
Disaster Recovery & Business Continuity Plan

What happens to CMG operations if the office burns down, the AppFolio data center goes offline, Tizi gets hit by a bus, or ransomware hits at 2 AM Sunday. Tested annually. RTO 4 hours · RPO 1 hour for our highest-tier services.

14 · DR scenarios documented
4 hr · RTO · tier-1 services
1 hr · RPO · tier-1 data
Mar 2026 · Last full DR exercise
100% · Backup integrity test pass · 12mo

Tier-by-tier RTO/RPO commitments

| Service | Tier | RTO | RPO | Backup location |
|---|---|---|---|---|
| Owner ledger / AR · billing accuracy | 1 | 4 hr | 1 hr | AppFolio + S3 hourly |
| Bank / cash position | 1 | 4 hr | 1 hr | Plaid + bank login redundancy |
| Payroll / vendor payments | 1 | 8 hr | 8 hr | ACH provider · Bill.com fallback |
| Records (§718.111(12)) requests | 1 | 4 hr | 24 hr | Drive + S3 nightly |
| Owner portal & broadcast | 2 | 8 hr | 4 hr | Cloudflare Pages multi-region |
| Vendor portal · scorecards | 2 | 8 hr | 4 hr | Cloudflare Pages |
| Concierge desktop tools | 2 | 12 hr | 12 hr | Plaza Tower local + central |
| Email / SMS · Twilio + Resend | 2 | 4 hr | 1 hr | Provider redundancy |
| Drawing vault / SOPs | 3 | 24 hr | 24 hr | Drive + S3 nightly |
| Internal Wiki + manuals | 3 | 24 hr | 7 day | Drive + GitHub mirror |
| Coaching log + HR records | 3 | 48 hr | 24 hr | S3 encrypted · AGF holds key |

Scenario playbooks

🔒 Ransomware on AppFolio data sync

Likelihood: low · Impact: high · Last drill: Mar 14, 2026
  1. Hour 0–1: Detection (any GL drift >$5 surfaces in DQ monitor; sync errors in 3 consecutive nightly runs). Disconnect sync; engage AGF + AppFolio support.
  2. Hour 1–4: Restore from last known-clean S3 snapshot (1-hour RPO target). Re-validate against bank reconciliations. Run DQ monitor on restored data.
  3. Hour 4–8: Owner-facing communications: portal banner ("we're verifying recent activity"); estoppel certs paused only if affected. Insurance carrier (cyber endorsement) notified.
  4. Hour 8–24: Forensic review · root-cause memo · remediation plan to BOD. Double-write window for 14 days post-recovery.
  5. Post-incident: Tabletop within 30 days · DR plan updates · annual re-test added.
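
The two detection triggers from step 1 (GL drift over $5, or sync errors in 3 consecutive nightly runs), evaluated over a constructed run history. This is an added example, not CMG's DQ monitor; the `NightlyRun` record and its fields are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

DRIFT_LIMIT_USD = Decimal("5.00")  # playbook: any GL drift > $5
ERROR_STREAK_LIMIT = 3             # playbook: 3 consecutive nightly runs

@dataclass(frozen=True)
class NightlyRun:                    # hypothetical record shape
    date: str
    sync_ok: bool
    gl_drift_usd: Optional[Decimal]  # None when the run failed before comparing

def evaluate(runs):
    """Return (date, reason) alerts for runs given in chronological order."""
    alerts, streak = [], 0
    for run in runs:
        # A successful run resets the failure streak.
        streak = 0 if run.sync_ok else streak + 1
        if streak >= ERROR_STREAK_LIMIT:
            alerts.append((run.date, f"sync failed {streak} nights in a row"))
        drift = run.gl_drift_usd
        # Strictly greater than the limit, in either direction.
        if drift is not None and abs(drift) > DRIFT_LIMIT_USD:
            alerts.append((run.date, f"GL drift ${abs(drift)} exceeds ${DRIFT_LIMIT_USD}"))
    return alerts

# Constructed run history, not real data.
SAMPLE_RUNS = [
    NightlyRun("2026-02-01", True,  Decimal("0.00")),
    NightlyRun("2026-02-02", False, None),
    NightlyRun("2026-02-03", False, None),
    NightlyRun("2026-02-04", True,  Decimal("5.00")),    # at the limit: no alert
    NightlyRun("2026-02-05", False, None),               # streak restarts at 1
    NightlyRun("2026-02-06", False, None),
    NightlyRun("2026-02-07", False, None),               # third in a row: alert
    NightlyRun("2026-02-08", True,  Decimal("-12.40")),  # drift in either direction
]

if __name__ == "__main__":
    for date, reason in evaluate(SAMPLE_RUNS):
        print(date, reason)
```
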

🔥 CMG office unusable (fire / flood / extended power)

Likelihood: low · Impact: medium · Tested via remote-week Mar 2025
  1. Hour 0–2: Confirm staff safety. Activate work-from-anywhere posture (every system is cloud-based, so this is mostly a confidence move).
  2. Hour 2–4: Set up alternate intake for paper mail at Plaza Tower front desk (rotating with concierge). Forwarding order to USPS for office address.
  3. Hour 4–24: Vendor / closing attorney communications: alternate contacts published. Phone forwarding to mobile lines.
  4. Day 2+: Find temp office space (12-month options pre-vetted: 3 candidate co-working contracts on file). Insurance claim on office contents.
  5. Re-occupancy: Punch-list audit · IT reset · paper records reconcile.

🌀 Hurricane direct hit — Tallahassee

Likelihood: 8% any given year · Impact: catastrophic · Drilled annually pre-season
  1. T-72 hr: Activation per Emergency Tree across all 18 properties. Generators fueled. Critical-staff coverage confirmed.
  2. T-24 hr: Evacuation if mandatory. Critical-data + records loaded to S3. CMG office secured.
  3. T+0 to +12: Damage walk per Insurance Claims runbook. FNOL filed within 24h with all relevant carriers.
  4. T+12 to +72: Owner mass-communication via Broadcast (cellular failover). Community Calendar updated. Drawing vault for repair scoping.
  5. Recovery: Insurance Claims module drives all 18 association recoveries simultaneously. AGF on standby for FEMA / SBA.

🏢 Critical vendor failure (AppFolio prolonged outage)

Likelihood: low · Impact: high · Last simulated: Sep 2025
  1. Hour 0–4: Switch to read-only ledger views from last nightly export. Estoppel certs hand-built from local cache for active closings.
  2. Hour 4–24: Manager-driven manual AR / AP via spreadsheet templates. Vendor portal continues to read from S3 cache.
  3. Day 2–7: Owner-facing slowdown notice. Critical workflows (closings, NOLAs) take priority; lower-tier work-orders queue.
  4. Recovery: Sync re-establishes. DQ monitor runs full audit. Reconcile any divergence; auto-correct or human-review.
  5. Permanent: If > 7 days, AppFolio Stack partner status accelerates direct read API + alternate vendor evaluation begins.

🤕 Loss of key person (Tizi, founder, lead manager)

Likelihood: real · Impact: catastrophic if uncovered · Skill matrix tracks exposure
  1. Hour 0–24: Founder + remaining ops leadership convene. Skill Matrix module surfaces SPOF coverage gaps. Cross-train plans accelerated.
  2. Day 1–7: Critical-decision authority delegations. Wiki + manuals are the runbook. AGF + Sterling broker briefed on continuity.
  3. Day 7–30: Hire pipeline activated (board-approved succession candidates). Interim coverage matrix activated; explicit accountability on each pillar.
  4. Long-term: Knowledge documented; institutional memory survives. Annual succession plan refresh.

🛂 Identity provider compromise (Cloudflare Access / OAuth)

Likelihood: low · Impact: high · Layered with hardware key + sigchain
  1. Hour 0–1: Force-revoke all sessions; require re-auth with hardware keys. Audit log review for last 24 hr · hash-chain integrity check.
  2. Hour 1–8: Review external Drive shares · auto-revoke any not on the allow-list. Vendor portal re-auth required.
  3. Hour 8–24: Owner-facing notice if any account disclosure suspected. AGF + insurance cyber endorsement engaged.
  4. Recovery: Provider remediation confirmed; security hardening (additional MFA factors) added.
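
The hash-chain integrity check from step 1, as an added example rather than CMG's audit-log code. The entry layout (`seq`, `ts`, `actor`, `action`, `prev_hash`, `hash`), the all-zero genesis value and the sample entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first entry

def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except 'hash'."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append(log, ts, actor, action):
    """Link a new entry to the current head (used here to build sample data)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor,
             "action": action, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    log.append(entry)

def verify(log, trusted_head=None):
    """Return (ok, position, reason); position is the first failing entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return (False, i, "sequence gap or reorder")
        if entry.get("prev_hash") != prev:
            return (False, i, "broken link to previous entry")
        if entry_hash(entry) != entry.get("hash"):
            return (False, i, "entry content altered")
        prev = entry["hash"]
    # A log rewritten or truncated end to end still links up internally, so
    # compare the head with a copy stored outside the compromised system.
    if trusted_head is not None and prev != trusted_head:
        return (False, len(log), "head differs from trusted copy")
    return (True, None, "chain intact")

def sample_log():
    """Constructed entries, not real audit data."""
    log = []
    append(log, "2026-01-10T02:00:00Z", "svc-sync", "session.start")
    append(log, "2026-01-10T02:05:00Z", "user-a", "share.create")
    append(log, "2026-01-10T02:06:00Z", "user-a", "share.revoke")
    append(log, "2026-01-10T02:09:00Z", "admin-1", "sessions.revoke_all")
    return log

if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]        # in practice, read from the trusted copy
    print(verify(log, head))
    log[1]["actor"] = "user-b"    # simulate an after-the-fact edit
    print(verify(log, head))
```

Without a head hash held somewhere the identity provider cannot write to, the check only proves internal consistency: a truncated log passes `verify(log)` and fails `verify(log, trusted_head)`.
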

Resilience features baked in

S3 backups (hourly): Encrypted · 7-yr retention · cross-region
Hash-chain (tamper): Audit log integrity provable forensically
Cloudflare Pages (multi-region): Auto-failover · 99.99% SLA
Cyber insurance ($1M): Sterling endorsement · annual renewal
Hardware MFA (100%): Staff keys · YubiKey + biometric
3-2-1 backup (tested): 3 copies · 2 media types · 1 off-site
RPO < 1 hr (tier-1): Worst-case loss for billing data
Annual DR drill (live): Real restore · not paper test

Drill log · trailing 12 months

| Drill | Date | Type | Result | Actions |
|---|---|---|---|---|
| Ransomware tabletop | Mar 14, 2026 | Tabletop | Pass · 4 minor improvements | Faster sync-disconnect runbook · added |
| Office unusable simulation | Mar 17–24, 2025 | Live (full week) | Pass · concierge handoff smooth | USPS forward template added |
| S3 backup restore | Feb 8, 2026 | Live restore test | Pass · 38 min restore | Documented sequence |
| AppFolio simulated outage | Sep 14, 2025 | Live (4 hr) | Pass · manual AR functional | Spreadsheet template improved |
| Hurricane dry-run · all properties | May 15, 2025 | Tabletop | Pass · pre-season | Fuel logistics improved |
| Identity provider failover | Nov 2, 2025 | Tabletop | Pass · key revocation tested | Hardware-key reissue runbook |

Why this exists

Property management businesses traditionally treat continuity as "we'll figure it out." When 18 associations rely on this team, 3,400 owners depend on payments processing, and DBPR penalty timers don't pause for office fires, figuring it out in the moment is too late. This is the documented version of "we have a plan."

References

NIST SP 800-34 Contingency Planning · ISO 22301 BCMS framework · AICPA SOC2 CC9 (BCP) · FL §718 ongoing management obligation · Sterling cyber endorsement.