Shedthemusic, LLC — Disaster Recovery Plan (DRP)

Version: 1.0 | Last updated: 2025-10-23

Owners: Bob Habersat (CTO), Kris Habersat (Member Management)

Scope: Public website, membership access, curriculum delivery, support operations. Applies globally, including AU/NZ (with reseller MusicEdNet).

1) Principles & Assumptions

- No student PII is collected or stored. School access uses shared, school‑scoped generic usernames and rotating access codes; no student accounts.

- Primary SaaS: Squarespace (public site, content), MemberSpace (member auth/access), Google Workspace (docs, email/support). Payments: Stripe (not used for AU/NZ schools; AU/NZ handled by MusicEdNet).

- This DRP is independent of SaaS providers’ DR/BC documents and covers Shedthemusic business disruptions (loss of access, staff unavailability, offline backups, website outage).

2) Recovery Objectives

- RTO (time to restore core services): 24 hours for web presence & member access; 4 hours for urgent communication.

- RPO (max data loss): 24 hours for member content and site changes; 7 days for offline snapshots (worst case).

- Critical services: (1) Public site/ordering/info, (2) Member access to curriculum/resources, (3) Support comms, (4) AU/NZ continuity via MusicEdNet.

3) Roles & Escalation

- Incident Commander (IC): Bob Habersat (CTO). Alternate: Kris Habersat.

- Communications Lead: Kris Habersat. Alternate: Bob Habersat.

- AU/NZ Liaison: Kris Habersat with MusicEdNet.

- Escalation triggers: site unreachable >15 min, auth failures >15 min, data integrity alerts, suspected compromise, staff unavailability >1 business day.

4) Runbooks — Common Scenarios

A. Full Website Outage (Squarespace)

- Detect: Uptime alert or status page auto-update indicates incident.

- Comms (T+0–1h): Reference status.squarespace.com, publish website banner/alt site notice, post to social, email members; notify MusicEdNet.

- Temporary Presence (T+1–3h): Deploy lightweight static “status/landing” page via alternate host (e.g., GitHub Pages/Google Sites) with links to resources & support form.

- Member Access Continuity (T+1–6h): Provide time-limited, read-only Google Drive links to curriculum. Validate school access via roster + school generic username/access code.

- Restore: On provider recovery, verify DNS, TLS, pages, forms, checkout; re-enable deep links; close incident.

B. Member Access Outage (MemberSpace)

- Detect: Login/portal errors, status.memberspace.com incident.

- Comms: Notify members & schools with ETA if provided.

- Bypass (T+1–3h): Issue time-limited access codes to read-only Google Drive mirrors by school.

- Restore: Re-enable MemberSpace; rotate temporary codes.

D. Compromise / Suspicious Activity

- Contain: Disable affected integrations, rotate API keys/passwords (Squarespace, MemberSpace, Google Workspace), revoke suspicious sessions.

- Preserve evidence: Export relevant logs (auth, changes).

- Notify partners and impacted orgs if exposure is suspected.

- Recover from last known-good export/snapshot; validate integrity.

E. Payment Workflow Disruption

- US/Global: If Stripe impacted, pause new sales; switch to invoice-based orders via Google Forms + manual processing.

- AU/NZ: Route all orders/renewals via MusicEdNet until restoration.

5) Backups & Preservation

- Website: Monthly Squarespace site export (XML + assets where available). Stored in Google Drive “Backups/Website” + weekly encrypted offline snapshot on removable media.

- Member Content/Docs: Google Drive is system-of-record; weekly read-only archive export; quarterly offline encrypted snapshot (AES-256).

- Membership/Rosters: Monthly export of active schools and access codes to CSV (Drive folder). AU/NZ roster mirrored by MusicEdNet.

- Preservation: Retain DR test records, incident reports, and backups for 12 months.

6) Restoration Procedures

- Reconnect custom domain/DNS if a failover host was used.

- Verify TLS certs, redirects, member login, download links, and forms.

- Smoke tests on top 10 curriculum pages + 3 random downloads.

- Remove temporary bypass links; rotate temporary access codes.

7) Communications

- Stakeholders: schools, members, MusicEdNet, suppliers.

- Channels: email list, website banner/alternate site, social post.

- Cadence: T+1h initial note; milestone updates; closure within 48h.

8) Testing & Maintenance

- Tabletop DR exercise: semi‑annually (website + access outage).

9) Dependencies & Contacts

- Squarespace Status: https://status.squarespace.com

- MemberSpace Status: https://status.memberspace.com

- Google Workspace Status: https://www.google.com/appsstatus

- AU/NZ reseller (MusicEdNet): via Kris.

- Incident mailbox: support@shedthemusic.net

10) Compliance Notes

- No student PII processed; school accounts use generic usernames and rotating codes.

- MFA on admin/provider accounts; least‑privilege applied.

- Backups encrypted at rest; offline copies stored separately.

Approval

- Approved by: Bob Habersat (CTO) and Kris Habersat (Member Management)

- Next review: 12 months from last update