Backup strategy
myflow takes near-hourly snapshots of all production databases. Snapshots capture the entire dataset at a consistent point in time. Object storage (uploaded files, attachments, generated content) is versioned and separately backed up on the same schedule.
- Cadence: approximately every hour.
- Retention: snapshots are kept for 30 days, after which they are automatically deleted.
- Encryption: all backups are AES-256 encrypted at rest. Encryption keys are managed separately from the data.
- Geographic redundancy: backups are replicated across multiple regions inside the European Union, so the loss of a single region does not lose customer data.
What "30 days" means for you
Inside the retention window, we can restore the platform to any of the snapshots we hold. After 30 days, older snapshots are permanently deleted — including data from deleted accounts. This is intentional: it keeps our retention promise to customers exercising their right to erasure.
If you accidentally delete data and notice quickly, we can usually help you restore it from a recent snapshot. Contact oliver@myflow.se; large or time-sensitive recoveries should also copy oliver@myflow.se.
Restore testing
A backup you've never restored from is a hope, not a backup. We periodically restore from snapshots into an isolated environment and verify the data is intact and usable. This catches problems with the backup pipeline before we'd ever need to rely on it for real.
Recovery objectives
We design and operate myflow against the following internal targets:
- RPO (recovery point objective): ~1 hour. In the worst case, customers should not lose more than roughly an hour of work, thanks to the snapshot cadence.
- RTO (recovery time objective): a few hours. For a full-region failure, our target is to be serving traffic from a healthy region within a small number of hours.
These are internal targets, not contractual SLAs. We are transparent about them so you can see how we think; we are working towards being able to commit to formal SLAs for customers who need them.
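As an added example (not myflow's own tooling), the following Python script audits a snapshot history against the figures above: it lists the snapshots that fall outside the 30-day retention window, flags gaps in the history that would break the ~1 hour RPO, and computes how much work would actually be lost for a given failure time. The hourly snapshot history, the 15-minute scheduling tolerance for "near-hourly", and the reference time are constructed assumptions, not real data.

```python
from datetime import datetime, timedelta, timezone

# Figures stated on the page.
HOUR = timedelta(hours=1)
SNAPSHOT_INTERVAL = HOUR             # "approximately every hour"
RETENTION = timedelta(days=30)       # snapshots kept for 30 days
RPO = HOUR                           # recovery point objective, ~1 hour

# Assumed tolerance for "near-hourly"; not a figure from the page.
SCHEDULE_SLACK = timedelta(minutes=15)

# Constructed reference time used by the sample history below.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def expired_snapshots(snapshots, now):
    """Snapshots older than the retention window; these are the ones
    the retention policy deletes permanently."""
    cutoff = now - RETENTION
    return sorted(t for t in snapshots if t < cutoff)


def worst_case_data_loss(snapshots, failure_time):
    """Work lost if the platform fails at failure_time and is restored
    from the newest snapshot taken at or before that moment, i.e. the
    realised recovery point for that failure."""
    usable = [t for t in snapshots if t <= failure_time]
    if not usable:
        raise ValueError("no snapshot exists before the failure time")
    return failure_time - max(usable)


def rpo_violations(snapshots, now):
    """Gaps between consecutive retained snapshots (and from the newest
    snapshot to now) that exceed RPO plus slack. Each violation is a
    (gap_start, gap_end, gap_length) tuple."""
    cutoff = now - RETENTION
    kept = sorted(t for t in snapshots if t >= cutoff)
    points = kept + [now]
    limit = RPO + SCHEDULE_SLACK
    return [
        (earlier, later, later - earlier)
        for earlier, later in zip(points, points[1:])
        if later - earlier > limit
    ]


def constructed_history(now):
    """Constructed sample: hourly snapshots for the last 35 days, minus
    two missed runs 10 and 11 hours ago (a 3-hour gap). Not real data."""
    start = now - timedelta(days=35)
    snaps = []
    t = start
    while t <= now:
        snaps.append(t)
        t += SNAPSHOT_INTERVAL
    missed = {now - 10 * HOUR, now - 11 * HOUR}
    return [s for s in snaps if s not in missed]


def audit(snapshots, now):
    """Summary a backup monitor could alert on."""
    expired = expired_snapshots(snapshots, now)
    return {
        "retained": len(snapshots) - len(expired),
        "to_delete": len(expired),
        "rpo_violations": rpo_violations(snapshots, now),
    }


if __name__ == "__main__":
    history = constructed_history(SAMPLE_NOW)
    report = audit(history, SAMPLE_NOW)
    print(f"retained: {report['retained']}, to delete: {report['to_delete']}")
    for start, end, length in report["rpo_violations"]:
        print(f"RPO gap of {length} between {start:%Y-%m-%d %H:%M} and {end:%H:%M}")
    failure = SAMPLE_NOW - 10.5 * HOUR
    print(f"failure at {failure:%H:%M} would lose {worst_case_data_loss(history, failure)}")
```

The retention check is the easy half; the gap check is the one that catches a silently stalled snapshot job, which is exactly the failure that periodic restore testing is meant to surface before it matters.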
High availability of the live service
Beyond backups, the live service is built to keep running through ordinary failures: redundant application servers behind load balancers, managed databases with automated failover, and a CDN that absorbs traffic spikes and masks simple edge failures. Day-to-day component failures should not be visible to you.
Business continuity
Our business continuity plan covers more than infrastructure. It includes how we communicate during an incident, who is on call, how the team operates if our office or main collaboration tools are unavailable, and how we keep payroll, payments and support running. We review the plan at least annually and after every significant incident.
What we ask of you
- If your business has stricter recovery requirements than the targets above, talk to us before signing. We will tell you honestly whether we can meet them.
- Keep your admin email addresses up to date. During an incident, that's how we reach you.
- Enable multi-factor authentication. Most "lost data" incidents are account compromises, not infrastructure failures.