Aspose Business Continuity Policy

Last updated: 1 November 2024

1. Introduction 

Aspose Pty Ltd (Aspose) is a market-leading software development company that offers award-winning APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, ZIP, CAD, XPS, EPS, and PSD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, Xamarin, and Android, along with reporting solutions for Microsoft SharePoint and rendering extensions for SQL Server Reporting Services and JasperReports.

Aspose is trusted by thousands of companies for our products’ performance, stability, and adaptability. We are committed to conducting business with integrity and in compliance with all applicable Australian laws and regulations.

This Business Continuity Policy outlines our commitment to maintaining uninterrupted operations of our downloadable, self-hosted products by safeguarding critical business functions identified in our Business Impact Analysis (BIA). The policy ensures that we minimize downtime, protect customer data, and maintain operational resilience to continue providing consistent, reliable services to our clients.

2. Purpose 

The purpose of this policy is to establish a comprehensive framework that ensures the continued availability and reliable operation of Aspose’s self-hosted API solutions during any disruptions. By aligning with the findings of our BIA, this policy sets out strategies to:

  • Minimize Service Downtime: Meet the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) established in the BIA for each critical function.
  • Protect Data Integrity and Security: Implement robust measures for data protection and cybersecurity.
  • Ensure Operational Resilience: Develop detailed recovery strategies for each critical function.
  • Mitigate Identified Risks: Proactively address risks highlighted in the BIA through targeted strategies.
  • Maintain Regulatory Compliance: Adhere to all relevant legal and contractual obligations.
  • Foster Trust and Transparency: Communicate effectively with stakeholders during disruptions.

3. Scope 

This policy applies to all Aspose operations related to our downloadable, self-hosted products, including employees, contractors, infrastructure, and partnerships with external service providers. Specifically, it encompasses:

  • On-Premise API Solutions: All Aspose APIs deployed on customer environments for local file format manipulation.
  • Core IT Infrastructure: Hardware, software, networks, and systems supporting our self-hosted products.
  • Data Protection and Security: Measures to safeguard our codebase, customer data, and sensitive information.
  • Personnel and Key Business Functions: Roles involved in maintaining business continuity, including development, support, sales, and IT teams.
  • Vendor and Partner Dependencies: Third-party services essential to our operations.
  • Regulatory and Legal Compliance: Adherence to applicable laws and standards.

4. Business Continuity Objectives 

Our primary objectives are to ensure the uninterrupted availability and reliability of Aspose’s self-hosted API services during disruptions. This includes:

  • Minimizing Operational Downtime: Restore critical functions within defined RTOs and RPOs.
  • Protecting Critical Assets: Safeguard our intellectual property, customer data, and infrastructure.
  • Maintaining Customer Trust: Deliver consistent, reliable services and transparent communication.
  • Ensuring Regulatory Compliance: Meet all legal, regulatory, and contractual obligations.
  • Continuous Improvement: Regularly update our business continuity strategies based on lessons learned.

5. Risk Assessment and Business Impact Analysis (BIA) 

Aspose regularly conducts Risk Assessments and Business Impact Analysis (BIA) to identify potential threats and ensure business continuity.

5.1 Risk Assessment

This involves identifying and evaluating threats to Aspose’s services, infrastructure, and data. Key risks include:

  • Cybersecurity Threats: High likelihood and impact (e.g., malware, ransomware).
  • Software Failures: Moderate likelihood; high impact on product delivery.
  • Natural Disasters: Low likelihood; moderate impact on infrastructure.
  • Remote Workforce Risks: Moderate likelihood; moderate impact due to connectivity issues.
  • Third-Party Dependencies: Low likelihood; moderate impact if vendors fail.
  • Regulatory Compliance Risks: Low to moderate likelihood; moderate impact.
  • DevOps Challenges: Moderate likelihood; high impact on deployment efficiency.

5.2 Business Impact Analysis (BIA)

The BIA evaluates the effects of risks on critical business functions to prioritize recovery efforts:

  • Product Development and Engineering: High operational impact; delays affect customer satisfaction.
  • Customer Support and Technical Assistance: High reputational impact; downtime affects trust.
  • Sales and Marketing: Moderate financial impact; affects revenue growth.
  • IT Infrastructure and Security: High operational and reputational impact; essential for all functions.
  • Human Resources: Moderate operational impact; affects employee productivity.

