Business Continuity & Disaster Recovery – FAQ

Version: 1.0  Effective Date: November 2025
Applies To: iWoWSoft HRMS — SaaS, IaaS and On-Premises Deployments

1. Where is iWoWSoft HRMS hosted?

Our HRMS production systems are hosted in IPServerOne’s CJ1 Tier III data centre in Cyberjaya, Malaysia.
We also maintain an alternative server in our office that can be used as a recovery environment if the primary hardware cannot be repaired or replaced within a reasonable timeframe.


2. Do you have a formal Business Continuity & Disaster Recovery (BC/DR) plan?

Yes. iWoWSoft maintains a documented Business Continuity & Disaster Recovery plan that covers:

  • Hosting and data centre arrangements
  • Backup and retention strategy
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  • DR invocation criteria and restore options
  • Incident communication and BC/DR testing

This FAQ is a summary. A more detailed BC/DR Plan (Customer Summary) is available in our knowledge base or on request.


3. How often is our data backed up, and where are backups stored?

We perform daily backups of the production database and store them in multiple locations:

  • On the production server in the data centre
  • On NAS (Synology) storage within the data centre
  • Copies are securely transferred to our office and then stored on offline media (offline/off-site copy)

Because backup files are large, the transfer from data centre to office can take longer than one day; our recovery planning and worst-case RPO take this into account.


4. How long do you retain backups?

We keep:

  • Daily backup copies for at least 20 days, and
  • At least one monthly backup copy for longer-term reference (e.g. to investigate historical changes in previous months).

5. What are your RTO and RPO for the HRMS?

Under normal conditions:

  • Typical RTO (Recovery Time Objective):
    Up to 1 business day to restore service for the HRMS application and database.
  • Typical RPO (Recovery Point Objective):
    • In many incidents (e.g. hardware swap, network issue), no data loss occurs because we do not restore from backup (RPO ≈ 0).
    • In incidents where we must restore from backup (e.g. unrecoverable corruption), maximum typical data loss is up to 1 day due to daily backups.

In an extreme worst-case scenario where all online copies in the data centre are destroyed and we must rely solely on offline copies stored at our office, the maximum potential data loss (RPO) could be up to 7 days.


6. Does every outage cause data loss?

No. Many outages do not result in data loss.

Examples where we typically see no data loss:

  • Network / upstream provider issue (e.g. routing or CDN problem) where the database remains healthy.
  • Hardware component failure (e.g. memory) where data on disk is intact and we wait for replacement parts.

In such cases we do not restore from an older backup, because that would roll data backwards unnecessarily. Instead, we:

  • Preserve the current, accurate data in the data centre
  • Focus on restoring access (connectivity or hardware) as quickly as possible

Data loss only occurs when we must restore from an older backup (e.g. severe corruption or destructive storage failure).


7. When do you actually invoke Disaster Recovery (DR)?

We consider full DR (restoring from DR/offline backups or switching to the office recovery server) when:

  • The primary data centre cannot be recovered within a reasonable timeframe, or
  • The primary data set has been destroyed or irreversibly compromised (e.g. destructive attack, catastrophic failure).

We do not invoke DR solely because of:

  • Temporary network or upstream provider outages, or
  • Hardware issues where data remains intact

In those cases, triggering DR from a stale backup would create avoidable data loss and reconciliation problems, so we prioritise restoring access to the current data.


8. How often do you test BC/DR?

We aim to perform at least one technical BC/DR test each year, typically in June.

Tests may include:

  • Technical restore exercises – restoring database backups to an alternative environment and validating application functionality
  • Tabletop exercises – walkthroughs of incident scenarios, roles and communication

We maintain internal records for each test (scope, steps, timings, issues, follow-ups).
A high-level summary of recent BC/DR tests can be shared with customers on request.


9. Are you ISO 27001 / SOC 2 certified?

  • iWoWSoft as an organisation:
    We do not currently hold our own ISO 27001 or SOC 2 certification.
  • Data centre / hosting provider (IPServerOne):
    IPServerOne’s Malaysian data centres and cloud infrastructure, including CJ1, maintain multiple certifications at the provider / data centre level, such as:
    • Tier III data centre classification
    • ISO 27001 / ISO 27017
    • PCI-DSS (for relevant services)
    • SOC 2 Type II

We build our HRMS platform on top of this certified infrastructure and implement our own application-level security, backup and operational controls.

Copies or summaries of relevant data centre certificates can be provided on request, subject to any conditions imposed by the provider.


10. How will we be notified in case of a major outage or incident?

For major incidents that materially affect availability or data:

  • We notify affected customers via email, integrated with our ticketing system.
  • Each affected customer receives a ticket where updates and closure information are tracked.
  • Our support team manages customer-facing communication, and our technical team handles investigation and recovery.

Customers can also contact our support team through the usual channels if they have questions during or after an incident.


11. Can we get a copy of your full BC/DR plan or test reports?

We provide:

  • This BC/DR FAQ for quick reference
  • A more detailed Business Continuity & Disaster Recovery Plan (Customer Summary) on our knowledge base or on request
  • A high-level summary of recent BC/DR tests, on request, subject to confidentiality and NDA where applicable

Internal runbooks, detailed infrastructure diagrams and full test artefacts are not shared externally for security reasons.
