Backups & data
Hosted backups are managed for you. We run them, store them, and monitor them.
What's backed up
For every tenant (hub and each spoke):
- Database — Postgres logical backup, taken daily.
- moodledata PVC — Kubernetes VolumeSnapshot, taken daily.
The two are taken close in time (within ~5 minutes) so they restore as a coherent pair.
Retention
| Tier | Retention |
|---|---|
| Standard | 30 days |
| Dedicated | 90 days |
Anything older than the retention window is pruned automatically.
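As an added illustration (not the hosted platform's own tooling), this sketch checks a backup catalogue for coherent database/moodledata pairs and picks the newest pair that satisfies a requested point in time and the tier's retention. The function names and the sample timestamps are hypothetical; only the ~5 minute pairing window and the 30/90 day retention values come from this page.

```python
from datetime import datetime, timedelta, timezone

PAIR_WINDOW = timedelta(minutes=5)  # "within ~5 minutes", as stated on this page
RETENTION = {"standard": timedelta(days=30), "dedicated": timedelta(days=90)}


def coherent_pairs(db_dumps, pvc_snapshots, window=PAIR_WINDOW):
    """Match each database dump with the closest moodledata snapshot in the window.

    Returns (pairs, orphans): pairs are (db_time, pvc_time) tuples; orphans are
    dumps with no snapshot close enough to restore alongside them.
    """
    pairs, orphans = [], []
    remaining = sorted(pvc_snapshots)
    for db_time in sorted(db_dumps):
        candidates = [s for s in remaining if abs(s - db_time) <= window]
        if not candidates:
            orphans.append(db_time)
            continue
        best = min(candidates, key=lambda s: abs(s - db_time))
        remaining.remove(best)  # a snapshot belongs to one pair only
        pairs.append((db_time, best))
    return pairs, orphans


def pick_restore_point(pairs, tier, requested, now):
    """Newest pair taken entirely at or before `requested` and still in retention."""
    cutoff = now - RETENTION[tier]
    usable = [p for p in pairs if max(p) <= requested and min(p) >= cutoff]
    return max(usable, key=max) if usable else None


def ts(day, hour, minute):
    """Hypothetical helper: a UTC timestamp in May 2024 for the sample data."""
    return datetime(2024, 5, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample catalogue: three nightly runs; on the second night the
# volume snapshot ran 40 minutes late, so that dump has no coherent partner.
DB_DUMPS = [ts(1, 2, 0), ts(2, 2, 0), ts(3, 2, 0)]
PVC_SNAPSHOTS = [ts(1, 2, 3), ts(2, 2, 40), ts(3, 2, 4)]

if __name__ == "__main__":
    pairs, orphans = coherent_pairs(DB_DUMPS, PVC_SNAPSHOTS)
    print("dumps without a coherent snapshot:", orphans)
    print("restore point:", pick_restore_point(pairs, "standard", ts(2, 12, 0), ts(3, 12, 0)))
```

An orphaned dump is worth alerting on in its own right: it looks like a successful backup in a listing but cannot be restored as a consistent pair.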
Cross-region copies (Dedicated only)
On Dedicated, backups are also copied to a second region within 24 hours. This protects against a region-wide outage at our primary cloud provider.
Standard tenants don't get cross-region copies. The single in-region copy is durable against disk failure (it is replicated underneath) but not against a region-wide event.
RPO and RTO
| Tier | RPO (data loss tolerance) | RTO (time to restore) |
|---|---|---|
| Standard | 24 hours | Best effort, typically <8 business hours |
| Dedicated | 1 hour | <4 hours, 24/7 |
RPO is the worst case if we have to restore from yesterday's snapshot. RTO is how long you wait once you've requested a restore.
How to request a restore
Self-serve restore is on the roadmap; for now it's a support ticket:
- Open /support → Request restore.
- Specify which spoke, and which point in time (or "the most recent backup").
- We'll confirm receipt within 1 business hour and start the restore.
The original spoke is not overwritten by default. We provision a new spoke at <original-slug>-restore-<date> and let you point users at it once you've verified the data is what you wanted. You can rename or swap DNS once verified.
If you'd rather we overwrite (it's faster), say so in the ticket.
What's visible to you
/spokes/<id> shows a Backups card with:
- Last successful snapshot timestamp
- Next scheduled snapshot
- Retention window for this tier
- An amber callout if the most recent snapshot failed (rare; we monitor)
This is informational only — there's no "restore" button in the portal yet.
What's not backed up
A few things are explicitly out of scope:
- Email logs / outbound emails — Postmark / SES handles its own retention.
- Audit events — kept indefinitely in the control-plane database; not part of the per-tenant backup.
- Stripe data — owned by Stripe; we keep references but not duplicates.
- Self-host customers' data — we don't have it; see Self-Host → Backups.
Self-host comparison
On the hosted plan we own the backup story end-to-end. Self-host customers operate their own — the chart includes a CronJob that does VolumeSnapshots, but the customer manages the schedule, retention, and restore process themselves. See Self-Host → Backups for the full breakdown.