# Backup & recovery
## What needs backing up
| Surface | Why | Frequency | Retention |
| ---------------------------------- | ---------------------------------------- | --------------------------- | ---------------------------------------------------- |
| PocketBase `pb_data/` | All tenant data (datasets, runs, scores) | Hourly snapshot, daily full | 30 d hourly, 1 y daily |
| `.env` / secrets manifest | Tenant-specific config | On change | Indefinite (in Vault, not in backup) |
| Langfuse Postgres (if self-hosted) | Trace history | Daily | 90 d |
| GHCR images | Release artefacts | On tag | Indefinite (GitHub policy) |
| SBOMs | Compliance attestation | Per release | 90 d (CI artefact) + indefinite (release attachment) |
## Topology
```mermaid
flowchart LR
Edge[Edge pod] -->|writes| PB[(pb_data/)]
PB -->|hourly snap| Local[Local volume snapshot]
PB -->|daily full| Remote[(Off-site bucket
encrypted at rest)]
Local -.->|RPO 1h| Restore[Restore drill]
Remote -.->|RPO 24h| Restore
```
## RPO / RTO targets
| Tier | RPO | RTO |
| ---------------------------------- | ---- | --- |
| Critical (eval runs, datasets) | 1 h | 1 h |
| Non-critical (traces, ai\_reports) | 24 h | 4 h |
## Backup commands (reference)
### restic to S3-compatible target
```bash
restic -r s3:s3.internal.bank/edge-backups \
backup /var/lib/edge/pb_data \
--tag tenant= --tag env=prod
```
### Restore drill
Should be exercised quarterly (drill cadence shared with [Gate 07](/banking-readiness/gate-07-incident-response.md)).
```bash
# 1. Spin a sandbox pod with the same image version
docker run -d --name edge-restore-test \
-v /tmp/restore-target:/app/pocketbase/examples/base/pb_data \
ghcr.io/nkap360-dev/edge-app:vX.Y.Z
# 2. Restore latest snapshot into the sandbox
restic -r s3:... restore latest --target /tmp/restore-target
# 3. Smoke test
curl http://localhost:8080/health
```
Record the drill outcome in `postmortems/YYYY-MM-DD-drill-restore.md`.
## What is **not** backed up
* The Docker image — re-pull from GHCR.
* Build artefacts — re-build from source at tag.
* Tenant LLM provider keys — they live in the bank's Vault, not in Edge.
* Pre-cutover GitLab archive — that's LGT-side responsibility.
## Encryption at rest
| Surface | Mechanism |
| --------------------- | ---------------------------------- |
| Local volume snapshot | Filesystem-level encryption (LUKS) |
| Off-site bucket | KMS, customer-managed key |
| Vault secrets | Vault transit engine |
## Compliance mapping
* ISO 27001 Annex A.8.13 (Information backup).
* DORA Art 11(2)(c) (Operational resilience — backup and restoration testing).
* GDPR Art 5(1)(e) — storage limitation (backup retention bounded).
* GDPR Art 32(1)(c) — ability to restore availability and access in a timely manner.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.edge.nyami.fr/operations/backup-recovery.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.