WiBiz Business Continuity Plan
Document: WiBiz_Business_Continuity_Plan_v1.0
Owner: Digital Benefits Pte Ltd
Classification: Internal -- Confidential
Version: v1.0
Effective Date: 15 April 2026
Review Cycle: Annual (next review: April 2027)
1. Business Impact Analysis
| System | Criticality | Impact If Unavailable | Dependent Clients |
|---|---|---|---|
| CRM Platform (core automation engine) | Critical | All client AI automations stop. No inbound message handling. Bookings, lead capture, and follow-ups halt. | All clients |
| AI Conversation Engine (Anthropic Claude API) | Critical | AI responses stop across all channels. Clients receive no automated replies. | All clients |
| Payment Processing (Stripe / Razorpay) | Critical | Clients cannot collect payments via automated links. Revenue collection halts for affected clients. | Clients with payment automation |
| Client Communication Channels (WhatsApp, Instagram, Facebook, web chat) | Critical | Inbound customer messages are not captured or responded to. | All clients on affected channel |
| Frontend Applications (Vercel / Next.js) | Important | Client-facing portals, onboarding forms, and dashboards unavailable. Core AI automation unaffected. | Prospects, portal users |
| Voice Engine (ElevenLabs) | Important | Voice automation stops. Chat channels unaffected. | Clients with voice automation |
| Internal Tools (Airtable, Google Workspace, Discord) | Normal | Team coordination disrupted. No direct client service impact. | Internal only |
| Documentation and File Storage (Dropbox) | Normal | Internal files inaccessible. No direct client service impact. | Internal only |
2. Recovery Objectives
| Category | RTO (Recovery Time Objective) | RPO (Recovery Point Objective) |
|---|---|---|
| Critical systems | 4 hours | 1 hour (databases and CRM data) |
| Important systems | 24 hours | 24 hours |
| Normal systems | 72 hours | 48 hours |
RTO = maximum acceptable time to restore service after disruption.
RPO = maximum acceptable data loss measured in time (how far back is the last usable backup).
3. Backup Strategy
| What | Frequency | Method | Retention | Responsibility |
|---|---|---|---|---|
| CRM platform data (contacts, pipelines, conversations) | Daily automated | Platform-native export + API backup to secure cloud storage | 90 days rolling | Security Lead / Tech Lead |
| Client sub-account configurations | Weekly full backup | Platform snapshot or configuration export | 6 months | Tech Lead |
| Vercel/Next.js application code | Continuous | Git (GitHub). Every deploy is a versioned commit. | Indefinite (Git history) | Development team |
| Database (Neon Postgres for quote engine) | Daily automated | Neon's point-in-time recovery (built-in) | 7 days PITR, weekly manual snapshot retained 90 days | Tech Lead |
| Internal documents (Dropbox / WiBiz OS) | Continuous sync | Dropbox versioning + local copies on two machines | 180 days (Dropbox version history) | Automatic |
| API keys and credentials | On change | Vercel environment variables (encrypted at rest). Manual backup of credential inventory to encrypted storage. | Current + previous version | CEO / Security Lead |
Monthly backup restoration test: On the first Monday of each month, restore one critical backup to a test environment and verify data integrity. Log the result in WiBiz OS/05 Operations/BCP Test Log/.
4. Disaster Recovery Scenarios
Scenario A: Cloud Provider Outage (Vercel, CRM Platform)
- Detection: Automated uptime monitoring alerts (set up via UptimeRobot or equivalent).
- Response: Check provider status page. Notify affected clients within 2 hours that the outage is upstream. No WiBiz action can restore service -- provider must resolve.
- Mitigation: Vercel deployments can be redeployed to alternative regions. CRM platform has no self-hosted fallback -- document provider SLA and escalation contacts.
- Communication: Post status update to clients via WhatsApp broadcast and email.
Scenario B: Data Corruption
- Detection: Anomalous data in CRM, client reports of incorrect information, failed integrity checks.
- Response: Immediately stop automated workflows on affected accounts. Identify corruption scope. Restore from most recent clean backup within RPO.
