Business Continuity Policy (BCP)

Preamble

This Business Continuity Policy ("BCP") describes the organisational, technical and legal measures implemented by Axel REGNOULT, operating under the trade name Axelo (SIRET 895 214 989 00017 — 128 rue de la Boétie, 75008 Paris, France), to ensure the continuity of the Services offered on the website https://www.web-agency.app, including in the event of a major incident or provider failure.

This BCP constitutes a document of trust, in particular for professional Customers (B2B), and supplements the GTCS, the SaaS GST and the DPA.

Article 1 — Nature of the undertaking (best effort, not result)

The undertakings given by Axelo under this BCP constitute a best-effort undertaking and not an obligation of result. Axelo deploys reasonable means, proportionate to the nature and size of an individual micro-enterprise, to ensure the availability, integrity and resilience of the Services.

No contractual uptime guarantee (uptime SLA) is undertaken, unless a separate written agreement is signed.

Article 2 — Infrastructure and data residency

Axelo's infrastructure is based on Google Cloud Platform via Firebase (Firebase Hosting, Firebase App Hosting, Firestore, Cloud Storage, Cloud Functions), in the europe-west4 region (Eemshaven, Netherlands — European Union).

This region has native multi-zone redundancy: data and compute are replicated in real time across at least two physically separated availability zones within the same regional data centre, providing automatic resilience against localised hardware or network failures.

One exception remains for the Stripe extension firestore-stripe-payments, hosted in europe-west1 (Saint-Ghislain, Belgium), due to the lack of europe-west4 support by Google's validation of this extension. The details of the regional strategy are set out in the Privacy Policy.

Article 3 — Backups and retention

Axelo implements a backup policy ensuring the integrity and restorability of Customer data:

• Daily automatic backups of all databases and user files, encrypted at rest (AES-256 on the Google Cloud side);
• Retention: thirty (30) days rolling, with automatic rotation. Backups older than thirty days are irreversibly overwritten;
• Isolation: backups are stored in a Google Cloud project separate from the production project, with dedicated IAM permissions;
• Restoration tests: a partial restoration test is carried out at least once per quarter.

Article 4 — RPO and RTO

Axelo undertakes to deploy reasonable means to comply with the following indicative targets in the event of an incident:

• RPO (Recovery Point Objective) — twenty-four (24) hours — maximum amount of data potentially lost between the last exploitable backup and the time of the incident;
• RTO (Recovery Time Objective) — forty-eight (48) hours — maximum target duration between detection of a major incident and resumption of service under nominal conditions.

These targets are internal best-effort objectives, not contractual obligations of result (see article 1).

Article 5 — Failover procedure in the event of a major incident

In the event of a major incident affecting the availability or integrity of the Services, the following procedure applies:

• Detection: automated alerts (Google Cloud monitoring, Sentry) + human supervision during working hours;
• Qualification: assessment of the severity, scope and likely duration of the incident;
• Communication: notification to affected Customers by email and/or banner on the website, within a reasonable time and at least every twenty-four (24) hours during the incident;
• Technical failover: automatic multi-zone redeployment by Google Cloud; in the event of prolonged regional unavailability, triggering of the backup restoration procedure in an alternative EU region (europe-west1 as primary fallback);
• GDPR notification in the event of a personal data breach: following the procedure defined in article 9 of the DPA (72 hours);
• Lessons learned: an incident report is sent to the affected professional Customers within fifteen (15) days following return to normal.

Article 6 — Recovery plan in the event of provider disappearance

Since Axelo is operated by a sole trader, a specific arrangement is in place to ensure continuity of the Services in the event of disappearance, lasting incapacity or cessation of activity of the operator.

A sealed document is deposited with a trusted notary or lawyer, formally designated, containing the following:

• the Firebase / Google Cloud administrator credentials enabling resumption of the infrastructure;
• the domain name transfer procedures (web-agency.app and associated), including the list of registrars and contacts;
• the contact details of the designated successor (trusted third-party natural or legal person), responsible, in the first instance, for ensuring minimum operational continuity of the service (maintaining the Services as is, handling of GDPR requests, return of data);
• the notification instructions to be sent to active Customers within a maximum of thirty (30) days after the triggering event.

This document is updated at least once a year, and after any substantial change to the infrastructure or providers.

Article 7 — Annual audit and continuity tests

Axelo carries out, at least once a year, an internal continuity audit including:

• verification of backup integrity and a restoration test on a representative sample;
• review of BCP documentation and of the sealed document (see article 6);
• updating of emergency contacts (notary / lawyer, successor, key providers);
• review of any incidents during the year and of the corrective actions implemented.

A summary audit report may be provided, on written request, to professional Customers party to the DPA, while respecting the confidentiality obligations towards other Customers (see DPA art. 10).

Article 8 — Exclusions and force majeure

The following are expressly excluded from the scope of this BCP and may not engage Axelo's liability:

• cases of force majeure within the meaning of article 1218 of the French Civil Code: an event beyond Axelo's control, which could not reasonably be foreseen when the contract was concluded and the effects of which cannot be avoided by appropriate measures (natural disaster, war, terrorist attack, epidemic, general strike, decision of a public authority, etc.);
• third-party acts, in particular cyber-attacks of a level of sophistication such that they could not have been prevented despite the technical and organisational measures in place (see DPA art. 6);
• prolonged failures of Google Cloud Platform, in particular any regional unavailability of europe-west4 and/or europe-west1 lasting more than five (5) consecutive days;
• acts of the Customer or its authorised users (misuse, accidental deletion not recoverable beyond the 30-day window, breach of the ToU / SaaS GST);
• scheduled maintenance operations notified in advance.