Business Continuity & Disaster Recovery

Business Continuity

Medallia has established a Business Continuity Plan to support continued delivery of its products and services after a disaster event that impacts the resources required (i.e., people, technology, physical assets and/or relationships) to support the performance of its critical business processes. The scope of the Business Continuity Plan includes business continuity procedures for Medallia’s global teams that support delivery of Medallia’s products and services. In the event that a situation evolves into a crisis beyond the scope of the Business Continuity Plan, Medallia’s Crisis Management Plan will be implemented.

Disaster Recovery

The Medallia platform is built on a fully redundant network and communications infrastructure. Our infrastructure and client data are hosted in a Tier III data center with a SOC 2 Type II attestation. The data center provides redundant power and connectivity, including multiple communications carriers, backup diesel generators, raised floors and 24/7 physical security. The architecture is designed to keep client data available through natural disasters such as earthquakes, floods, power outages and other environmental events, and through man-made events such as fires and DDoS attacks.

Medallia’s highly available, scalable architecture is designed to give clients continuous access to their customer feedback data. It delivers a responsive user experience (95th percentile response time <= 5s) and scales horizontally to support large user populations (tens of thousands of concurrent modifications). Our patented in-memory analytics engine, owned and engineered entirely by Medallia, speeds up reporting. Services run in Docker containers, which can be relocated quickly. We are rack-fault tolerant and run services in High Availability mode across multiple racks; container services scale both horizontally and vertically. All next-generation services are containerized microservices, which gives greater flexibility and deployment scale.

Medallia’s high availability features include a primary/secondary architecture for redundancy, together with active/active and active/passive server infrastructure within the primary data center. Because the secondary server is updated far more often than a server refreshed from periodic backups, its data is closer to current than a backup restore would be. If the primary server fails completely, the secondary can take over its role or be used to restore customer data with minimal loss.

We follow industry best practices to prevent or mitigate disasters. The physical, network and data security controls described in the previous sections prevent or mitigate most incidents. If a catastrophic event affects one of our data centers or offices, we have plans to continue providing service from other locations.

Data Backups & Recovery

Medallia’s production backup schedule takes incremental backups daily and full (base) backups weekly. A backup script runs hourly and checks the timestamp of the last successful base backup of each database; if that timestamp is more than a week old, it takes a new base backup of that database. Because only a successful backup sets the timestamp, a failed base backup leaves the timestamp stale and the next hourly pass attempts it again.

Customer data is backed up to disk, never to tape. The databases use write-ahead logging (WAL) to minimize data loss in an outage: every modification is recorded in the log before it is applied to the data files, and each log record carries the redo and undo information for that change. After an outage, the database reads the log to decide, for each in-flight operation, whether to undo it, continue it or complete it. Our backend database servers use Point-in-Time Recovery (PITR): data-modifying transactions (inserts, updates and deletes) are written to the WAL, and recovery uses those WAL records to roll a restored full backup forward to the desired point. This keeps downtime low and saves storage, since only one copy of the full backup plus the WAL written between that backup and the outage needs to be restored.
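As an added illustration of the mechanism just described (constructed example code, not Medallia's implementation or any real database engine's log format), the following Python models a write-ahead log whose records carry undo and redo images, then performs crash recovery and point-in-time recovery from a base backup plus that log. The record layout, the in-memory key/value store and the sample transactions are assumptions.

```python
"""
Toy write-ahead log: crash recovery (redo committed work, undo in-flight
work) and point-in-time recovery from a base backup plus WAL.
Constructed example; the record layout, the key/value "database" and the
sample transactions are assumptions, not any real engine's log format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    lsn: int                    # log sequence number, strictly increasing
    ts: int                     # time the record was written (seconds)
    txid: int
    kind: str                   # "update" or "commit"
    key: Optional[str] = None
    undo: Optional[str] = None  # value before the change (None = key absent)
    redo: Optional[str] = None  # value after the change


def recover(base_snapshot, base_lsn, wal, target_time=None):
    """Rebuild state from a base backup and the WAL written after it.

    target_time=None  -> crash recovery: replay to the end of the log.
    target_time=T     -> PITR: replay only records written at or before T.
    Returns a new dict; the snapshot passed in is not modified.
    """
    data = dict(base_snapshot)
    redone = []          # update records we applied, in LSN order
    committed = set()
    for rec in sorted(wal, key=lambda r: r.lsn):
        if rec.lsn <= base_lsn:
            continue     # already contained in the base backup
        if target_time is not None and rec.ts > target_time:
            break        # everything after the target is discarded
        if rec.kind == "update":
            data[rec.key] = rec.redo   # redo phase: apply the logged change
            redone.append(rec)
        elif rec.kind == "commit":
            committed.add(rec.txid)
    # Undo phase: a transaction with no commit record inside the replayed
    # range (crashed mid-flight, or committed after the PITR target) is
    # rolled back from its undo images, newest change first. Assumes, as
    # real engines guarantee via write locks, that two concurrent
    # transactions never modify the same key.
    for rec in reversed(redone):
        if rec.txid not in committed:
            if rec.undo is None:
                data.pop(rec.key, None)
            else:
                data[rec.key] = rec.undo
    return data


# Constructed base backup taken at LSN 10 and the WAL written after it.
BASE_LSN = 10
BASE_SNAPSHOT = {"acct:alice": "100", "acct:bob": "50"}
SAMPLE_WAL = [
    Record(11, 100, 1, "update", "acct:alice", "100", "70"),  # tx1: transfer 30
    Record(12, 100, 1, "update", "acct:bob", "50", "80"),
    Record(13, 101, 1, "commit"),
    Record(14, 150, 2, "update", "acct:alice", "70", "0"),    # tx2: long-running
    Record(15, 160, 3, "update", "acct:carol", None, "10"),   # tx3: new row
    Record(16, 161, 3, "commit"),
    Record(17, 200, 2, "commit"),                             # tx2 commits late
    Record(18, 210, 4, "update", "acct:bob", "80", "0"),      # tx4: crash before commit
]

if __name__ == "__main__":
    print("crash recovery:", recover(BASE_SNAPSHOT, BASE_LSN, SAMPLE_WAL))
    print("PITR to t=170:", recover(BASE_SNAPSHOT, BASE_LSN, SAMPLE_WAL, target_time=170))
```

Two points the prose does not make explicit follow from running this: after a crash, tx4's half-written change to acct:bob is undone because no commit record reached the log, and a PITR target that falls in the middle of tx2 rolls tx2 back entirely, so "recover to a point in time" yields a transactionally consistent state rather than a raw cut of the log at that timestamp.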

The retention period is currently two weeks, and within that window we can recover to any point in time. In the current setup we keep two copies of the base backup files plus all WAL segments needed to roll the database forward from either of them to the desired time.
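The hourly base-backup check described under the backup schedule and the two-copy retention rule above together determine what the backup set must contain. The following Python is an added example (not Medallia's backup script) of those two decisions: whether a new base backup is due for a database, and which base backups and WAL segments retention may delete without breaking roll-forward from any backup that is kept. The catalog layout, segment names, LSNs and dates are constructed assumptions; the seven-day age limit and the two retained copies come from the text.

```python
"""
Base-backup scheduling and retention for a base-backup-plus-WAL scheme.
Constructed example, not Medallia's backup script: the catalog layout,
segment naming and sample dates/LSNs are assumptions; the 7-day age limit
and the two retained base copies come from the description above.
"""
from datetime import datetime, timedelta, timezone

BASE_BACKUP_MAX_AGE = timedelta(days=7)   # "full backups weekly"
KEEP_BASE_COPIES = 2                       # "two copies of base backup files"


def needs_base_backup(last_successful, now, max_age=BASE_BACKUP_MAX_AGE):
    """The decision the hourly job makes for one database: take a new base
    backup when the last *successful* one is older than max_age, or when
    there is none. Failed attempts must not refresh the timestamp, or a
    broken backup would go unnoticed until the next weekly run."""
    if last_successful is None:
        return True
    return now - last_successful > max_age


def prune(base_backups, wal_segments, keep=KEEP_BASE_COPIES):
    """Decide what retention may delete.

    base_backups: (name, start_lsn, finished_at) per successful base backup;
                  start_lsn is the WAL position replay must begin from when
                  restoring that backup.
    wal_segments: (name, first_lsn, last_lsn) per archived WAL segment.

    Keeps the newest `keep` base backups and every segment that reaches the
    start position of the oldest kept backup, so each kept backup can still
    be rolled forward to the present. A segment that ends before that
    position is useless to every kept backup and is dropped. With no base
    backup at all nothing is deleted.
    """
    newest_first = sorted(base_backups, key=lambda b: b[2], reverse=True)
    keep_base, drop_base = newest_first[:keep], newest_first[keep:]
    if not keep_base:
        return {"keep_base": [], "drop_base": [],
                "keep_wal": [s[0] for s in wal_segments], "drop_wal": []}
    needed_from = min(b[1] for b in keep_base)
    return {
        "keep_base": [b[0] for b in keep_base],
        "drop_base": [b[0] for b in drop_base],
        "keep_wal": [s[0] for s in wal_segments if s[2] >= needed_from],
        "drop_wal": [s[0] for s in wal_segments if s[2] < needed_from],
    }


def recovery_window_start(base_backups, keep=KEEP_BASE_COPIES):
    """Earliest point in time still reachable by PITR: completion of the
    oldest base backup that retention keeps. None when there is no backup."""
    newest_first = sorted(base_backups, key=lambda b: b[2], reverse=True)
    kept = newest_first[:keep]
    return min(b[2] for b in kept) if kept else None


def utc(*ymdh):
    """Build a timezone-aware UTC datetime from year, month, day, hour."""
    return datetime(*ymdh, tzinfo=timezone.utc)


# Constructed catalog: three weekly base backups and the archived WAL.
# seg04 straddles the start position of base-2024-01-08 and must be kept.
SAMPLE_BASES = [
    ("base-2024-01-01", 1000, utc(2024, 1, 1, 2)),
    ("base-2024-01-08", 2000, utc(2024, 1, 8, 2)),
    ("base-2024-01-15", 3000, utc(2024, 1, 15, 2)),
]
SAMPLE_SEGMENTS = [
    ("seg01", 900, 999), ("seg02", 1000, 1499), ("seg03", 1500, 1999),
    ("seg04", 1990, 2499), ("seg05", 2500, 2999), ("seg06", 3000, 3499),
    ("seg07", 3500, 3600),
]
LAST_OK = utc(2024, 1, 8, 2)

if __name__ == "__main__":
    print(needs_base_backup(LAST_OK, utc(2024, 1, 15, 1)))  # False: 6d 23h old
    print(needs_base_backup(LAST_OK, utc(2024, 1, 15, 3)))  # True: over a week
    print(prune(SAMPLE_BASES, SAMPLE_SEGMENTS))
    print(recovery_window_start(SAMPLE_BASES))
```

The check a practitioner wants from such a job is the one prune() encodes: WAL is only deletable relative to the oldest base backup you intend to keep, never by age alone, because a segment that straddles a backup's start position (seg04 here) is still required even though most of it predates that backup.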

Our Recovery Point Objective (RPO) is three (3) hours and our Recovery Time Objective (RTO) is 48 hours. Medallia for Digital has an RPO of two (2) hours and an RTO of 48 hours. Note that these figures apply to full catastrophic disaster recovery events.

Disaster Recovery Testing

Medallia conducts annual DR tests of instances to confirm that disaster recovery procedures are fully documented and can be executed safely in a real disaster. A number of critical components are tested more frequently.