Business Impact Analysis
Effective: March 17, 2026 · DCF-167
1. Purpose
This Business Impact Analysis (BIA) identifies H33.ai's critical business functions, assesses the potential impact of disruptions, and determines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each function. This document supports ISO 27001:2022 controls A.5.29 (Information security during disruption) and A.5.30 (ICT readiness for business continuity), as well as SOC 2 Availability criterion A1.2.
2. Methodology
The BIA was conducted using the following methodology:
- Identify critical business functions: All business processes and information systems were cataloged and assessed for criticality to H33.ai's operations, revenue, and customer commitments
- Assess impact of disruption: For each critical function, the potential impact of disruption was evaluated across five categories (Financial, Operational, Reputational, Legal/Regulatory, Customer) at multiple time intervals (1 hour, 4 hours, 24 hours, 72 hours)
- Determine RTO/RPO: Recovery Time Objectives and Recovery Point Objectives were established based on impact analysis, customer SLAs, and technical feasibility
- Identify dependencies: External and internal dependencies for each critical function were mapped
- Define recovery strategies: Recovery procedures and compensating controls were documented for each critical function
3. Critical Business Functions
3.1 H33 Authentication API
| Criticality | Critical |
| Description | Core post-quantum FHE biometric authentication API serving customer authentication requests at 2.17M auth/sec (production capacity) |
| RTO | 4 hours |
| RPO | 1 hour |
| Infrastructure | AWS c8g.metal-48xl (Graviton4), 96 workers, in-process DashMap ZKP cache |
| Impact of Loss | Customer authentication systems fail; revenue impact immediate; SLA penalties triggered; reputational damage within hours |
3.2 Auth1 Authentication Service
| Criticality | Critical |
| Description | Multi-tenant authentication service (H33 subsidiary) providing auth flows for H33 and tenant customers (Cachee, BabyZilla, RevMine, Mirror1, L100) |
| RTO | 4 hours |
| RPO | 1 hour |
| Infrastructure | AWS Elastic Beanstalk (z101-auth-prod), RDS PostgreSQL, ElastiCache Redis |
| Impact of Loss | All tenant authentication flows disrupted; cascading impact on tenant customer applications; regulatory notification requirements triggered |
3.3 Customer Data (RDS PostgreSQL)
| Criticality | Critical |
| Description | Primary relational database storing customer records, tenant configurations, credit balances, transaction logs, and authentication metadata |
| RTO | 1 hour |
| RPO | 15 minutes |
| Infrastructure | AWS RDS PostgreSQL (z101-postgres-prod) with automated backups, point-in-time recovery, and Multi-AZ deployment |
| Impact of Loss | Complete service outage; potential data loss; regulatory breach notification required; maximum financial and reputational impact |
3.4 Key Management
| Criticality | Critical |
| Description | Cryptographic key management for Dilithium signing keys, Kyber key exchange parameters, BFV FHE parameters, and TLS certificates |
| RTO | 1 hour |
| RPO | 0 (no data loss acceptable) |
| Infrastructure | AWS Secrets Manager, ACM for TLS certificates, application-level key storage |
| Impact of Loss | All cryptographic operations fail; authentication impossible; permanent data loss if key material is unrecoverable; maximum severity incident |
3.5 H33.ai Website
| Criticality | Medium |
| Description | Public-facing website including documentation, pricing, blog, and compliance artifacts |
| RTO | 24 hours |
| RPO | 24 hours |
| Infrastructure | Netlify CDN with CloudFront distribution |
| Impact of Loss | Reputational impact; inability for prospects to access documentation or pricing; no direct customer service impact |
3.6 Email / Communications
| Criticality | Medium |
| Description | Microsoft 365 email, calendar, and collaboration services for internal and external communications |
| RTO | 8 hours |
| RPO | N/A (managed by Microsoft 365 SLA) |
| Infrastructure | Microsoft 365 with HIPAA security package |
| Impact of Loss | Internal communication disruption; customer support delays; operational inefficiency; no direct service impact |
4. Impact Categories and Ratings
4.1 Impact Categories
- Financial: Direct revenue loss, SLA penalty payments, incident response costs, regulatory fines
- Operational: Inability to deliver core services, degraded system performance, staff productivity loss
