ADR-0033 — Backup & disaster recovery (Velero + PITR; RTO/RPO targets)

V1 Freeze (2026-06-12): Deferred. V1 = documented pg_dump + object-store versioning. Formal backup/DR (Velero/PITR, RTO/RPO) re-opens at P4.

Context

BitVault is a data-custody product; loss of the metadata DB or KMS keys is unrecoverable, while clusters and derived stores are rebuildable. We need explicit, tested recovery objectives and a backup posture that survives ransomware and region loss.

Decision

Back up the irreplaceable (metadata DB, KMS keys), rebuild the rest, and test restores:

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Object-store “backup” is versioned replication, not a separate copy (copying petabytes is infeasible). Frequent base backups bound the amount of WAL that PITR must replay, and therefore the restore time. Restore drills run on a sampled subset regularly and at full scale periodically.