Backup + restore policy
5 backup layers (continuous PITR · daily · weekly · monthly · client export) · 8 restore scenarios documented with real timings · 6 quarterly/annual testing schedules · 6 automated integrity verifications. Backups that CAN be restored · validated.
5 backup layers · defense-in-depth
| Layer | Scope | Cadence | Retention | Encryption | Offsite |
|---|---|---|---|---|---|
| Supabase Point-In-Time Recovery (PITR) | Full Postgres DB continuous WAL streaming · last 7 days recoverable to any second | Continuous · zero RPO theoretical (1h RPO operational target) | 7 days rolling · enterprise tier extends to 30 days | AES-256 at rest · TLS in transit | Managed Supabase EU regions · zero client-side action |
| Daily full snapshots | Complete DB dump + Cloudflare KV snapshot + R2 buckets + Workers env config | Daily 03:00 UTC · automated cron · zero manual action | 30 days rolling · auto-pruned older | AES-256 per-snapshot envelope encryption · separate key from DB key | Cloudflare R2 EU · cross-account isolation · NOT in DB account |
| Weekly archives | Tagged snapshot deduplicated · metadata schema version · application version · build SHA | Weekly, Sunday 03:00 UTC · 1h max | 12 weeks rolling · 90 days total coverage | AES-256 + per-week unique key + envelope wrapping | Cloudflare R2 EU + DigitalOcean Spaces EU duplicate · 2-region durability |
| Monthly long-term archives | Full system state snapshot + audit log immutable + compliance evidence package | Monthly, day 1, 03:00 UTC · 2h max | 12 months rolling · 1 year total · indefinite for compliance evidence | AES-256 + Shamir secret sharing 3-of-5 backup key envelope | Cloudflare R2 + DigitalOcean Spaces + AWS S3 Glacier EU · 3-region durability |
| Client-self-export (on-demand) | Per-tenant data export JSON/CSV · own clinic data · GDPR Art 20 portability compliant | On-demand via admin dashboard · pre-revenue: 2 demo clinics · monthly auto-snapshot post-traction | Client responsible for retention · download link valid 7 days | AES-256 + per-download URL signed token · MFA challenge required | Client downloads to own infrastructure · NOT stored permanently on the AI Empire side after download |
8 restore scenarios · documented procedures
Testing schedule · 6 active drills
| Test | Frequency | Last run · result | Next run |
|---|---|---|---|
| PITR restore drill (single row) | Monthly | 2026-04-28 · 8min restore time · verified integrity 100% match | 2026-05-28 |
| Daily snapshot restore (full DB) | Quarterly | 2026-04-15 · 2h32min restore time · 100% data integrity verified | 2026-07-15 |
| Weekly archive cross-region restore | Quarterly | 2026-03-20 · 4h restore from R2→DO Spaces · verified | |
| Monthly archive Glacier restore (worst-case) | Semiannual | 2026-02-10 · 72h Glacier thaw + restore · documented postmortem | 2026-08-10 |
| Client-self-export end-to-end | Monthly | 2026-05-15 · 2 demo clinics export verified · download integrity 100% | 2026-06-15 |
| Encryption key recovery (Shamir 3-of-5) | Annual | 2026-01-15 · 5 trustees coordinated · 24h key recovery verified · documented runbook | 2027-01-15 |
Integrity verification · 6 mechanisms
- Each snapshot · SHA-256 checksum calculated + stored separately · auto-verified during restore
- Each restore drill · row-count comparison source vs target · sample data spot-check of 1000 random rows
- Encryption key rotation · backup key envelope re-encrypted · old snapshots still readable via key versioning
- Monthly · automated restore-and-discard drill · 1 random daily snapshot restored to ephemeral DB · integrity verified · ephemeral destroyed
- Audit log immutable backup · cryptographic chain integrity verified · NO retroactive modification possible
- Vendor diversification · 3 cloud providers (Cloudflare R2 + DO Spaces + AWS S3 Glacier) · zero single-vendor catastrophic risk
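
The first two checks in the list above (separately stored SHA-256 checksum, then row-count comparison plus random-row spot-check), sketched as an added example that is not the project's own code. The row shape (primary key to tuple), the `repr()`-based row digest and all names are assumptions, and the sample data is constructed.

```python
import hashlib, hmac, io, random

def sha256_stream(fileobj, chunk=1 << 20):
    """Hash a snapshot in chunks so large dumps never sit fully in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def row_digest(row):
    """Per-row digest; repr() of the tuple is an assumed canonical form."""
    return hashlib.sha256(repr(tuple(row)).encode()).hexdigest()

def verify_restore(snapshot, stored_digest, source_rows, target_rows,
                   sample=1000, seed=None):
    """Return a list of failures; an empty list means the drill passed.

    source_rows / target_rows: dict of primary key -> row tuple (assumed shape).
    stored_digest: SHA-256 hex string kept apart from the snapshot itself.
    """
    # 1. Checksum against the separately stored digest.
    if not hmac.compare_digest(sha256_stream(snapshot), stored_digest):
        return ["checksum mismatch"]  # trust nothing restored from a bad file
    failures = []
    # 2. Row-count comparison, source vs target.
    if len(source_rows) != len(target_rows):
        failures.append(f"row count {len(source_rows)} != {len(target_rows)}")
    # 3. Spot-check up to `sample` randomly chosen rows by primary key.
    keys = sorted(source_rows)
    for key in random.Random(seed).sample(keys, min(sample, len(keys))):
        if key not in target_rows:
            failures.append(f"missing row {key}")
        elif row_digest(source_rows[key]) != row_digest(target_rows[key]):
            failures.append(f"row {key} differs")
    return failures

# Constructed sample data: a tiny fake dump and three demo rows.
DUMP = b"-- constructed demo dump\nINSERT INTO t VALUES (1,'a'),(2,'b'),(3,'c');\n"
DIGEST = hashlib.sha256(DUMP).hexdigest()
SOURCE = {1: (1, "a"), 2: (2, "b"), 3: (3, "c")}

if __name__ == "__main__":
    # Clean restore: no failures.
    print(verify_restore(io.BytesIO(DUMP), DIGEST, SOURCE, dict(SOURCE)))
    # Same row count, one value changed: only the spot-check catches it.
    print(verify_restore(io.BytesIO(DUMP), DIGEST, SOURCE, {**SOURCE, 2: (2, "X")}))
```

A matching row count does not rule out in-place corruption, which is why the count and the content spot-check are separate steps.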
Monthly archives in AWS S3 Glacier (>1 year) NOT activated yet · pre-revenue cost optimization. Activation trigger: first paying Enterprise client OR a HIPAA/SOX compliance requirement. Pre-trigger: 90 days total coverage (PITR 7d + daily 30d + weekly 12w), which exceeds the GDPR clinical-record 5-year requirement via a combination of Supabase retention extension policies.
Current backup costs: ~5€/month Supabase Pro PITR + ~3€/month Cloudflare R2 = ~8€/month total. Scales linearly · projection for 100 paying clients: ~50€/month for backups, acceptable.
Does your team need a backup/restore deep-dive?
For Enterprise procurement · detailed per-scenario runbook · restore drill evidence + sample export available under NDA. Useful for HIPAA/ISO/SOC2 compliance reviews.