — Retention window settings and how PITR is used as the primary recovery mechanism.
- Branch strategy — How Neon's branching capability is used to support isolated test restores without affecting production data.
- Neon plan tier — Confirmation that the active Neon plan tier satisfies the 7-year retention requirement for HMRC financial records.
2. RPO and RTO Targets
| Target | Value |
|---|---|
| Recovery Point Objective (RPO) | < 1 hour |
| Recovery Time Objective (RTO) | < 4 hours |
These targets define the maximum acceptable data loss and maximum acceptable downtime in the event of a database incident, and are now formally referenced in platform operations documentation.
3. Recovery Procedures
Step-by-step recovery procedures have been documented covering:
- Identifying the target restore point within the Neon PITR window.
- Initiating a restore to a Neon branch.
- Validating data integrity via row count checks before promoting the branch to production.
- Communication and escalation steps during a recovery event.
4. Automated Weekly Backup Verification
A new Inngest scheduled function runs weekly to provide ongoing assurance that backups are actually recoverable:
- Test restore — Triggers a Neon branch restore from the most recent PITR snapshot.
- Row count validation — Queries key financial tables (submissions, transactions, taxpayer records) and compares counts against production.
- Alert on failure — Raises an alert if the restore fails or row counts fall outside expected bounds.
- Audit log — Records the verification result to the platform audit trail for compliance reporting.
This automated check replaces the need for manual backup testing and provides a verifiable record of backup health.
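The row count validation, alert and audit log steps above, as an added JavaScript example that is not the platform's own code. The table names, the 1% bound, the append-only assumption and the audit record shape are all assumptions, and the counts are constructed rather than queried from Neon.

```javascript
// Added example. Table names, bound and record shape are assumptions.
const TABLES = ["submissions", "transactions", "taxpayer_records"]; // hypothetical names

// Compare per-table row counts from production and the restored branch.
// The restore reflects an earlier point in time, so for append-only
// financial tables (assumed) the restored count should be <= production
// and short by no more than `maxLagRatio` of production rows.
function verifyRestore(prodCounts, restoredCounts, { maxLagRatio = 0.01, now = new Date() } = {}) {
  const results = TABLES.map((table) => {
    const prod = prodCounts[table];
    const restored = restoredCounts[table];
    let status = "ok";
    let reason = null;
    if (!Number.isInteger(prod) || !Number.isInteger(restored)) {
      status = "fail"; reason = "count missing (query failed or table absent)";
    } else if (restored > prod) {
      status = "fail"; reason = "restored branch has more rows than production";
    } else if (prod > 0 && restored === 0) {
      status = "fail"; reason = "restored table is empty";
    } else if (prod - restored > Math.ceil(prod * maxLagRatio)) {
      status = "fail"; reason = "row deficit exceeds expected bound";
    }
    return { table, prod: prod ?? null, restored: restored ?? null, status, reason };
  });
  const passed = results.every((r) => r.status === "ok");
  // One audit record per run, written whether the check passed or failed.
  return { check: "weekly-backup-verification", at: now.toISOString(), passed, alert: !passed, results };
}

// Constructed sample counts (not real data).
const prod = { submissions: 12000, transactions: 480000, taxpayer_records: 3500 };
const healthy = { submissions: 11990, transactions: 479100, taxpayer_records: 3500 };
const truncated = { submissions: 11990, transactions: 120000 }; // taxpayer_records missing

console.log(JSON.stringify(verifyRestore(prod, healthy), null, 2));
console.log(verifyRestore(prod, truncated).results.filter((r) => r.status === "fail"));
```

Matching row counts show only that the restore is complete in size; they do not show that row contents are intact.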
Compliance Mapping
| Requirement | Control | Status |
|---|---|---|
| Backup configuration documented | ISO 27001 ISO-12 | ✅ Met |
| RPO target defined | ISO 27001 ISO-12 | ✅ Met |
| RTO target defined | ISO 27001 ISO-12 | ✅ Met |
| Recovery procedure documented | ISO 27001 ISO-12 | ✅ Met |
| Backup verification tested regularly | ISO 27001 ISO-12 | ✅ Met |
| 7-year financial data retention | HMRC MTD ITSA | ✅ Met |
Why This Matters
For landlords and self-employed taxpayers relying on this platform to meet their MTD ITSA obligations, the integrity and availability of submitted tax data are non-negotiable. A loss of submission records, transaction history, or HMRC authorisation tokens could result in:
- Inability to file quarterly updates on time, triggering HMRC penalties.
- Loss of historical records required for HMRC enquiries up to 7 years after submission.
- Breach of HMRC's data handling requirements for MTD-compatible software.
The controls introduced in this release ensure that recovery from any database incident can be achieved within defined, tested time bounds, and that the platform's backup posture is continuously verified rather than assumed.