RTOs and RPOs are established for each function based on impact levels.

5.3 Risk Mitigation

Aspose implements strategies to reduce risks:

  • Redundancy and Backups: Ensuring infrastructure and data storage backups.
  • Security Audits: Regular security checks to prevent vulnerabilities.
  • Third-Party Risk Management: Assessing vendors for continuity standards.
  • Employee Training: Training staff to prevent human error and handle incidents.

5.4 Ongoing Monitoring

Aspose monitors risks continuously and reviews its BIA annually or as needed, ensuring the business continuity plan remains effective and up-to-date.

6. Business Continuity Planning (BCP) and Recovery Strategies 

Aspose has developed strategies to protect infrastructure, maintain services, and minimize disruptions.

6.1 Business Continuity Framework

The framework includes:

  • Risk Identification: Regular assessments to identify risks like hardware failures, cyber threats, and natural disasters, alongside BIA to assess their impact.
  • Governance: A Business Continuity Management (BCM) team oversees all continuity efforts.
  • Plan Development: Business Continuity Plans (BCPs) for APIs, IT infrastructure, and customer support are reviewed annually or after major changes.

6.2 Continuity Strategies

Aspose ensures operational continuity through:

  • Redundancy and Backups: Regular backups of code repositories and data, stored securely off-site.
  • Advanced Cybersecurity Measures: Firewalls, encryption, multi-factor authentication, and regular security audits.
  • Remote Collaboration Tools: Secure VPNs and collaboration platforms to support the remote workforce.
  • Vendor Management: Assessing and monitoring third-party providers for continuity capabilities.
  • DevOps Implementation: Adopting CI/CD pipelines to improve deployment efficiency and resilience.

6.3 Recovery Procedures

  • Product Development and Engineering: Restore development environments and code access within 24 hours (RTO); recover codebase to within 4 hours of the last update (RPO).
  • Customer Support: Resume support operations within 4 hours (RTO); access to customer data within 8 hours (RPO).
  • Sales and Marketing: Re-establish systems within 24 hours (RTO); recover customer data within 12 hours (RPO).
  • IT Infrastructure and Security: Address incidents within 1 hour (RTO); maintain near real-time data recovery (RPO).
  • Human Resources: Restore HR systems within 48 hours (RTO); recover employee data within 24 hours (RPO).

7. Incident Response and Crisis Management

Aspose’s emergency response plan ensures quick, efficient recovery from crises, maintaining customer trust and the company’s reputation.

7.1 Incident Response Framework

  • Identification and Classification: Early detection and categorization of incidents.
  • Escalation Procedures: Clear protocols for escalating incidents based on severity.
  • Response Actions: Steps to contain and resolve the incident promptly.

7.2 Crisis Management

  • Crisis Management Team (CMT): Activated for severe incidents impacting multiple functions.
  • Communication: Regular updates to stakeholders.
  • Post-Incident Review: Analyze response effectiveness and update plans.

8. Communication Plan 

Aspose’s communication plan ensures timely, clear updates to stakeholders during incidents, helping restore normal operations and maintain trust. As Aspose’s self-hosted products don’t depend on Aspose’s infrastructure, we will make best endeavors to keep customers aware of any issues we may be experiencing, but these will mainly be for informational purposes.

8.1 Purpose

The plan aims to:

  • Reduce confusion during incidents.
  • Maintain customer and partner trust.
  • Support fast recovery.

8.2 Key Stakeholders

  • Internal: Employees, management, incident response teams.
  • External: Customers, partners, vendors, regulators.

8.3 Communication Channels

  • Internal: Email, messaging platforms, internal blog posts, virtual meetings.
  • External: Email alerts (where appropriate), company website, company blog, social media.

8.4 Communication Protocols

  • Initial Notification: Within 30 minutes internally; customers informed within 4 hours if affected.
  • Ongoing Updates: Regular intervals based on incident severity.
  • Resolution Notification: Final update upon issue resolution.

