I'm looking for recommendations on the components of a well-formed disaster recovery clause. I have a few examples, and from what I can tell the more complete ones have the following provisions/requirements:
Does the above look correct? Does anyone specify RPO and RTO in their DR clause?Joe
Here are the components that we would like to see written into the clause:
An example clause:
Business Resumption & Contingency Plans:
Here's another version I found online which seems pretty good, as well:
Business Continuity Plans. [PARTY A] shall maintain a business continuity plan for each [DELIVERABLE], describing measures [PARTY A] will implement to recover from a Disaster.Disaster Recovery Plans. [PARTY A] shall include in each business continuity plan a plan for the recovery of critical technology systems, and procedures for restoring business operations at the primary location or at a designated recovery site for those critical technology systems, if necessary.Backup Facility. [PARTY A] will maintain disaster recovery services at a dedicated facility which is equipped to handle data center processing in the event disaster recovery is needed.Testing. [PARTY A] will test its disaster recovery capabilities at least once per calendar year and provide the results of each such test to [PARTY B].Notification of Events. [PARTY A] will notify [PARTY B] within one (1) hour of an event occurring that will likely result in service interruption in excess of forty-eight (48) hours. Following such a communication, [PARTY A] will provide updates on an hourly basis as to whether or not a disaster will be declared.Offsite Storage. [PARTY A] will provide off-site storage for [PARTY B]'s data files so that they can be reconstructed in the event of loss or destruction of [PARTY B]'s processing files at [PARTY A]'s backup facility.Backup Facility Agreements and Security. Throughout the term of this Agreement, [PARTY A] shall maintain in effect contracts and/or arrangements which are substantially equivalent to those that are currently in effect. [PARTY A] shall ensure that all data processors shall comply with no less than the security and data protection standards in this agreement.