- Recovery target: 4 hours for critical client data.
Scenario C: Ransomware / Malware
- Detection: Encrypted files, ransom notes, unusual system behavior.
- Response: Isolate affected systems immediately. Do not pay ransom. Engage Incident Response Plan (P1). Restore from clean backups after confirming the attack vector is closed.
- Prevention: MFA on all accounts, no local admin credentials stored in plaintext, regular credential rotation.
Scenario D: Key Person Unavailability
- Response: See Section 6 (Succession Planning). Ensure at least two people can perform every critical function.
5. Communication Plan During Outage
| Audience | Channel | Timeline | Message Owner |
|---|---|---|---|
| Internal team | WhatsApp internal group + Discord | Immediately on detection | Incident Commander |
| Affected clients | WhatsApp direct message + email | Within 2 hours for Critical system outages | Communications Lead (Chielo) |
| All clients (major outage) | Email broadcast + WhatsApp broadcast | Within 4 hours | CEO approval required |
| Channel partners (BC360, Anil) | Email to partner contact | Within 4 hours for outages affecting their clients | CEO |
Status update cadence during active outage:
- P1: Every 2 hours until resolved.
- P2: Every 4 hours until resolved.
Template status message:
WiBiz is currently experiencing [brief description of issue]. Our team is actively working on resolution. [Estimated restoration time if known, or "We will update you within X hours."] Your data remains secure. For urgent matters, contact [escalation contact].
6. Remote Work Continuity
WiBiz already operates as a distributed team (Singapore + Philippines remote). Existing capabilities:
- All team members work from personal devices with internet access.
- All critical tools are cloud-based: CRM platform, Vercel, GitHub, Google Workspace, Airtable, Discord.
- No on-premise servers required for client operations (Mac Mini handles internal automation only and is not client-facing).
- Communication channels: WhatsApp, Discord, Google Meet -- all accessible from any location.
Gaps to address:
- Ensure all team members have MFA enabled on all work accounts (deadline: May 2026).
- Document each team member's backup internet access method (mobile hotspot at minimum).
- Confirm all team members can access critical systems from a secondary device if primary fails.
7. Succession Planning (Key Person Risk)
| Key Person | Critical Functions | Backup / Successor | Gap to Close |
|---|---|---|---|
| CEO (Nick) | Final approval authority, regulatory contact, client relationship owner, platform admin access | Chielo (operational decisions), Legal counsel (regulatory) | Document all platform admin credentials in encrypted vault accessible to Chielo. Establish limited power of attorney for BCP scenarios. Deadline: Q3 2026. |
| Tech Lead (TBA after AJ departs April 2026) | Vercel deployments, frontend code, API integrations | Must be hired or assigned by May 2026 | Critical gap. No current backup for frontend/Vercel capability. Prioritize hiring. |
| Chielo (Governance / QA) | Client relationships, team coordination, QA sign-off | Aileen (partial -- Universe build lead) | Cross-train Aileen on client communication protocols. Deadline: Q3 2026. |
| Nan Fritzie (Chatbot / Automation) | Bot configuration, automation workflows, knowledge base management | Blessie (partial) | Document all standard bot configuration procedures as SOPs. Deadline: Q3 2026. |
Rule: No critical system should have only one person with access. Audit access distribution quarterly.
8. Annual BCP Test
- Conduct one BCP test per calendar year simulating a critical system outage.
- Test must include: backup restoration, communication plan execution, and succession activation.
- Rotate scenarios annually: cloud provider outage, ransomware recovery, key person unavailability.
- Document results and plan updates in
WiBiz OS/05 Operations/BCP Test Log/. - First test deadline: Q4 2026.
9. Plan Maintenance
- This plan is reviewed and updated annually or after any significant incident.
- Any change to critical systems, team structure, or hosting providers triggers an out-of-cycle review.
- The CEO is responsible for ensuring this plan remains current.
- All team members must know where this document is stored and how to access it during an emergency.
End of document. Next review: April 2027.