Purpose

This article explains how ARMOR backs up application configuration and customer data, how backups are protected, where they are stored, and what to expect during a restore.

Scope

• ARMOR Asset Management platform running in Azure Kubernetes Service (AKS)

• Production and staging environments

• Database backups and configuration/infrastructure backups

Summary of Controls

• Platform: AKS with Infrastructure-as-Code (Helm) for app/config backups

• Database backups: Daily + pre-maintenance snapshots

• Storage: Azure Blob Storage (RA-GRS), independent of AKS

• Security: Azure AD MFA, network segmentation, AES-256 encryption at rest

• Tamper-evidence: Per-backup hash stored separately for integrity validation

• Access: Unique write-only service credentials; limited admin delete/list access

• Testing: Formal restore tests twice per year; frequent test restores in QA/engineering

• Resilience: DB clustered across ≥2 AKS nodes; regional redundancy via RA-GRS

• RTO (catastrophic): 4 hours from start of rebuild efforts

• SLA target: 99.9% uptime

What We Back Up

1) Application, Configuration, and Infrastructure

• Deployed and versioned with Helm and Infrastructure-as-Code.

• The entire application stack can be destroyed and re-created exactly from source and release artifacts.

2) Databases (Customer Data)

• Frequency:

  • Daily automated backups

  • Automatic pre-maintenance backups prior to major changes

• Format/Content: Database payloads only (no OS images or executables).

Where Backups Are Stored

• Primary: Azure Blob Storage, isolated from the AKS cluster hosting the platform.

• Redundancy: RA-GRS (geo-redundant storage) replicates data to a secondary Azure region to protect against regional outages.

Security & Integrity

Authentication & Access

• MFA: Administrative access to Azure resources requires Azure AD MFA.

• Segmentation: Backup storage is logically separate from compute/runtime.

• Least privilege:

  • Services use unique, write-only credentials to place backups in Blob Storage.

  • Only a limited set of administrators can list/delete backup blobs.

Encryption

• Data at rest (DB disks): Azure Managed Disk Encryption (AES-256).

• Backups in Blob: Encrypted at rest by Azure Storage.

Tamper Evidence & Integrity

• Each backup also writes a separate cryptographic hash (stored in another blob).

• During restore or verification, the hash is used to validate the backup has not been altered.

Malware / Virus Scanning

• Not performed on backup images. Backups contain database data only and are read by the database engine during restore (not executed), which significantly limits malware risk.

Note on immutability: We do not currently enforce storage immutability (WORM). Deletion/retention is controlled through restricted admin access and hash-based integrity verification.

Redundancy & Recovery

High Availability (Active/Failover)

• Databases run in a cluster across ≥2 AKS nodes.

• If the primary node fails, a secondary is promoted automatically, targeting zero downtime for single-node failures and routine maintenance.

Backup & Restore (Catastrophic Scenarios)

• If an AKS cluster is lost or a database becomes corrupted:

  1. Re-deploy the platform from Helm/IaC.

  2. Restore the latest validated backup.

• Recovery Time Objective (RTO): 4 hours from the start of rebuild efforts.

• Actual downtime may vary if faster alternative recovery methods are attempted before a full rebuild.

Testing & Validation

• Formal DR/restore tests at least twice per year.

• Practical testing occurs regularly as engineering restores subsets of production data to QA/test environments.

Restore Requests (Customer-Facing)

If you require a restore or point-in-time recovery:

1. Email support@armordata.com (or your ARMOR support contact).

2. Provide: environment, dataset, desired restore point/time, and urgency.

3. ARMOR verifies backup integrity (hash) and executes the restore.

4. We will confirm completion and provide a summary of actions taken.

FAQs

Do you protect data at rest?
Yes. Database disks use AES-256 via Azure Managed Disk Encryption; backup objects are encrypted at rest in Azure Storage.

Where are backups stored?
In Microsoft Azure Blob Storage with RA-GRS replication across two regions.

Can we validate backups for malware before restore?
Backups are database-only and are non-executable. We validate integrity via a separate stored hash prior to restore.

What is your uptime target?
We target 99.9% uptime. Since launch, we have not required a production backup restore or platform rebuild.

What is your retention period?
Retention aligns with customer agreements and regulatory needs. If you require a specific retention window, contact support@armordata.com.

Contact

For backup/restore assistance or custom retention options, contact support@armordata.com or your Customer Success Manager.