To enable Disaster Recovery, see Storage Backup Services. This article covers how the DR archive is protected and what happens during an actual recovery.
Storage architecture
Your Disaster Recovery archive lives on a dedicated virtual drive attached to an isolated virtual machine inside our enterprise-grade infrastructure. Firewall rules separate that VM from every other system in the data centre, creating a sealed enclave for the DR data.
Access to the archive is gated by your customer-specific hardware gateway: each gateway authenticates to the backend with its own TLS client certificate, and even then it can pull only from its own archive.
Encryption
We use multiple layers of industry-standard cryptography:
- DR archives are encrypted at rest with AES-256, the NIST-standard cipher approved for protecting U.S. government classified information.
- Data in transit moves through AES-encrypted VPN tunnels whose endpoints are authenticated with TLS certificates backed by 2048-bit keys.
- Together these mean the archive is never reachable from the ordinary local network or from a generic VPN client; only an authenticated gateway can open a tunnel to it.
Gateway-side security
The gateway hardware that protects the on-site half of the picture has its own defences:
- The gateway’s NAS drive is encrypted with full-disk encryption.
- The disk-encryption key is held in a tamper-resistant hardware zone rather than on the drive itself, so pulling the drive and mounting it elsewhere yields only ciphertext.
- The result is that a stolen gateway is a hardware loss, not a data breach.
Ransomware protection via BTRFS snapshots
Local protection against ransomware leverages the BTRFS copy-on-write (CoW) filesystem built into the gateway. The gateway takes read-only snapshots of the data it holds. Because a read-only snapshot cannot be modified after it is created, ransomware that reaches the data through the file share can encrypt, rename or delete only the live copy; the files recorded in the snapshot stay exactly as they were.
Snapshots are cheap: under copy-on-write a new snapshot shares every block with the live data and consumes space only as blocks are later changed, so even frequent snapshots do not balloon storage usage. Combined with the gateway’s encrypted storage and isolated architecture, the snapshots are the front-line ransomware defence: once the infected machines have been cleaned, the share is rolled back to the last snapshot taken before the infection.
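The following Python is an added illustration of the mechanism described above; it is not Uplevel's code and does not drive a real BTRFS volume. It models shared extents, read-only subvolumes and rollback with in-memory objects so the three claims can be checked: a fresh snapshot costs no extra space, a write that changes one file costs only that file's new extent, and a simulated ransomware process that overwrites the live share is rejected by the snapshot and undone by a rollback. File names, contents and the xor "encryption" are constructed for the example.

```python
"""In-memory model of copy-on-write, read-only snapshots (added example, not
Uplevel code and not a real BTRFS call).  It shows why a snapshot is free until
the live data diverges, why ransomware writing through the share cannot touch
it, and what rolling the share back to a snapshot does."""
import hashlib


class BlockStore:
    """Content-addressed extent store: identical data is stored once, which is
    what lets a snapshot share every block with the live subvolume."""

    def __init__(self):
        self.blocks = {}  # sha256 hex digest -> bytes

    def put(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.blocks.setdefault(digest, data)
        return digest


class Subvolume:
    """A directory tree: path -> extent digest, optionally read-only."""

    def __init__(self, store: BlockStore, files=None, read_only=False):
        self.store = store
        self.files = dict(files or {})
        self.read_only = read_only

    def write(self, path: str, data: bytes) -> None:
        if self.read_only:
            raise PermissionError(f"{path}: subvolume is read-only")
        self.files[path] = self.store.put(data)  # CoW: old extent is left intact

    def delete(self, path: str) -> None:
        if self.read_only:
            raise PermissionError(f"{path}: subvolume is read-only")
        del self.files[path]

    def read(self, path: str) -> bytes:
        return self.store.blocks[self.files[path]]

    def snapshot(self) -> "Subvolume":
        # Equivalent of `btrfs subvolume snapshot -r`: copy the metadata only;
        # every extent is shared with the live subvolume.
        return Subvolume(self.store, self.files, read_only=True)


def used_space(store: BlockStore, *subvols: Subvolume) -> int:
    """Bytes actually stored for the given subvolumes (shared extents counted once)."""
    referenced = {d for sv in subvols for d in sv.files.values()}
    return sum(len(store.blocks[d]) for d in referenced)


def ransomware(subvol: Subvolume, key: int = 0x5A) -> int:
    """Simulated ransomware: xor-'encrypt' every file and rename it with a
    .locked suffix.  Returns the number of files touched; on a read-only
    subvolume the first delete raises PermissionError and nothing changes."""
    touched = 0
    for path in list(subvol.files):
        cipher = bytes(b ^ key for b in subvol.read(path))
        subvol.delete(path)
        subvol.write(path + ".locked", cipher)
        touched += 1
    return touched


def rollback(live: Subvolume, snap: Subvolume) -> None:
    """Restore the live tree from a snapshot: metadata copy, no data movement."""
    live.files = dict(snap.files)


def demo() -> dict:
    store = BlockStore()
    live = Subvolume(store)
    # Constructed sample data standing in for a customer's file share.
    original = {
        "ledger.xlsx": b"Q1 revenue figures " * 50,                     # 950 bytes
        "contracts/msa.pdf": b"%PDF-1.7 master services agreement " * 40,  # 1400 bytes
    }
    for path, data in original.items():
        live.write(path, data)
    space_before = used_space(store, live)

    snap = live.snapshot()
    space_after_snapshot = used_space(store, live, snap)  # identical: all blocks shared

    live.write("ledger.xlsx", original["ledger.xlsx"] + b"Q2 update")  # one new extent
    space_after_edit = used_space(store, live, snap)

    files_encrypted = ransomware(live)  # the live share is wrecked...
    try:
        ransomware(snap)                # ...but the snapshot refuses the writes
        snapshot_write_rejected = False
    except PermissionError:
        snapshot_write_rejected = True

    rollback(live, snap)
    restored = (set(live.files) == set(original)
                and all(live.read(p) == d for p, d in original.items()))
    return {
        "space_before": space_before,
        "space_after_snapshot": space_after_snapshot,
        "edit_delta": space_after_edit - space_after_snapshot,
        "files_encrypted": files_encrypted,
        "snapshot_write_rejected": snapshot_write_rejected,
        "restored_matches_original": restored,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible that the prose does not: the snapshot's protection comes from the subvolume being read-only, not from the data being copied, and a rollback restores the state at snapshot time, so the "Q2 update" written after the snapshot is not in the restored tree. On a real gateway the same operations are `btrfs subvolume snapshot -r <live> <snapshot>` and a restore from the chosen snapshot.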
For end-user recovery from a snapshot, see Restoring Files and Directories from Snapshots.
What happens during a recovery
When you activate DR after an incident, the recovery flow goes like this:
- We download the most recent DR image¹ to a new gateway.
- The gateway is prepped for overnight shipping to your location, with a target of arrival by 8 a.m. the next business morning.
- On site, the only things you need to do are plug in the new gateway’s Ethernet cables and power.
- If the recovery location uses a different network design from the original site, expect to remap network drives in the operating system. If the network is unchanged, the gateway comes up with no further configuration.
Throughout the recovery the data stays protected by the same anti-theft posture as in normal operation: the gateway must authenticate to the cloud before it can decrypt its own volume, so a unit lost or tampered with in transit yields no readable data.
In an actual disaster
Contact Uplevel Support immediately:
- Email: support@uplevelsystems.com
- Phone: 917-317-3001
¹ Next-morning delivery of the complete DR image depends on when we receive the disaster notification, the overnight carrier’s cut-off times, and the total size of the image. If the full image can’t complete before the cut-off, we’ll ship the gateway with the core business-critical data and continue syncing the rest after the hardware is installed at your location — so the most important operations resume right away while the background sync finishes.