Data Protection

Every service which is part of the application catalog has data protection features. This means that the system takes care of creating regular backups and provides means to restore from a backup.

Recovery Point Objective (RPO)

Scheduled is at least one backup every 24h. Handling of failed scheduled backups are subject to the SLA. The time of backup can be at a random time of day and is not customizable.

Recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization. An RPO determines the maximum age of the data or files in backup storage needed to be able to meet the objective specified by the RPO, should a network or computer system failure occur.

— - Glossary

Recovery Time Objective (RTO)

We currently do not provide any guarantees, as it highly depends on the service and the amount of data to be restored.

The recovery time objective (RTO) is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place. RTO captures the maximum allowable time between restoration of normal service levels and resumption of typical operations and the unexpected failure or disaster. RTO defines a turning point, after which time the consequences of interruption from a disaster or failure become unacceptable.

— - Glossary


No additional costs occur for this service, it’s integral part of the service offering. Allthough the service consumer can be charged additionally for every compute and storage resource (including temporary) that the backup itself consumes on a pay-per-use basis. This cost may differ from service to service and depends on the infrastructure the service is running on.

Backup process monitoring

The backup process is monitored and acted upon, as defined in the SLA.

Backup data location

The backup snapshots are stored on the same cloud provider and region where the service instance is provisioned on.

Backup data encryption

Data is encrypted before being sent to the backup location. Transfer of data happens over a TLS encrypted and authenticated connection.

Content of the Backup data

Each snapshot is able to restore the full data of a service instance.

Backup retention policy

  • The last 5 most recent snapshots are never deleted.

  • Keep the last snapshot for each day for the last 7 days.

  • Keep the last snapshot for each week for the last 2 weeks.

  • Keep the last snapshot for each month for the last 3 months.

When a service instance is deleted, all backups are deleted as well.

Backup process

A backup usually does not cause a general service connection interruption. However, there may be performance impacts with nondeterministic duration.

Restore trigger

A data restore currently has to be requested via VSHN Support.

Restore process

During the duration of the restore process the service will have reduced availability or may be completely unavailable. Depending on the nature of the service, clients of the service will need to reconnect after the restore, which may involve re-resolving the service name via DNS lookup. Depending on the client implementation this may require restarting the client.


The backup process is operated and orchestrated by K8up with Restic as the low-level backup tool. Depending on the service, specific tools are used to ensure data integrity (e.g. database dumps instead of plain file backup).


Currently no customization of the backup process is possible. The backup process is enabled by default, but can be disabled per service instance. Once disabled, we don’t guarantee any data safety.


The backup process is not meant for disaster recovery, but to protect from accidental data loss like a bug, a cyberattack, user error or data corruption.