Business Continuity & Disaster Recovery Policy

1. Purpose and Scope

The purpose of this Business Continuity & Disaster Recovery Policy (“Policy”) is to establish a comprehensive framework for Vestra Holdings (“Vestra”) to ensure the continuity of critical business operations and the rapid recovery of essential services in the event of a disruption, disaster, or crisis. This Policy applies to all Vestra employees, contractors, third-party service providers, and any other parties involved in the operation or support of Vestra’s real estate investment platform and related business functions.

This document is designed to meet industry best practices and regulatory requirements (including but not limited to SEC, FINRA, GDPR where applicable), and to align with standards such as ISO 22301 (Business Continuity Management Systems) and NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems). The Policy covers all business units, IT systems, data centers, cloud environments, physical offices, and communication channels used by Vestra.

2. Definitions

  • Business Continuity (BC): The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
  • Disaster Recovery (DR): The process by which Vestra restores IT systems, data, and infrastructure after a disruption.
  • Critical Business Functions: Processes or operations whose interruption would have a material impact on Vestra’s ability to serve clients or comply with legal/regulatory obligations.
  • Recovery Time Objective (RTO): The targeted duration within which a business process must be restored after a disruption.
  • Recovery Point Objective (RPO): The maximum tolerable period in which data might be lost due to an incident.

3. Governance & Responsibilities

3.1 Oversight

The Board of Directors has ultimate responsibility for approving this Policy and overseeing its implementation. The Chief Executive Officer delegates day-to-day management to the Business Continuity Manager (BCM), who coordinates planning across departments.

3.2 Roles

  • Business Continuity Manager: Develops/maintains BC/DR plans; leads response efforts; conducts training/testing.
  • IT Director: Ensures technical DR plans are current; manages backups; oversees system restoration.
  • Department Heads: Identify critical processes; maintain departmental continuity procedures.
  • All Employees: Participate in training/drills; follow instructions during incidents.

4. Risk Assessment & Business Impact Analysis

4.1 Risk Identification

Vestra conducts annual risk assessments to identify threats including but not limited to:

  • Natural disasters (earthquake, flood)
  • Cyberattacks/ransomware
  • Power outages
  • Pandemic/epidemic events
  • Supply chain disruptions
  • Insider threats

4.2 Business Impact Analysis (BIA)

A BIA is performed annually or upon significant change in operations/technology:

  • Identifies critical functions/processes
  • Determines RTO/RPO for each function
  • Assesses financial/regulatory/customer impact from downtime

Results inform prioritization of recovery strategies.

5. Preventive Controls & Mitigation Strategies

5.1 Data Protection

All client/investment data is encrypted at rest and in transit using industry-standard protocols including AES-256 and TLS 1.3. Regular backups are performed daily with offsite/cloud replication.

5.2 System Redundancy

Key systems are hosted on geographically redundant cloud infrastructure with automatic failover capabilities.

5.3 Physical Security

Data centers/offices employ multi-factor access controls, surveillance cameras, and fire suppression systems.

5.4 Vendor Management

Third-party service providers must demonstrate robust BC/DR capabilities as part of onboarding/due diligence.

6. Incident Response Procedures

6.1 Activation Criteria

The BCM may activate BC/DR plans if:

  • Critical systems/processes are disrupted beyond RTO thresholds
  • A disaster/emergency is declared by local authorities
  • Directed by executive management

6.2 Notification Protocols

Upon activation:

  1. Notify Crisis Management Team via phone/email/SMS tree.
  2. Inform employees via internal communications platform.
  3. Notify clients/investors via email/web updates if their services are impacted.
  4. Report material events to regulators as required.

6.3 Command Center Operations

A virtual or physical command center will be established for coordination until normal operations resume.

7. Recovery Strategies & Procedures

7.1 IT Disaster Recovery Steps

  1. Assess damage/failure scope.
  2. Restore from most recent clean backup within RPO window.
  3. Validate system integrity/security before resuming operations.
  4. Prioritize restoration based on BIA-defined criticality.

Cloud-Based Services:

Leverage cloud provider’s DR tools for rapid failover/recovery.

On-Premises Systems:

Restore from offsite backups; coordinate with vendors as needed.

7.2 Manual Workarounds

Where automated systems are unavailable:

  • Use paper/manual logs for transactions
  • Employ alternative communication channels (mobile phones)
  • Document all manual activities for later reconciliation

8. Communication Plan

Clear internal/external communication is vital during disruptions:

Internal:

Regular status updates via secure messaging/email/video calls.

External:

Pre-approved templates for client notifications; dedicated hotline/email address for inquiries:
support@vestraproperties.pro | +63 946 449 8012
Website banner updates as appropriate.

Regulatory Reporting:

Notify relevant authorities per jurisdictional requirements within mandated timeframes.

9. Training & Awareness

All staff receive annual BC/DR training covering roles/responsibilities and emergency procedures. New hires complete orientation within their first month.

Tabletop exercises/drills are conducted at least twice yearly—one announced, one unannounced—to test readiness across scenarios such as cyberattack or natural disaster.

Lessons learned from drills/incidents are incorporated into plan revisions.

10. Testing & Maintenance

Plans are reviewed/tested at minimum annually or after major changes/incidents:

Testing Methods:

  • Tabletop exercises: Simulated discussion-based scenarios
  • Functional tests: Actual failover/restoration of select systems
  • Full-scale drills: Organization-wide simulation involving all teams

Documentation:

Test results are documented, with corrective actions tracked through resolution.

Plans are updated post-testing or when significant changes occur in technology/business structure/regulations.

11. Continuous Improvement

Vestra commits to continuous improvement through post-mortem analysis after every incident/test:

  • Root cause analysis performed
  • Action items assigned/tracked
  • Updates made to policies/procedures/training materials

Feedback is solicited from staff/clients/vendors post-event/test for further enhancement.

12. Plan Distribution & Access Control

Current versions of BC/DR plans are stored securely on Vestra’s document management system with restricted access based on role/responsibility. Hard copies are maintained at designated secure locations if required by regulation/jurisdiction.

Employees are notified promptly when updates occur; acknowledgment is required upon review completion.

Appendix: Regulatory References

This policy aligns with requirements/guidance from:

  • ISO/IEC 22301:2019 – Security and resilience — Business continuity management systems — Requirements
  • NIST SP 800-34 Rev. 1 – Contingency Planning Guide for Federal Information Systems
  • SEC Regulation S-P/SIDRA/Federal Reserve guidance
  • Google Play Developer Program Policies – Financial Services Compliance
  • Local/state/federal real estate regulations

For more information about our compliance program, contact compliance@vestraproperties.pro.

Document Control

Version: v1
Effective Date: Jan 25th, 2026
Next Review Date: Jan 25th, 2027
Approved By: Board of Directors – Vestra Holdings