Configuring PITR for Compliance

This tutorial covers how to configure Point-in-Time Recovery (PITR) in FireBackup to meet regulatory compliance requirements. You'll learn how to set up continuous data capture, configure retention policies, and generate audit reports for compliance audits.

What You'll Learn

• Understand PITR architecture and data flow
• Configure PITR for different compliance frameworks (SOC 2, HIPAA, GDPR, PCI-DSS)
• Set up appropriate retention policies
• Generate compliance reports and audit logs
• Test recovery procedures for auditor demonstrations

Prerequisites

• FireBackup Pro or Enterprise license (PITR requires Pro+)
• At least one Firebase project connected
• Storage destination configured
• Understanding of your compliance requirements

Time Required

Approximately 30-45 minutes

---

Understanding PITR

What is Point-in-Time Recovery?

PITR captures every change to your Firestore database in real-time, allowing you to restore to any point in time, not just when scheduled backups ran.

PITR vs Scheduled Backups

Feature	Scheduled Backups	PITR
RPO (Recovery Point Objective)	Hours	Seconds
Data captured	Full snapshot	Incremental changes
Storage usage	Higher	Lower
Restore granularity	Per backup	Any timestamp
Compliance suitability	Basic	Advanced

---

Step 1: Enable PITR for a Project

Using the Dashboard

1. Log in to FireBackup

2. Navigate to Projects

3. Select your project

4. Go to the PITR tab

5. Toggle Enable Point-in-Time Recovery

6. Configure settings:

   Setting	Description	Recommended
   Collections	Which collections to monitor	All (for compliance)
   Change Window	How long to retain changes	Based on compliance needs
   Batch Size	Changes per upload	100-500

7. Click Save

Using the API

curl -X PATCH https://api.firebackup.io/api/v1/projects/proj_abc123 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "pitr": {
      "enabled": true,
      "collections": ["*"],
      "changeWindowDays": 30,
      "batchSize": 100
    }
  }'

---

Step 2: Configure Compliance-Specific Settings

SOC 2 Compliance

SOC 2 requires demonstrating data integrity, availability, and security controls.

Required Settings:

{
  "pitr": {
    "enabled": true,
    "collections": ["*"],
    "changeWindowDays": 90,
    "auditLogging": true,
    "encryptionRequired": true
  },
  "retention": {
    "minimumDays": 365,
    "deleteAfterDays": null
  },
  "audit": {
    "enabled": true,
    "events": ["backup.created", "backup.restored", "pitr.enabled", "pitr.restored"]
  }
}

Dashboard Configuration:

1. PITR Settings:

   • Change Window: 90 days
   • All collections monitored

2. Settings → Security:

   • Enable audit logging
   • Require encryption for all backups

3. Settings → Retention:

   • Minimum retention: 365 days

HIPAA Compliance

HIPAA requires strict data protection for Protected Health Information (PHI).

Required Settings:

{
  "pitr": {
    "enabled": true,
    "collections": ["patients", "medical_records", "appointments", "*"],
    "changeWindowDays": 180,
    "auditLogging": true
  },
  "retention": {
    "minimumDays": 2190,
    "deleteAfterDays": 2555
  },
  "encryption": {
    "atRest": true,
    "inTransit": true,
    "keyRotation": true,
    "keyRotationDays": 90
  },
  "access": {
    "mfaRequired": true,
    "sessionTimeout": 1800
  }
}

Dashboard Configuration:

1. PITR Settings:

   • Change Window: 180 days (6 months)
   • Monitor all PHI-containing collections

2. Settings → Security:

   • Enable MFA for all users
   • Session timeout: 30 minutes
   • Enable encryption key rotation (90 days)

3. Settings → Retention:

   • Minimum retention: 6 years (2190 days)
   • Maximum retention: 7 years (2555 days)

GDPR Compliance

GDPR requires data protection, right to erasure, and data portability.

Required Settings:

{
  "pitr": {
    "enabled": true,
    "collections": ["*"],
    "changeWindowDays": 30,
    "auditLogging": true
  },
  "retention": {
    "minimumDays": 30,
    "deleteAfterDays": 365,
    "autoDelete": true
  },
  "dataSubjectRights": {
    "exportEnabled": true,
    "deleteEnabled": true
  },
  "audit": {
    "dataAccessLogging": true
  }
}

Dashboard Configuration:

1. PITR Settings:

   • Change Window: 30 days
   • Enable change tracking for deletion audits

2. Settings → Retention:

   • Configure auto-deletion after retention period
   • Enable data export capability

3. Settings → Audit:

   • Log all data access events

PCI-DSS Compliance

PCI-DSS requires protection of cardholder data.

