Questions about Recovery Point Objective (RPO) and Recovery Time Objective (RTO)

Problem statement

Are there any available details for Auth0/Okta’s RPO and RTO for disaster recovery?

Solution

The RPO (Recovery Point Objective) and RTO (Recovery Time Objective) are stated in our Security & Privacy Documentation for Customer Identity Cloud, hosted here and also here. The specific section to review is “17. Business Continuity and Disaster Recovery.”

Business Continuity and Disaster Recovery.
Okta maintains policies and procedures for responding to an emergency or a force majeure event that causes or could cause Okta's infrastructure to experience a total, or unacceptably degraded, loss of service ("DR/BC Event"). Such procedures include:
a) Data Backups: A policy and process for performing periodic backups of production file systems and databases to meet the RPO and RTO described below:
   i. Recovery Point Objective ("RPO") is no more than 1 hour;
   ii. Recovery Time Objective ("RTO") is no more than 24 hours to restoration of the full Service.
b) Business Continuity Plan ("BCP"): A formal process to address how a DR/BC Event that disrupts Okta's non-Service functions (i.e., corporate processes) might be managed in order to minimize loss of vital resources. The BCP, a copy of which is made available to a customer upon written request, is tested annually.
c) Disaster Recovery Plan ("DRP"): A formal process for the production environment that addresses how a DR/BC Event that disrupts Okta's Service might be managed to minimize loss of operations. The DRP includes requirements for testing on a regular basis, currently four times a year. Confirmation of such testing is available to a customer upon written request.

The Compliance Team can give our paying customers access to the Whistic profile, where Auth0 shares its disaster recovery and business continuity testing results. To get access, the user must raise a Support ticket requesting to be added to Whistic. Our Support team will then reach out to the Compliance Team, giving them the customer’s name, email address, company name, and company website address.