🔙 Backups
How we back up your data, how often,and how we verify that restoration reliably works.
Backups
How we back up your data, how often, and how we verify that restoration works.
Why backups matter
Data loss can happen for many reasons -- hardware failure, software bugs, human error, or security incidents. A solid backup strategy ensures that your data can be recovered quickly and completely, no matter what happens.
As part of our ISO 27001 certified information security management system (ISMS), backups are a core control. Our backup policy (aligned with ISO 27001 Annex A Control 8.13) requires that backup copies of information, software, and systems are maintained and regularly tested.
What we back up
tchop runs on a 100% cloud-based infrastructure with all servers hosted by AWS or Hetzner (you can choose as a client). We back up the following data assets:
Databases - all production databases are backed up via automated snapshots
Media and files - all user-uploaded content (images, videos, documents) is covered by object storage durability and versioning
Code repositories - source code is backed up independently from production data
Configuration and infrastructure - server configurations and infrastructure-as-code definitions are version-controlled and backed up
Backup frequency and retention
Data asset | Backup method | Frequency | Retention |
|---|---|---|---|
Production databases | Automated snapshots | Daily | 30 days |
Media / file storage | Object storage versioning | Continuous | Per policy |
Code repositories | Git-based + offsite backup | Continuous | Indefinite |
Server configurations | Version-controlled | On change | Indefinite |
Automated database snapshots run daily without any downtime or performance impact on the live system. Point-in-time recovery is available for database instances, allowing restoration to any second within the retention window.
Encryption and security
All backups follow the same security standards as production data:
Encrypted at rest - backups are encrypted using AES-256 encryption, the same standard applied to all production data
Access restrictions - only authorised personnel (lead backend developers and the Information Security Officer) can access or restore backups
Separate storage locations - backups are stored in physically separate locations from the production environment (offsite backups)
Audit trail - all backup and restoration activities are logged
Backup restoration testing
We do not just create backups - we regularly verify that they work. Our backup restoration test is performed annually as part of our ISMS and is documented with full version history.
The test procedure:
Select the latest automated production database snapshot
Restore it to a separate, non-production database instance
Verify that the restored data is complete and consistent
Document the results, including any issues encountered
The test is authorised by the Information Security Officer
We have successfully completed and documented restoration tests every year since 2022, with the most recent test completed in September 2025.
A detailed step-by-step restoration procedure is maintained internally so that any authorised team member can perform a recovery if needed.
Recovery objectives
Our backup strategy is designed to meet the following objectives:
Recovery Point Objective (RPO) - maximum data loss of 24 hours for database data (daily snapshots), near-zero for file storage (continuous versioning)
Recovery Time Objective (RTO) - database restoration from snapshot typically completes within 1-2 hours, depending on database size
These objectives are reviewed as part of our regular ISMS reviews and adjusted based on business requirements.
Hosting and data residency
tchop operates on cloud infrastructure with all servers located in Germany. For organisations with strict data residency requirements, we also offer hosting on Hetzner, providing a fully EU-sovereign option where all data and backups remain within the EU.
Regardless of hosting environment, the same backup standards, encryption, and restoration procedures apply.
What this means for your organisation
Compliance - documented backup and restoration procedures support GDPR, ISO 27001, and industry-specific requirements
Procurement - backup policies and test reports are available for IT security reviews on request
Business continuity - your platform data is protected against loss with tested recovery procedures
Transparency - we can provide details on backup frequency, retention, and restoration testing for your security questionnaires
Summary
All production databases are backed up daily via automated snapshots with 30-day retention
Point-in-time recovery is available for databases
Media and files benefit from object storage durability and versioning
All backups are encrypted at rest using AES-256
Backup access is restricted to authorised personnel only
Backups are stored in separate, offsite locations
Backup restoration is tested annually with documented results (last test: September 2025)
All data and backups remain in Germany, with optional EU-sovereign hosting on Hetzner
These measures are part of our ISO 27001 certified ISMS, audited by TUeV Sued
Need details for a security questionnaire or compliance review? Reach out to us at support@tchop.io.