- Reputational: Customer confidence loss, negative media coverage, partner relationship damage, market position erosion
- Legal/Regulatory: HIPAA breach notification requirements, SOC 2 audit findings, contractual SLA violations, potential litigation
- Customer: Customer service disruption, data accessibility loss, cascading failures in customer applications
4.2 Impact Ratings
| Critical | Immediate and severe impact across multiple categories. Core revenue-generating services are unavailable. Regulatory notification thresholds may be triggered. Requires immediate executive-level response. |
| High | Significant impact on operations or customer experience. Revenue loss within hours. Degraded service quality visible to customers. Requires priority response within 4 hours. |
| Medium | Moderate operational impact. Workarounds available. Limited direct customer impact. Revenue impact minimal within 24 hours. Standard response procedures apply. |
| Low | Minor inconvenience. No customer-facing impact. No revenue loss. Can be addressed during normal business operations. |
5. External Dependencies
H33.ai's critical business functions depend on the following external services:
| AWS (us-east-1) | Primary cloud infrastructure provider. Hosts compute (Graviton4), database (RDS), cache (ElastiCache), application platform (Elastic Beanstalk), secrets (Secrets Manager), certificates (ACM). Single-region dependency. |
| GitLab | Source code management and CI/CD pipeline. Disruption delays deployments but does not affect running production services. |
| Microsoft 365 | Email, calendar, and collaboration. Disruption affects internal communication but not production services. |
| Stripe | Payment processing for H33 credit purchases. Disruption prevents new purchases but does not affect existing credit balances or authentication services. |
| Twilio | SMS OTP delivery for Auth1 authentication. AWS SNS configured as automatic failover. |
| Netlify CDN | Static website hosting. Disruption affects website availability only; API services unaffected. |
6. Recovery Strategies
6.1 H33 Authentication API
- Deploy replacement Graviton4 instance from pre-configured AMI (target: 2 hours)
- FHE parameters and enrolled templates restored from encrypted RDS backup
- In-process DashMap ZKP cache rebuilds automatically on startup (warm-up period: ~5 minutes)
- DNS failover to standby instance via Route 53 health checks
6.2 Auth1 Authentication Service
- Elastic Beanstalk auto-recovery with health monitoring
- RDS Multi-AZ automatic failover (target: <5 minutes)
- ElastiCache Redis replica promotion for cache tier recovery
- Manual redeployment from GitLab if EB environment requires recreation (target: 1 hour)
6.3 Customer Data (RDS PostgreSQL)
- RDS automated backups with 7-day retention and point-in-time recovery to any second within the retention window
- Multi-AZ deployment with automatic failover to standby replica
- Manual snapshots taken before major changes (retained for 30 days)
- Cross-region snapshot copy for disaster recovery (performed monthly)
6.4 Key Management
- Cryptographic keys stored in AWS Secrets Manager with automatic replication
- Key material backed up to encrypted offline storage (updated quarterly)
- TLS certificates managed by ACM with automatic renewal
- Emergency key rotation procedures documented and tested annually
7. BCP/DR Testing
Business continuity and disaster recovery plans are tested as follows:
| Annual DR Test | Full restoration test of critical systems from backups, including RDS point-in-time recovery, Auth API deployment from AMI, and Auth1 EB redeployment |
| Quarterly Backup Verification | Automated verification that RDS backups are restorable and data integrity is maintained |
| Monthly Failover Test | RDS Multi-AZ failover test and ElastiCache replica promotion test |
| Post-Incident Review | Any unplanned outage triggers a post-incident review that validates and updates recovery procedures |
8. Review Schedule
This Business Impact Analysis is reviewed annually, or sooner if:
- Significant changes occur to H33.ai's infrastructure, services, or business model
- New critical dependencies are introduced
- A business continuity event occurs that reveals gaps in the analysis
- Customer SLA requirements change materially
- Regulatory requirements change (e.g., HIPAA, SOC 2 criteria updates)
The next scheduled review is March 2027.
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945