8.5 Review and Improvements

After incidents, Aspose reviews communication efforts, gathers feedback, and updates the plan to improve future responses.

9. Roles and Responsibilities 

9.1 Executive Management

  • Provides leadership and resources for business continuity.
  • Approves and reviews the Business Continuity Policy, ensuring it aligns with company goals.

9.2 Business Continuity Manager

  • Oversees the Business Continuity Plan (BCP) and Business Impact Analysis (BIA).
  • Conducts risk assessments, coordinates training, and ensures BCP compliance.
  • Leads post-incident reviews.

9.3 Incident Response Team (IRT)

  • Activates the BCP during disruptions.
  • Assesses incidents, coordinates response, and communicates status.
  • Documents outcomes for future analysis.

9.4 Crisis Management Team (CMT)

  • Manages severe incidents, ensuring strategic alignment.
  • Oversees external communications and post-crisis evaluations.

9.5 IT Disaster Recovery Team

  • Maintains IT recovery plans and tests disaster recovery processes.
  • Protects critical assets and supports recovery within RTO and RPO targets.

9.6 Customer Support Team

  • Updates customers on service disruptions and resolutions.
  • Manages inquiries and aligns communication with internal updates.

9.7 All Employees

  • Understand and follow the Business Continuity Policy.
  • Participate in training and report incidents.
  • Report incidents promptly.

9.8 Training and Awareness

  • Regular training and drills for all employees, starting at induction, with check-ins during regular employee reviews.
  • Role-specific training for key teams, with updates based on feedback.

10. Testing and Maintenance 

Regular testing and maintenance ensure Aspose is prepared for emergencies, keeping personnel familiar with their crisis roles and the Business Continuity Plan (BCP) effective and relevant.

10.1 Purpose of Testing

  • Validate the BCP’s effectiveness.
  • Identify areas for improvement.
  • Enhance employee preparedness through practical exercises.

10.2 Testing Procedures

  • Tabletop Exercises: Discuss response scenarios to identify gaps (twice yearly).
  • Simulation Exercises: Test team responses in realistic scenarios (annually).
  • Full-Scale Drills: Deploy resources in real-time conditions (every two years).
  • Technology Tests: Regularly test IT disaster recovery processes (quarterly).

10.3 Evaluation and Feedback

  • Debrief after each test to assess responses.
  • Gather feedback from participants.
  • Document findings for review and improvements.

10.4 Plan Maintenance

  • Review and update the BCP annually or after major changes.
  • The Business Continuity Manager ensures updates are communicated.
  • Maintain a version-controlled BCP for easy access.

10.5 Training and Awareness

  • Integrate BCP training into onboarding.
  • Continuously educate staff on their roles and any plan updates.

11. Compliance and Continuous Improvement 

Aspose is committed to following relevant laws, regulations, and industry standards while continuously improving the Business Continuity Plan (BCP) to meet organizational goals.

11.1 Compliance Commitment

  • Regulatory Adherence: Comply with business continuity laws, data protection, privacy regulations, and standards like ISO 22301.
  • Internal Policies: Align the BCP with Aspose’s policies on risk management, IT security, and incident response.

11.2 Monitoring Compliance

  • Audits: Conduct regular audits to ensure adherence to schedules, documentation accuracy, and role fulfillment during incidents.
  • Documentation: Maintain records of all continuity activities, including training, testing, and audits.

11.3 Continuous Improvement

  • Feedback: Collect feedback via post-incident reviews and surveys to identify improvement areas.
  • Plan Updates: Revise the BCP based on audit findings, emerging threats, or operational changes.
  • Best Practices: Incorporate industry trends and strategies to enhance BCP resilience.

11.4 Training and Awareness

  • Ongoing Education: Provide regular training to ensure employees understand their roles and compliance requirements.
  • Communication: Update staff promptly on BCP changes through workshops or materials.

11.5 Leadership Engagement

  • Executive Oversight: Management reviews compliance reports and promotes resilience.
  • Resource Allocation: Ensure sufficient resources for compliance, improvement, and training.

12. Policy Review 

This Business Continuity Policy will be reviewed annually by the executive team or after significant changes in the business environment, technology stack, or operational footprint.