Are appropriate security and disaster recovery procedures in place?
Yes. We use a resilient cluster in AWS for the database with Hot failover with nightly snapshots taken that we retain for one week. Given the nature of the data we hold and the fact it is all encrypted we feel this is appropriate as we do not want to hold large quantities of backup data. In the event of AWS experiencing significant outages we are confident in our procedures to restore operation of the service within 24 hours.
Only our development team has access to database via key based authentication and any PPI in the database is fully encrypted.