1. Document Control
| Document owner | Director, Zithera Group Pty Ltd |
|---|---|
| Version | 1.0 |
| Last reviewed | May 2026 |
| Review cycle | Annually, and after any major incident or significant change to systems |
| Classification | Shareable with clients and prospective partners |
2. Purpose & Scope
This Business Continuity Plan (BCP) describes how Zithera Group Pty Ltd ("Zithera") maintains its services and recovers from disruptive events. Its purpose is to ensure that critical business functions continue with minimal interruption, that customer data remains protected, and that clients and stakeholders are kept informed throughout any incident.
The plan covers Zithera's hosted software products, the cloud infrastructure that supports them, customer support operations, and the people and processes required to deliver them. It applies to events such as cloud-platform outages, data loss, cyber-security incidents, key-person unavailability and third-party service failures.
3. About Zithera
Zithera is a cloud and AI native technology company that designs, builds and operates web and mobile applications — including Zithera Pass, Zithera Voice and associated services. The company operates on a remote-friendly model with no single physical premises critical to its operations. All production systems run on managed cloud infrastructure, which means the business is not dependent on any one office or location to keep services available.
4. Critical Business Functions
The functions below are considered critical and are prioritised during any disruption:
| Function | Why it matters |
|---|---|
| Availability of hosted applications | Customers rely on continuous access to Zithera's products. |
| Integrity and security of customer data | Data must remain protected, accurate and recoverable at all times. |
| Customer support and communication | Customers need a reliable channel to report issues and receive updates. |
| Software deployment and incident response | The ability to deploy fixes and respond to incidents must be preserved. |
5. Risk Assessment
Zithera maintains awareness of the key threats that could disrupt its operations:
| Risk | Potential impact | Likelihood |
|---|---|---|
| Cloud platform / hosting outage | Temporary unavailability of one or more applications | Low–Medium |
| Data loss or corruption | Loss of recent customer data | Low |
| Cyber-security incident | Unauthorised access, service disruption or data exposure | Low–Medium |
| Key-person unavailability | Delays in development, deployment or support | Medium |
| Third-party / vendor service failure | Loss of a dependent service (e.g. email, payments) | Low–Medium |
6. Business Impact Analysis
For each system, Zithera defines a Recovery Time Objective (RTO — how quickly service is restored) and a Recovery Point Objective (RPO — the maximum acceptable data loss measured in time).
| System | RTO | RPO |
|---|---|---|
| Customer-facing applications & APIs | 4 hours | 1 hour |
| Customer databases | 4 hours | 1 hour |
| Supporting / internal systems | 24 hours | 24 hours |
7. Recovery Strategies
Data & backups
Customer data is backed up automatically on a daily basis, with backups retained for 30 days in geo-redundant cloud storage separate from the primary systems. Backups are periodically restore-tested to confirm they are usable.
Infrastructure
Production systems run on managed cloud infrastructure with redundancy across multiple availability zones. Application configuration and deployment processes are version-controlled, allowing services to be rebuilt and redeployed to healthy infrastructure when required.
People
Knowledge of systems and procedures is documented so that recovery does not depend on a single individual. Critical credentials and access details are securely stored and available to authorised personnel.
Third-party vendors
Zithera selects established providers for critical dependencies (hosting, email, payments) and monitors their status. Where practical, alternatives are identified so the business can switch providers if a vendor suffers a prolonged failure.
8. Key-Person Continuity
As a founder-led company, Zithera recognises that continuity of leadership and system access must not depend on any single individual. The following arrangements ensure the business can keep operating if a key person becomes unavailable:
- Shared leadership — a co-director is able to assume responsibility for operations and decision-making, so authority is not held by one person alone.
- Access & credentials — critical credentials, accounts and infrastructure access are securely stored and available to more than one authorised person, ensuring no system is locked to a single individual.
- Documentation — systems, deployment procedures and recovery steps are documented so they can be operated and maintained by another qualified person.
- Client commitment — in the event of a prolonged key-person absence, the co-director will maintain services, honour existing client commitments and communicate directly with affected clients about ongoing support.
These arrangements are reviewed as part of the annual plan review (Section 12).
9. Incident Response & Escalation
When a disruptive event is detected, Zithera follows these steps:
- Detect & assess — confirm the incident, identify affected systems and estimate severity.
- Contain — take immediate action to limit impact and protect customer data.
- Communicate — notify affected customers and stakeholders (see Section 10).
- Recover — restore services in priority order, guided by the RTO/RPO targets above.
- Review — once resolved, conduct a post-incident review and update this plan with any lessons learned.
10. Communication Plan
Clear communication is a priority during any incident. Zithera will:
- Acknowledge significant incidents to affected customers as soon as they are confirmed.
- Provide regular status updates until the incident is resolved.
- Issue a summary after resolution, including the cause and any preventative measures taken.
Incidents and continuity concerns can be raised at incident@zithera.com.au.
11. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Director / Plan Owner | Overall accountability for business continuity; declares incidents and authorises recovery decisions. |
| Technical Lead | Coordinates technical recovery, restores systems and verifies data integrity. |
| Communications Contact | Keeps customers and stakeholders informed throughout the incident. |
In a small team, one person may hold more than one role; responsibilities are documented so they can be reassigned if someone is unavailable.
12. Testing, Maintenance & Review
This plan is a living document. Zithera:
- Reviews the plan at least annually and after any major incident or significant system change.
- Periodically tests backup restoration to confirm recovery objectives can be met.
- Updates roles, contacts and recovery details whenever they change.