Required Settings:

{
  "pitr": {
    "enabled": true,
    "collections": ["transactions", "payments", "*"],
    "changeWindowDays": 90,
    "auditLogging": true
  },
  "retention": {
    "minimumDays": 365,
    "deleteAfterDays": 1095
  },
  "encryption": {
    "atRest": true,
    "algorithm": "aes-256-gcm",
    "keyManagement": "external"
  },
  "access": {
    "mfaRequired": true,
    "ipAllowlist": ["10.0.0.0/8"],
    "roleBasedAccess": true
  }
}

---

Step 3: Set Up Retention Policies

Understanding Retention

Configure Retention in Dashboard

1. Navigate to Settings → Retention

2. Configure by compliance framework:

Framework	PITR Window	Backup Retention	Archive
SOC 2	90 days	1 year	7 years
HIPAA	180 days	6 years	7 years
GDPR	30 days	As needed	Auto-delete
PCI-DSS	90 days	1 year	3 years

3. Enable Legal Hold for data under litigation

Configure via API

curl -X PUT https://api.firebackup.io/api/v1/organizations/org_abc/settings/retention \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "default": {
      "pitrWindowDays": 90,
      "backupRetentionDays": 365,
      "archiveAfterDays": 90,
      "deleteAfterDays": 2555
    },
    "projects": {
      "proj_hipaa_app": {
        "pitrWindowDays": 180,
        "backupRetentionDays": 2190,
        "archiveAfterDays": 180,
        "deleteAfterDays": 2555
      }
    }
  }'

---

Step 4: Configure Audit Logging

Enable Comprehensive Audit Logs

1. Navigate to Settings → Audit Log

2. Enable logging for all compliance-relevant events:

Event Category	Events
Authentication	Login, logout, failed attempts, MFA events
Authorization	Permission changes, role assignments
Data Access	Backup views, downloads, restores
Data Changes	Backup created, deleted, PITR enabled
Configuration	Settings changes, retention policy updates
Administrative	User management, organization changes

3. Configure log export:
   • Export destination: Your SIEM or log aggregator
   • Format: JSON or CEF
   • Frequency: Real-time or batched

Sample Audit Log Entry

{
  "timestamp": "2024-01-15T10:30:45.123Z",
  "eventType": "pitr.restore",
  "actor": {
    "id": "user_abc123",
    "email": "admin@company.com",
    "ip": "192.168.1.100",
    "userAgent": "Mozilla/5.0..."
  },
  "resource": {
    "type": "project",
    "id": "proj_xyz789",
    "name": "Production App"
  },
  "action": {
    "operation": "restore",
    "restorePoint": "2024-01-15T09:00:00.000Z",
    "collections": ["users", "orders"]
  },
  "result": "success",
  "metadata": {
    "duration": 45000,
    "recordsRestored": 15234,
    "organizationId": "org_abc123"
  }
}

Export Audit Logs

# Export audit logs for compliance review
curl -X GET "https://api.firebackup.io/api/v1/audit-logs?from=2024-01-01&to=2024-01-31&format=json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -o audit_logs_january.json

# Export in CEF format for SIEM
curl -X GET "https://api.firebackup.io/api/v1/audit-logs?from=2024-01-01&to=2024-01-31&format=cef" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -o audit_logs_january.cef

---

Step 5: Test Recovery Procedures

Document Recovery Procedures

For compliance audits, you need documented and tested recovery procedures.

Recovery Runbook Template:

# PITR Recovery Procedure

## Purpose
Restore Firestore data to a specific point in time.

## Prerequisites
- Admin access to FireBackup
- Target Firebase project credentials
- Approval from Data Owner

## Procedure

### 1. Identify Recovery Point
- Review audit logs to determine data loss event
- Identify the timestamp just before the incident
- Document the recovery point timestamp

### 2. Initiate Recovery
- Log in to FireBackup dashboard
- Navigate to Projects → [Project Name] → PITR
- Select recovery point timestamp
- Choose collections to restore
- Review and confirm

### 3. Execute Recovery
- Click "Start Restore"
- Monitor progress
- Verify data integrity post-restore

### 4. Post-Recovery
- Document the recovery in incident log
- Update audit trail
- Notify stakeholders
- Schedule post-incident review

