| Document Number | POL-GL-COM-DR&BCP-1.0 |
| Target audience | IT Ops, DevOps, InfoSec, Infrastrcuture, QE & CRM |
| Effective Date |
Cover page layout
This Policy establishes LEAP's commitment to maintaining business continuity and recovering critical information and communications technology (ICT) systems following a disruptive event. It defines the principles, obligations, and governance requirements that underpin LEAP's Business Continuity Management System.
This document applies to Legal Software Holdings Pty Ltd and wholly owned subsidiaries ("LEAP") where IT Ops, DevOps, Infrastructure, CRM and Cybersecurity centrally manage critical systems (e.g., AWS, Azure/Entra ID, CrowdStrike, Intune, Atlassian, Office 365). It covers:
| Term | Definition |
|---|---|
| Business Continuity (BC) | The capability to maintain essential business functions during and after a disruption. |
| Disaster Recovery (DR) | The technology-focused restoration of systems, data, and infrastructure after a disruption. |
| RTO : Recovery Time Objective | Maximum acceptable time a service can be unavailable before recovery must be complete. |
| RPO : Recovery Point Objective | Maximum acceptable amount of data loss, measured in time, that LEAP can tolerate. |
| BIA : Business Impact Analysis | Assessment of criticality and time-sensitivity of business processes and the systems that support them. |
| Tabletop Exercise | A scenario-based facilitated discussion used to validate plans, roles, and decision-making without disrupting live systems. |
| IC : Incident Commander/CISO | The designated individual responsible for coordinating response activities during a declared incident. |
| Role | Responsibility |
|---|---|
| Executive Sponsor CEO/COO | Ultimate accountability, receives executive briefings during major incidents. |
| Accountable Owner CISO | Policy ownership, annual review, testing cadence, and board-level reporting. |
| Technical Owners DevOps, InfoSec,DevSecOps and Infrastructure | LEAP Cloud AWS infrastructure DR, runbook ownership and execution. |
| IT Operations | Office 365/Entra ID backup and restore, end-user continuity. |
| Application Owners | Service-specific DR runbooks, escalation contacts for their platforms. |
| GRC | Maintains this policy, coordinates testing programme, manages exception register, and reports compliance |
LEAP is committed to ensuring the continued availability, integrity, and confidentiality of information and systems that are critical to its operations and to its customers. LEAP shall:
LEAP shall maintain a current Business Impact Analysis that identifies all critical business processes and supporting systems, assesses the impact of disruption across financial, operational, regulatory, and reputational dimensions, and documents management-approved RTO and RPO targets. The BIA shall be reviewed at minimum annually and following any significant change to systems, processes, or the threat environment
RTO and RPO targets shall be defined in the BIA for all systems classified as Critical or High. Targets shall be set based on business need, technical feasibility, and cost, and must be formally approved by the DR/BCP Steering Group. The Policy does not prescribe specific values --- those are the responsibility of the BIA process.
Critical systems must have documented, tested backup and restore procedures with retention periods that meet business, contractual, and legal requirements. Backup integrity must be verified through regular automated checks and periodic manual restore tests. Backup procedures must support the RPO targets defined in the BIA.
Production architecture must employ redundancy and fault tolerance appropriate to the criticality of each service, as determined by the BIA. All significant infrastructure changes must include a DR impact assessment prior to deployment. Single points of failure identified in the BIA must be tracked and remediated through the risk register
| Channel | Audience | Owner |
|---|---|---|
| Slack #general (broadcast) | All LEAP staff company-wide updates | CISO |
| Slack #incident-<date> (working channel) | Technical and operational responders | CISO |
| Email / SMS | On-call staff and domain owners (secondary) | DevOps / IT On-call |
| Status page + email distribution list | External customers and partners | Customer Success |
| Legal / Regulatory notification | Regulators, contractual counterparties | Legal / CISO |
Lessons learned from tests, incidents, audits, and PIRs must be fed back into the BCMS. The risk register and BIA shall be updated following any significant event or exercise finding. Action items must be tracked to closure and reported to the DR/BCP Steering Group
BC/DR is formally activated when an incident or external event threatens to breach approved RTO or RPO targets, or materially impacts the safety of personnel, access to facilities, critical vendor services, or regulatory obligations. Examples include:
Insurance is an important part of LEAP's Risk Management plan to reduce the impact of an event or disaster.
| Insurance Type | Policy Coverage | Insurance Company |
|---|---|---|
| ATI Global Limited | Cyber, IT, Professional Indemnity and General Liability | Chubb Insurance Australia Limited |
The CFO has responsibility for LEAP Dev's insurance policies and any claims that need to be made, as well as ensuring that we have sufficient coverage in the event of significant disruption
| Test Type | Frequency | Scope | Output |
|---|---|---|---|
| Annual DR Exercise | At least once per year | Core services, must include a regional disruption or major datastore scenario | Test report with RTO/RPO achieved and action items |
| Title | Name | Mobile | Role | |
|---|---|---|---|---|
| CEO, LEAP Dev | Vahdat Dastpak | +61 431 337 590 | vahdat.dastpak@leapdev.io | Authority to make a statement to the media on behalf of LEAP and to contact next of kin. Key development team remote availability and readiness |
| CISO | Gavin Smith | +61 434 835 430 | gavin.smith@leapdev.io | Coordinate IT staff and contact point for all IT and InfoSec services |
| CIO | Chris Chahinian | +61 402 342 659 | chris.chahinian@leapdev.io | Coordinate Business Systems staff and act as a backup contact point for all IT services |
| COO | Nik Samuelson | +61 411 511 097 | nik.samuelson@leaplegalsoftware.com | Coordinate finance team Crisis Communications |
| Chief People Officer (LEAP Global) | Christine Ivanko | +61 436 692 335 | christine.ivankovic@leaplegalsoftware.com | Key liaison between People and Communications Team Internal LEAP communications Back-up Spokesperson |
| Head of Legal, Software Group | Naomi Saba | +61 420 100 900 | naomi.saba@ati-global.com | Providing expert advice on matters of Law in a range of situations. |
| Marketing Manager (LEAP Global) | Evett Baranov | +61 424 111 095 | evett.baranov@leaplegalsoftware.com | Contact for social media channels and key media liaison |
| Marketing Manager (LEAP Australia) | Jacqui Lillyman | +61 466 584 839 | jacqui.lillyman@leap.com.au | Contact for social media channels and key media liaison |
| Asset / Environment | Backup/DR Responsibility | Business Owner | Technical Lead |
|---|---|---|---|
| LEAP Cloud AWS (Core) | DevOps Team | Vahdat Dastpak | Paul Kimber |
| Office 365 / Entra ID | IT Ops Team (CloudAlly) | Chris Chahinian | Sandra Menares |
| Atlassian (Jira/Bitbucket) | IT/DevOps (GitProtect/GitRestore) | Vahdat Dastpak | Paul Kimber |
| Cybersecurity Technologies | CISO / InfoSec Team | Gavin Smith | Nathan Miller |
| LEAPAuth / Identity Platform | DevSecOps Team | Vahdat Dastpak | Paul Kimber |
Exceptions in this policy will be risk-assessed by CISO with valid business justification and Policy Owner's approval. Exceptions will be time bound.
Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to P&C disciplinary action, up to and including termination of employment.
Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.
This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).
| Version Number | Date | Section Changes | Author | Approver |
|---|---|---|---|---|
| 1.0 | <<enter date>> | Initial Release | Manager of GRC | CISO |