Schedule B - DPA Appendix

Business Continuity &
Incident Response Statement

PAXP disaster recovery and incident management procedures

Document Version: 1.0 | Effective Date: November 7, 2025

PURPOSE: This statement forms Schedule B of the PAXP Data Processing Agreement and outlines business continuity, disaster recovery, and incident response procedures.

1. Business Continuity Overview

1.1 Recovery Objectives

Service Level Commitments:
RTO: 4 hours | RPO: 1 hour | Uptime Target: 99.9%

Metric	Target	Definition
RTO	4 hours	Maximum time to restore service
RPO	1 hour	Maximum acceptable data loss
Uptime	99.9%	Annual availability target

2. Disaster Recovery Procedures

2.1 Backup Strategy

Database Backups

Frequency: Automated daily
Retention: 30 days
Encryption: AES-256
Testing: Quarterly

Application Backups

Method: Git version control
Provider: GitHub
Redundancy: Multi-region
Rollback: Instant

2.2 Recovery Scenarios

Database Failure

Detection

Under 5 minutes

Recovery

Point-in-time restore

Timeline

1-2 hours

Application Failure

Detection

Under 2 minutes

Recovery

Auto-failover

Timeline

Under 30 min

Catastrophic Failure

Detection

Immediate

Recovery

Full DR activation

Timeline

4 hours (RTO)

3. Security Incident Response

3.1 Incident Classification

Critical

Personal data breach, complete service outage. Response: Immediate.

High

Service degradation, security vulnerability. Response: Under 4 hours.

Medium

Performance issues, minor events. Response: Under 24 hours.

3.2 Response Timeline

0-4 hours:

Detection, assessment, containment begun

4-24 hours:

Operators notified, incident contained

24-72 hours:

Detailed report, regulatory support

3.3 Operator Notification

Commitment: PAXP will notify affected operators within 24 hours of any security incident, as required by GDPR Article 28(3)(f).

4. Communication During Incidents

Emergency (24/7)

Email: security@zeaai.co

Response: Within 4 hours

Non-Emergency

Email: support@zeaai.co

Response: Within 24 hours

Acknowledgment

This Business Continuity & Incident Response Statement forms Schedule B of the PAXP Data Processing Agreement.
By accepting the DPA, Operator acknowledges these procedures.

Document Control: Version 1.0 | November 7, 2025

Contact: security@zeaai.co | support@zeaai.co

Business Continuity &Incident Response Statement

1.1 Recovery Objectives

2.1 Backup Strategy

Database Backups

Application Backups

2.2 Recovery Scenarios

Database Failure

Application Failure

Catastrophic Failure

3.1 Incident Classification

3.2 Response Timeline

3.3 Operator Notification

Emergency (24/7)

Non-Emergency

Business Continuity &
Incident Response Statement