Disaster Recovery and Business Continuity Policy

Disaster Recovery (DR) and Business Continuity (BCP) Policy

Document Number POL-GL-COM-DR&BCP-1.0
Target audience IT Ops, DevOps, InfoSec, Infrastrcuture, QE & CRM
Effective Date

Cover page layout

Contents

  • 1. Purpose
  • 2. Scope
  • 3. Definitions
  • 4. Roles and Responsibilities
  • 5. Policy Statement
  • 6. Policy Statements
  • 6.1. Business Impact Analysis (BIA)
  • 6.2. Recovery Objectives
  • 6.3. Backup and Data Protection
  • 6.4. Resilience
  • 6.5. Communication
  • 6.6. Continuous Improvement
  • 7. Triggering BC/DR
  • 8. Insurance
  • 9. Testing and Assurance
  • 10. Contacts
  • 11. Responsibility Matrix
  • 12. Any References
  • 13. Related documents
  • 14. Policy Exceptions
  • 15. Policy Enforcement
  • 16. Policy Monitoring
  • 17. Awareness & Communication
  • 18. Version History

Purpose

This Policy establishes LEAP's commitment to maintaining business continuity and recovering critical information and communications technology (ICT) systems following a disruptive event. It defines the principles, obligations, and governance requirements that underpin LEAP's Business Continuity Management System.

Scope

This document applies to Legal Software Holdings Pty Ltd and wholly owned subsidiaries ("LEAP") where IT Ops, DevOps, Infrastructure, CRM and Cybersecurity centrally manage critical systems (e.g., AWS, Azure/Entra ID, CrowdStrike, Intune, Atlassian, Office 365). It covers:

  • LEAP Cloud product infrastructure on AWS (EC2/ECS, ALB, RDS/SQL, DynamoDB, S3, OpenSearch)
  • Business systems (e.g., Office 365, Azure AD/Entra ID, Atlassian, Slack)
  • Key supporting platforms (e.g., LEAPAuth, CI/CD, backups, logging/monitoring)
  • Third-party vendors and suppliers that provide services critical to LEAP's operations
  • All LEAP employees, contractors, and third parties who manage or operate in-scope systems

Definitions

Term Definition
Business Continuity (BC) The capability to maintain essential business functions during and after a disruption.
Disaster Recovery (DR) The technology-focused restoration of systems, data, and infrastructure after a disruption.
RTO : Recovery Time Objective Maximum acceptable time a service can be unavailable before recovery must be complete.
RPO : Recovery Point Objective Maximum acceptable amount of data loss, measured in time, that LEAP can tolerate.
BIA : Business Impact Analysis Assessment of criticality and time-sensitivity of business processes and the systems that support them.
Tabletop Exercise A scenario-based facilitated discussion used to validate plans, roles, and decision-making without disrupting live systems.
IC : Incident Commander/CISO The designated individual responsible for coordinating response activities during a declared incident.

Roles and Responsibilities

Role Responsibility
Executive Sponsor CEO/COO Ultimate accountability, receives executive briefings during major incidents.
Accountable Owner CISO Policy ownership, annual review, testing cadence, and board-level reporting.
Technical Owners DevOps, InfoSec,DevSecOps and Infrastructure LEAP Cloud AWS infrastructure DR, runbook ownership and execution.
IT Operations Office 365/Entra ID backup and restore, end-user continuity.
Application Owners Service-specific DR runbooks, escalation contacts for their platforms.
GRC Maintains this policy, coordinates testing programme, manages exception register, and reports compliance

Policy Statement

LEAP is committed to ensuring the continued availability, integrity, and confidentiality of information and systems that are critical to its operations and to its customers. LEAP shall:

  • Maintain a documented and actively governed Business Continuity Management System (BCMS)
  • Identify, assess, and document the business impact of disruption to critical processes and systems through a formal BIA process
  • Define and maintain approved RTO and RPO targets for all critical systems, documented in the BIA
  • Implement technical and organisational controls to support recovery within approved targets
  • Test recovery capability at least annually and after significant change
  • Communicate clearly and promptly with staff, customers, and regulators during and after disruptive events
  • Continuously improve the BCMS based on lessons learned from tests, incidents, and audits

Policy Principles

Business Impact Analysis (BIA)

LEAP shall maintain a current Business Impact Analysis that identifies all critical business processes and supporting systems, assesses the impact of disruption across financial, operational, regulatory, and reputational dimensions, and documents management-approved RTO and RPO targets. The BIA shall be reviewed at minimum annually and following any significant change to systems, processes, or the threat environment

Recovery Objectives

RTO and RPO targets shall be defined in the BIA for all systems classified as Critical or High. Targets shall be set based on business need, technical feasibility, and cost, and must be formally approved by the DR/BCP Steering Group. The Policy does not prescribe specific values --- those are the responsibility of the BIA process.