Perform Test Recovery

1. Create a test project or use a staging environment

2. Make known changes:

   // Record current timestamp
   const beforeChange = new Date().toISOString();
   
   // Make changes to test data
   await db.collection('test').doc('doc1').set({ value: 'original' });
   await delay(5000);
   await db.collection('test').doc('doc1').set({ value: 'changed' });

3. Perform PITR restore to beforeChange timestamp

4. Verify restoration:

   const doc = await db.collection('test').doc('doc1').get();
   console.log(doc.data().value); // Should be 'original'

5. Document the test with screenshots and timestamps

---

Step 6: Generate Compliance Reports

Available Reports

Report	Description	Frameworks
Backup Summary	All backups with status, size, duration	All
PITR Activity	Change capture statistics	All
Recovery Tests	Recovery test results	SOC 2, HIPAA
Access Audit	Who accessed what data	All
Retention Compliance	Retention policy adherence	All
Encryption Status	Encryption configuration and key rotation	HIPAA, PCI-DSS

Generate Reports via Dashboard

1. Navigate to Reports

2. Select report type

3. Configure parameters:

   • Date range
   • Projects
   • Format (PDF, CSV, JSON)

4. Click Generate

Generate Reports via API

# Generate backup summary report
curl -X POST https://api.firebackup.io/api/v1/reports/backup-summary \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "dateFrom": "2024-01-01",
    "dateTo": "2024-03-31",
    "projects": ["proj_abc123"],
    "format": "pdf"
  }'

# Generate compliance audit report
curl -X POST https://api.firebackup.io/api/v1/reports/compliance-audit \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "quarter": "Q1-2024",
    "format": "pdf"
  }'

Sample Compliance Report

FIREBACKUP COMPLIANCE REPORT SOC 2 Type II - Period: Q1 2024

---

EXECUTIVE SUMMARY

Metric	Value
Organization	Acme Corp
Projects Covered	5
Backup Success Rate	99.8%
PITR Coverage	100%
Encryption	AES-256-GCM (All backups)

BACKUP STATISTICS

Metric	Value
Total Backups	2,847
Successful	2,841 (99.8%)
Failed	6 (0.2%)
Average Duration	4m 32s
Total Data Protected	1.2 TB

PITR STATISTICS

Metric	Value
Change Windows Active	5/5 projects
Changes Captured	1,247,892
Recovery Points Available	Continuous (90 days)
Test Recoveries Performed	12
Test Recovery Success Rate	100%

RETENTION COMPLIANCE

Metric	Value
Policy	365-day minimum retention
Compliance Status	✓ Compliant
Oldest Backup	2023-04-15
Premature Deletions	0

ACCESS AUDIT SUMMARY

Metric	Value
Total Access Events	1,892
Unique Users	12
Unauthorized Access Attempts	0
MFA Enforcement	100%

ENCRYPTION STATUS

Metric	Value
Algorithm	AES-256-GCM
Key Rotation	Enabled (90-day cycle)
Last Key Rotation	2024-03-01
Next Rotation Due	2024-05-30

---

Compliance Checklist

Pre-Audit Checklist

• PITR enabled for all production projects
• Retention policies configured per compliance framework
• Audit logging enabled and exported to SIEM
• Encryption verified (at rest and in transit)
• Access controls reviewed (RBAC, MFA)
• Recovery procedures documented
• Recovery tests performed and documented
• Compliance reports generated
• Incident response plan updated

During Audit

• Demonstrate PITR configuration
• Show retention policy settings
• Provide audit log exports
• Demonstrate recovery procedure
• Provide encryption documentation
• Show access control configuration
• Present compliance reports

---

Troubleshooting

PITR Not Capturing Changes

Cause: Worker not running or Firebase listener disconnected

Solution:

1. Check PITR worker status in dashboard
2. Verify Firebase project credentials are valid
3. Check for network connectivity issues

Missing Changes in Window

Cause: Changes older than retention window

Solution:

1. Changes are automatically removed after window expires
2. Increase change window if longer retention needed
3. For permanent retention, use scheduled backups

Audit Log Gaps

Cause: Log export failures or configuration issues

Solution:

1. Check log export destination connectivity
2. Verify export credentials are valid
3. Review export job status in settings

---

Next Steps

• Configure webhooks for compliance alerts
• Set up storage with compliance-grade configuration
• Review Security Hardening for additional controls

---

Related

• PITR Overview - Basic PITR usage
• Security Hardening - Enterprise security
• Audit Logs - API documentation