Evidence-grade data protection.
Tamper-evident snapshots with Merkle-linked evidence chain. Recovery SLOs continuously verified by synthetic restore drills — not at audit time. Restore is a ChangeSet: simulation, blast-radius assessment, tested rollback, executed under policy.
/ 01 — the chain
Snapshots hash upward.
Every snapshot is a leaf. Pairs hash together into internal nodes. The root is signed with the tenant's Ed25519 key (KMS-wrapped). Tampering anywhere is detectable from any cut point.
- SHA-256: snapshot hash
- Ed25519: signing key
- KMS: envelope wrap
- Merkle: cross-link
- daily: restore drill
- 15min: default RTO
- <1s: hot-standby RPO
- ∞: audit retention
/ 02 — the drill
Restore confidence measured continuously.
Every 24 hours, a synthetic restore drill picks a random snapshot from the last 30 days. The full path runs: integrity check → policy gate → restore → boot the workload → verify. Drift surfaces in /status before customers notice.
Restore isn't an emergency procedure. It's a planned operation under the same ChangeSet engine as every other platform mutation.
/ daily synthetic restore drill
last run · 18.9s · ✓ verified
- 01 · 0.2s · Snapshot select: the daily synthetic restore drill picks a random snapshot from the last 30d.
- 02 · 1.4s · Integrity check: Merkle path verified leaf → root. Ed25519 signature checked against the KMS public key.
- 03 · 0.3s · Policy gate: OPA evaluates whether restore is allowed in this tenant, this region, this hour.
- 04 · 12.8s · Restore execute: blocks restored to a fresh tenant volume. Real-time progress logged.
- 05 · 4.2s · Verify: workload boots, health check passes, hash of restored blocks compared to source.
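As an added example (not the product's code), the leaf → root hashing from section 01 and the drill's integrity check from step 02 in Go: leaves are SHA-256 over snapshot bytes, internal nodes hash pairs, the root is signed with Ed25519, and verification recomputes the root from a leaf and its sibling path before checking the signature. The 0x00/0x01 domain-separation prefixes, the odd-level duplication rule and the in-process key (standing in for the KMS-wrapped tenant key) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

// Step is one sibling on the audit path from a leaf up to the root.
type Step struct {
	Sibling []byte
	Left    bool // true when the sibling sits to the left of the running hash
}

// Assumed convention: 0x00 and 0x01 prefixes keep leaves and inner nodes in separate domains.
func LeafHash(snapshot []byte) []byte { return tagged(0x00, snapshot) }
func nodeHash(l, r []byte) []byte    { return tagged(0x01, append(append([]byte{}, l...), r...)) }
func tagged(tag byte, b []byte) []byte {
	h := sha256.Sum256(append([]byte{tag}, b...))
	return h[:]
}

// BuildTree hashes the leaves upward; returns the root and the audit path for leaf idx.
func BuildTree(leaves [][]byte, idx int) (root []byte, path []Step) {
	level := append([][]byte(nil), leaves...)
	for len(level) > 1 {
		if len(level)%2 == 1 { // odd level: promote a copy of the last node (assumed rule)
			level = append(level, level[len(level)-1])
		}
		sib := idx ^ 1
		path = append(path, Step{Sibling: level[sib], Left: sib < idx})
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return level[0], path
}

// VerifyPath is the drill's integrity check: recompute the root from the leaf and its
// path, then verify the Ed25519 signature over that root with the tenant's public key.
func VerifyPath(pub ed25519.PublicKey, sig, leaf, root []byte, path []Step) bool {
	h := leaf
	for _, s := range path {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return bytes.Equal(h, root) && ed25519.Verify(pub, root, sig)
}
```

A leaf that has been altered, a path that does not lead to the signed root, or a root signed by a different key all fail the same check, which is what makes tampering detectable from any cut point.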
/ 03 — SLO + diff
Live SLO posture + per-snapshot diff.
90-day compliance band shows when SLO is met, drifting, or breached. The snapshot diff makes tampering visible at the file level — added, changed, removed, unchanged with hash comparisons.
/ RTO / RPO compliance · last 90 days
/ snapshot diff · tnt-a · 24h window
/ 04 — cross-product
The chain spans product boundaries.
When MSP detects an incident, the response can invoke a Backup restore. Both events chain into the unified tenant audit log. One root hash spans the whole response — not three separate vendor logs.
/ 01 · MSP
Incident detected
IdentityExposure agent flags credential breach on endpoint e_8a4f.
ts: 14:23:41.082 evd: msp:evd:a83f9b… cs: ISOLATE_ENDPOINT
/ 02 · Backup
Restore triggered
CONTAIN_LATERAL ChangeSet invokes restore of clean snapshot for the isolated endpoint.
ts: 14:23:44.512 evd: bk:evd:c419fa… cs: RESTORE_SNAPSHOT
/ 03 · Audit
Chain merged
Cross-product evidence chain: MSP root → Backup root → unified tenant audit log.
ts: 14:23:44.601 evd: audit:root:8f24c1… cs: —
/ 05 — the spectrum
Per-workload, per-recovery-mode.
Choose cold archive, warm replica, or hot standby per workload. Operating mode is a tenant setting; switches between modes are evidence-chained ChangeSets. No vendor lock-in to one recovery posture.
/ mode 01
Cold archive
Lowest cost, hours RTO.
- RTO: hours
- RPO: 24h
- Cost: $
// Whole tenant lost ≤ 24h prior
Suited for
- Compliance retention
- Long-tail audit storage
- Rarely-restored workloads
/ mode 02
Warm replica
Balanced cost, minutes RTO.
- RTO: minutes
- RPO: 15min
- Cost: $$
// Per-workload lost ≤ 15min prior
Suited for
- Default for most workloads
- Production app data
- Multi-tenant SaaS substrate
/ mode 03
Hot standby
Highest cost, seconds RTO.
- RTO: seconds
- RPO: <1s
- Cost: $$$
// Near-zero data loss; auto-failover
Suited for
- Critical-path infra (auth, identity)
- Billing surfaces
- Cross-region active-active
/ 06 — vs traditional backup
Different data structure. Not different storage.
Snapshot integrity
- Traditional backup: Take snapshot. Trust the vendor.
- Brainstorm Backup: SHA-256 hash + Ed25519 signature at capture time. Merkle link from leaf to root. Verifiable end-to-end.
Restore confidence
- Traditional backup: Test restore "occasionally" — usually after an incident exposes a stale backup.
- Brainstorm Backup: Synthetic restore drill runs every 24h on a random snapshot. RTO/RPO compliance graphed across 90 days.
Restore operation
- Traditional backup: Operator invokes restore tool, hopes it works, watches a progress bar.
- Brainstorm Backup: Restore is a ChangeSet — Intent → Simulation → Policy gate → Execute → Verify. Same engine as every other platform mutation.
Audit trail
- Traditional backup: Backup tool log. Vendor-specific format. Best-effort retention.
- Brainstorm Backup: Evidence chain spans products — MSP incident → Backup restore → audit log root, all signed and linked.
Operate the chain.
Open the operator console to inspect snapshots, replay the chain, run restore drills.