Backup and Data Protection

Critical systems must have documented, tested backup and restore procedures with retention periods that meet business, contractual, and legal requirements. Backup integrity must be verified through regular automated checks and periodic manual restore tests. Backup procedures must support the RPO targets defined in the BIA.

Resilience

Production architecture must employ redundancy and fault tolerance appropriate to the criticality of each service, as determined by the BIA. All significant infrastructure changes must include a DR impact assessment prior to deployment. Single points of failure identified in the BIA must be tracked and remediated through the risk register

Communication

Channel Audience Owner
Slack #general (broadcast) All LEAP staff company-wide updates CISO
Slack #incident-<date> (working channel) Technical and operational responders CISO
Email / SMS On-call staff and domain owners (secondary) DevOps / IT On-call
Status page + email distribution list External customers and partners Customer Success
Legal / Regulatory notification Regulators, contractual counterparties Legal / CISO

Continuous Improvement

Lessons learned from tests, incidents, audits, and PIRs must be fed back into the BCMS. The risk register and BIA shall be updated following any significant event or exercise finding. Action items must be tracked to closure and reported to the DR/BCP Steering Group

Triggering BC/DR

BC/DR is formally activated when an incident or external event threatens to breach approved RTO or RPO targets, or materially impacts the safety of personnel, access to facilities, critical vendor services, or regulatory obligations. Examples include:

  • A production outage, data corruption, or confirmed security incident (including ransomware)
  • Loss of or inability to access primary office facilities
  • A cloud region or critical service disruption affecting core business functions
  • Extended unavailability of a critical vendor platform (identity, email, backup, monitoring)
  • A natural disaster, pandemic, or civil event materially affecting LEAP operations

Insurance

Insurance is an important part of LEAP's Risk Management plan to reduce the impact of an event or disaster.

Insurance Type Policy Coverage Insurance Company
ATI Global Limited Cyber, IT, Professional Indemnity and General Liability Chubb Insurance Australia Limited

The CFO has responsibility for LEAP Dev's insurance policies and any claims that need to be made, as well as ensuring that we have sufficient coverage in the event of significant disruption

Testing and Assurance

Test Type Frequency Scope Output
Annual DR Exercise At least once per year Core services, must include a regional disruption or major datastore scenario Test report with RTO/RPO achieved and action items

Contacts

Title Name Mobile Email Role
CEO, LEAP Dev Vahdat Dastpak +61 431 337 590 vahdat.dastpak@leapdev.io Authority to make a statement to the media on behalf of LEAP and to contact next of kin. Key development team remote availability and readiness
CISO Gavin Smith +61 434 835 430 gavin.smith@leapdev.io Coordinate IT staff and contact point for all IT and InfoSec services
CIO Chris Chahinian +61 402 342 659 chris.chahinian@leapdev.io Coordinate Business Systems staff and act as a backup contact point for all IT services
COO Nik Samuelson +61 411 511 097 nik.samuelson@leaplegalsoftware.com Coordinate finance team Crisis Communications
Chief People Officer (LEAP Global) Christine Ivanko +61 436 692 335 christine.ivankovic@leaplegalsoftware.com Key liaison between People and Communications Team Internal LEAP communications Back-up Spokesperson
Head of Legal, Software Group Naomi Saba +61 420 100 900 naomi.saba@ati-global.com Providing expert advice on matters of Law in a range of situations.
Marketing Manager (LEAP Global) Evett Baranov +61 424 111 095 evett.baranov@leaplegalsoftware.com Contact for social media channels and key media liaison
Marketing Manager (LEAP Australia) Jacqui Lillyman +61 466 584 839 jacqui.lillyman@leap.com.au Contact for social media channels and key media liaison

Responsibility Matrix

Asset / Environment Backup/DR Responsibility Business Owner Technical Lead
LEAP Cloud AWS (Core) DevOps Team Vahdat Dastpak Paul Kimber
Office 365 / Entra ID IT Ops Team (CloudAlly) Chris Chahinian Sandra Menares
Atlassian (Jira/Bitbucket) IT/DevOps (GitProtect/GitRestore) Vahdat Dastpak Paul Kimber
Cybersecurity Technologies CISO / InfoSec Team Gavin Smith Nathan Miller
LEAPAuth / Identity Platform DevSecOps Team Vahdat Dastpak Paul Kimber

Any References

  • ISO/IEC 27001:2022

Related documents

  • Incident Management Policy
  • Information Security Policy
  • Business Impact Analysis
  • DR/BCP Standard Operating Procedures

Policy Exceptions

Exceptions in this policy will be risk-assessed by CISO with valid business justification and Policy Owner's approval. Exceptions will be time bound.

Policy Enforcement

Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to P&C disciplinary action, up to and including termination of employment.

Policy Monitoring

Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.

Awareness & Communication

This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).

Version History

Version Number Date Section Changes Author Approver
1.0 <<enter date>> Initial Release Manager of GRC CISO